Bomly docs

First scan, enrich, audit, diff — all in five minutes.

Install methods, `bomly` vs `bomly-lite`, checksum verification, upgrade, uninstall.

Recipes for PR gates, SBOMs, triage, and license and offline scans.

Local directories, Git repositories, container images, and existing SBOMs.

Text, JSON, SARIF, and SBOM artifacts — when to use each and how to combine them.

SPDX 2.3 vs. CycloneDX 1.6, when to pick which, ingest and conversion recipes.

How the scan pipeline is structured: targets, detectors, matchers, auditors.

How Bomly discovers projects and turns evidence into a dependency graph.

How Bomly enriches packages with vulnerability, license, and lifecycle data.

How Bomly turns vulnerability data into actionable findings.

Every Bomly term, one sentence each.

Every ecosystem and package manager Bomly can identify today.

All config keys, environment variables, and defaults.

Process exit values and what each one means for scripts and CI.

Keybindings, tabs, and filters for the --interactive terminal UI.

The SDK types behind detection, matching, and audit, and how they connect.

Drop-in recipes for GitHub Actions, GitLab, Jenkins, Azure DevOps, and CircleCI.

The turnkey GitHub Action that gates pull requests on dependency changes via `bomly diff`.

Common errors and how to fix them, organized by exit code and symptom.

Install, enable, verify, and build external detectors, matchers, and auditors.

Confirm whether a vulnerability is actually reachable from your code. Experimental.