Privacy policy
Short version: Bomly collects nothing by default. Enrichment calls are opt-in and go directly to public APIs.
Last updated: June 2026
No telemetry
Bomly is a local CLI tool. It does not collect telemetry, usage analytics, crash reports, or phone-home data of any kind. Running bomly scan, bomly explain, or any other command produces no outbound network traffic by default.
External API calls are opt-in
When you pass --enrich, Bomly makes direct HTTPS requests to third-party public APIs to fetch vulnerability and license data. The current enrichment sources are OSV (osv.dev), CISA Known Exploited Vulnerabilities (cisa.gov), deps.dev, ClearlyDefined, and endoflife.date.
These requests are made directly from your machine to the respective services. Bomly does not proxy or log them. The data returned is used only for the current invocation and is not persisted unless you write it to disk yourself (e.g. with --output).
Some detectors — particularly those based on build tools — may resolve packages from package registries (such as npm or Maven Central) as part of building the dependency graph. This is inherent to how those build tools work and only occurs when analysing projects that use those ecosystems.
Your SBOMs and project data stay local
SBOMs, manifests, lock files, and container images are parsed and analysed entirely on your local machine. Nothing is uploaded to Bomly or any third party. The only outbound traffic is the enrichment calls described above, and only when you explicitly request them.
This website
bomly.dev does not use cookies, advertising trackers, or fingerprinting of any kind. The site uses Firebase Analytics in a privacy-preserving configuration (no cross-site tracking, no advertising features) solely to understand aggregate page popularity. No personally identifiable information is collected or stored.
Open source
Bomly CLI is open source under the Apache 2.0 license. You can audit exactly what the binary does — including every network call it makes — by reading the source code at github.com/bomly-dev/bomly-cli.
Contact
If you have questions about this policy, open an issue or discussion at github.com/bomly-dev/bomly-cli.