bomly-cli

module
v0.15.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 27, 2026 License: Apache-2.0

README

Bomly CLI

Analyze Your Software DNA.

CI OpenSSF Scorecard Latest release Go Reference Go Report Card

Bomly is a free, open-source CLI for dependency intelligence. It scans source trees, SBOMs, Git refs, and container images; explains why dependencies are present; enriches packages with vulnerability and license data when you ask for it; evaluates policy; and writes automation-friendly output for CI.

One binary. No service to host. No telemetry. No outbound matcher calls unless you opt in with --enrich.

Install Bomly

# macOS / Linuxbrew
brew install bomly-dev/tap/bomly

# Linux / macOS install script
curl -fsSL https://bomly.dev/install.sh | sh

# Windows
winget install Bomly.BomlyCLI

Prebuilt archives and Linux packages are published from GitHub Releases. Releases include bomly (full binary with builtin Syft and Grype) and bomly-lite (smaller binary that shells out to external syft and grype).

Verify the install:

bomly version

For Linux packages, Scoop, Go install, checksums, pinned versions, upgrades, and uninstall instructions, see Installation.

Start With a Scan

# Scan the current project
bomly scan

# Scan a specific directory
bomly scan --path ./services/api

# Scan a container image
bomly scan --container ghcr.io/example/app:latest

# Scan a remote Git ref
bomly scan --url https://github.com/owner/repo --ref v1.2.3

# Read an existing SPDX or CycloneDX SBOM
bomly scan --sbom --path ./sbom.cdx.json

Bomly reads manifests, lockfiles, package-manager output, container layers, or existing SBOMs and turns them into one dependency graph. Native detectors cover Go, npm, pnpm, Yarn, Maven, Gradle, Python, Composer, Bundler, GitHub Actions, SBOM ingest, and more. Syft fills the long tail, including container images. See the Support Matrix and Scan Targets.

Bomly scan progress showing indexed subprojects, detected dependencies, enriched packages, and resolved graph

What Bomly Can Answer

Question Command
What do we depend on? bomly scan
What changed in this PR or branch? bomly diff --base main --head HEAD
Why is this package here? bomly explain lodash
Which findings matter to policy? bomly scan --enrich --audit --fail-on high
Can CI fail on high-severity findings? bomly scan --enrich --audit --fail-on high --format sarif
Can I triage reachable findings first? bomly scan --enrich --audit --analyze --fail-on high --fail-on reachable

For more recipes, see Getting Started and Use Cases.

Explore Interactively

Open the terminal UI when you want to inspect a graph by hand:

bomly scan --interactive

Use it to fuzzy-find packages, inspect versions and scopes, pivot through findings, and see how a dependency entered the graph without writing a report to disk. See Interactive TUI.

Bomly interactive TUI overview with component, vulnerability, license, target, and distribution panels

Enrich and Audit

By default, Bomly does not call vulnerability, license, lifecycle, or scorecard services. Add --enrich when you want external package intelligence:

# Fetch vulnerability and license data
bomly scan --enrich

# Evaluate policy against enriched package data
bomly scan --enrich --audit --fail-on high

# Add experimental reachability analysis
bomly scan --enrich --audit --analyze --fail-on high --fail-on reachable

Built-in enrichment uses public services such as OSV, CISA KEV, deps.dev, and OpenSSF Scorecard. --audit evaluates the vulnerability and license data already present on packages; use --enrich --audit when you want to fetch and evaluate in one run.

Reachability is experimental. It is useful for triage, but "unreachable" is not a guarantee of safety. Read Reachability before using --fail-on reachable as a CI gate.

Explain and Diff

Use explain when a transitive package shows up and you need the path:

bomly explain requests
bomly explain lodash --path ./web

Use diff when you need to review dependency changes across Git refs or SBOMs:

# Compare Git refs
bomly diff --base main --head HEAD

# Compare two SBOM files
bomly diff --sbom --base ./old.spdx.json --head ./new.spdx.json

See Getting Started for the first-run walkthrough and Use Cases for PR review, upgrade review, and incident triage recipes.

Generate Output for CI

Bomly can write human-readable text, JSON, SARIF, SPDX 2.3, and CycloneDX 1.6:

# Structured JSON for automation
bomly scan --json

# SARIF for security tabs and code-scanning integrations
bomly scan --enrich --audit --fail-on high --format sarif

# Write SBOMs while still showing the normal report
bomly scan -o spdx=sbom.spdx.json -o cyclonedx=sbom.cdx.json

# Emit one SBOM to stdout
bomly scan --format cyclonedx

Exit codes are stable for scripts: 0 for clean results, 2 for policy violations, and separate values for usage, runtime, and no-supported-project failures. See Output Formats, SBOM Formats, and Exit Codes.

To gate pull requests, use the Bomly Guard action or call the CLI directly from your workflow. See Bomly Guard and CI Integration.

GitHub pull request checks showing Bomly Guard failing a required dependency check

Use Bomly With AI Agents

Bomly can run as an MCP server so AI agents can call the same scan, explain, and diff capabilities you use on the command line:

bomly mcp serve

Add Bomly to an MCP-aware agent such as Claude Code, Cursor, VS Code, or a custom tool, and the agent receives structured JSON it can summarize or reason over. See Getting Started for setup recipes.

Configure and Extend

Bomly reads configuration from global config, project config, BOMLY_* environment variables, and CLI flags, with later sources taking precedence:

  1. ~/.bomly/config.yaml
  2. <project>/.bomly/config.yaml
  3. BOMLY_* environment variables
  4. CLI flags

Use --config <path> to add an explicit config file. See the generated Config Reference.

Managed plugins let you add detectors, matchers, and auditors without forking Bomly:

bomly plugin install github:bomly-dev/bomly-plugin-bun-lock-detector@v0.1.0
bomly plugin enable bomly.examples.detector.bun-lock
bomly plugin verify bomly.examples.detector.bun-lock

See Plugins for install, trust, and authoring guidance.

Documentation

Contributor setup lives in CONTRIBUTING.md. Architecture details live in docs/ARCHITECTURE.md.

Support

Bomly is an open-source project. If you find it useful, you can support the project by starring the repository, sharing feedback, opening issues, contributing improvements, or sponsoring ongoing maintenance.

See Support Bomly.

License

Bomly CLI is licensed under the Apache License 2.0.

Directories

Path Synopsis
cmd
bomly command
Command bomly scans source trees, SBOMs, Git refs, and container images for dependency intelligence.
Command bomly scans source trees, SBOMs, Git refs, and container images for dependency intelligence.
internal
analyzers/govulncheck
Package govulncheck implements a reachability analyzer for Go modules backed by govulncheck (https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck).
Package govulncheck implements a reachability analyzer for Go modules backed by govulncheck (https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck).
analyzers/jsreach
Package jsreach implements a Tier-3 (package-level) reachability analyzer for npm packages.
Package jsreach implements a Tier-3 (package-level) reachability analyzer for npm packages.
analyzers/jvmreach
Package jvmreach implements a Tier-3 (package-level) reachability analyzer for JVM-ecosystem packages (Maven, Gradle, SBT).
Package jvmreach implements a Tier-3 (package-level) reachability analyzer for JVM-ecosystem packages (Maven, Gradle, SBT).
analyzers/pyreach
Package pyreach implements a Tier-3 (package-level) reachability analyzer for Python packages.
Package pyreach implements a Tier-3 (package-level) reachability analyzer for Python packages.
benchmark
Package benchmark owns Bomly's hidden local dependency-graph benchmark.
Package benchmark owns Bomly's hidden local dependency-graph benchmark.
cli
cli/opts
Package opts resolves +/- selector expressions used by the CLI to filter detectors, auditors, matchers, and ecosystems.
Package opts resolves +/- selector expressions used by the CLI to filter detectors, auditors, matchers, and ecosystems.
cli/render
Package render owns CLI presentation primitives: ANSI styling, the startup logo, and SBOM output spec parsing.
Package render owns CLI presentation primitives: ANSI styling, the startup logo, and SBOM output spec parsing.
config
Package config defines Bomly's resolved CLI configuration shape.
Package config defines Bomly's resolved CLI configuration shape.
engine/diff
Package diff runs two engine pipelines and classifies their audit deltas.
Package diff runs two engine pipelines and classifies their audit deltas.
engine/scan
Package scan exposes the command-facing scan pipeline API.
Package scan exposes the command-facing scan pipeline API.
git
matchers
Package matchers contain shared contracts and helper functions for matcher implementations.
Package matchers contain shared contracts and helper functions for matcher implementations.
matchers/cache
Package cache provides shared on-disk caching helpers for matcher implementations.
Package cache provides shared on-disk caching helpers for matcher implementations.
matchers/depsdev
Package depsdev implements a Bomly license matcher backed by the deps.dev API.
Package depsdev implements a Bomly license matcher backed by the deps.dev API.
matchers/grype
Package grype implements a Matcher that uses the Grype vulnerability library (builtin) or the grype CLI binary (external), selected via build tags.
Package grype implements a Matcher that uses the Grype vulnerability library (builtin) or the grype CLI binary (external), selected via build tags.
matchers/osv
Package osv implements an engine.Auditor backed by the OSV (Open Source Vulnerabilities) API.
Package osv implements an engine.Auditor backed by the OSV (Open Source Vulnerabilities) API.
matchers/scorecard
Package scorecard implements an sdk.Matcher that enriches packages with upstream-project security-posture data from the OpenSSF Scorecard public API (api.scorecard.dev).
Package scorecard implements an sdk.Matcher that enriches packages with upstream-project security-posture data from the OpenSSF Scorecard public API (api.scorecard.dev).
mcp
progress
Package progress renders a CLI progress display: a live region of per-step lines, each animating its own spinner and bubbles-rendered progress bar, plus a stream of completed steps that get promoted in place (rewritten as a past-tense title with their child tree) and scroll into history as new steps start.
Package progress renders a CLI progress display: a live region of per-step lines, each animating its own spinner and bubbles-rendered progress bar, plus a stream of completed steps that get promoted in place (rewritten as a past-tense title with their child tree) and scroll into history as new steps start.
tui
Package sdk is Bomly's public Go contract for dependency graphs, package enrichment, policy findings, and managed external plugins.
Package sdk is Bomly's public Go contract for dependency graphs, package enrichment, policy findings, and managed external plugins.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL