SBOM-Tools

38 posts

@sbom_tools

OSS Semantic SBOM diff and TUI analysis tool. Compares CycloneDX/SPDX files to component changes, dependency shifts, license conflicts, and vulnerabilities.

CI/CD Build Pipelines Joined January 2026
1 Following 207 Followers
Pinned Tweet
SBOM-Tools @sbom_tools
sbom.tools is officially live🚀
SBOM-Tools @sbom_tools
🪄✨Announcing sbom-tools v0.1.16 — open-source SBOM analysis that helps you spot supply chain gaps faster. This release adds broader CycloneDX/SPDX + VEX support, OSV/CISA KEV enrichment, semantic diffing, quality scoring, and compliance checks. Try it: github.com/sbom-tool/sbom…
SBOM-Tools retweeted
Alex Matrosov @matrosov
Get insights into your software supply chain, now free and open source. SBOMs are a powerful type of report. If you generate them, make sure you’re collecting and monitoring them at scale.
SBOM-Tools@sbom_tools

🪄✨Announcing sbom-tools v0.1.16 — open-source SBOM analysis that helps you spot supply chain gaps faster. This release adds broader CycloneDX/SPDX + VEX support, OSV/CISA KEV enrichment, semantic diffing, quality scoring, and compliance checks. Try it: github.com/sbom-tool/sbom…

SBOM-Tools @sbom_tools
🧭The TUI makes exploration easier at scale
- 10 tabs across components, vulns, licenses, dependencies, compliance, and quality
- Semantic diffing
- Cross-tab navigation
- Tree + raw JSON views with search, bookmarks, fold/unfold, and bracket matching
github.com/sbom-tool
SBOM-Tools @sbom_tools
🔐Built for trust
- SLSA Level 3 provenance
- Sigstore signing + build attestations
- Dual-format SBOMs (CycloneDX + SPDX) with every release
github.com/sbom-tool/sbom…
Install via cargo, Homebrew, or prebuilt binaries for 5 platforms.
brew install sbom-tool/tap/sbom-tools
SBOM-Tools retweeted
Alex Matrosov @matrosov
Nice blog! This hits a real pain point with current SAST tooling. Most of it just runs a bunch of generic checks without understanding the actual threat model or where the real security boundaries are. That lack of semantic context is exactly the issue, I’ve been arguing for a while that detection logic needs to be context-aware, and trying to bolt that on manually with rules just doesn’t scale. This is a very natural place for LLMs to add value. With AI accelerating code production, we also need to move beyond the simple rubric of “bug exists -> reachable -> fix it.” That model breaks down at scale (reachable != exploitable). What’s missing is deeper context around exploitability, and how real is the risk, what’s the blast radius, and what actually matters to fix first. That’s the layer that will drive meaningful prioritization. Also, using LLMs purely for triaging SAST findings after the fact gets expensive very quickly at scale. It’s the easiest path, so a lot of tools go there now, but without deeper integration into the analysis pipeline, it’s a pretty inefficient approach.
SBOM-Tools @sbom_tools
Working on a new release with a number of improvements. Refining the TUI workflows to allow seamless context switching between components, vulnerabilities, and dependencies tabs, improving visibility into how the data connects.
SBOM-Tools @sbom_tools
🚀[New Release] GH-Guard v0.2.0 shipped /audit your repo /harden to your level SHA-pinned actions, Trusted Publishing, SLSA L3 provenance, cargo-deny, and more. All generated from templates with one command. Thanks for the feedback, @qkaiser! github.com/sbom-tool/gh-g…
Alex Matrosov @matrosov

I’m building gh-guard (Claude plugin) because secure OSS release engineering is still way too hard, and recent incidents only confirm that this problem exists at scale. After hardening the release pipeline for @sbom_tools, I realized the same thing keeps happening across open source: maintainers are forced to rebuild the same supply chain security controls from scratch, repo by repo. The problem is not that we don’t know what “good” looks like. The problem is that doing it well is still too manual, too fragmented, and too easy to get wrong. So I built gh-guard — a Claude Code plugin for Rust projects that helps audit and harden CI/CD and release pipelines with secure defaults. It focuses on the following controls:
- SHA-pinned GitHub Actions
- least-privilege workflow permissions
- trusted publishing with OIDC
- SLSA provenance
- release and tag guardrails
- dependency and workflow drift checks
github.com/sbom-tool/gh-g…

SBOM-Tools retweeted
Alex Matrosov @matrosov
The dream of a fast and reliable binary analysis framework is now a reality. Today, we’re open sourcing VulHunt.RE 🎉 code: github.com/vulhunt-re/vul… docs: vulhunt.re/docs A huge kudos to the entire REsearch team!
Alex Matrosov @matrosov

This year at @REverseConf, we’re dropping something special, a project we’ve been heads-down on for a while that boosts semantic-level binary detection with reachability + taint analysis. Like CodeQL/Semgrep, but for binaries. VulHunt use cases: Vuln REsearch: binarly.io/blog/vulnerabi… Detection Eng: binarly.io/blog/vulhunt-i… VH Intro: binarly.io/blog/vulhunt-i…

SBOM-Tools retweeted
Quentin Kaiser @qkaiser
We’ve just merged improvements to unblob’s supply chain security thanks to gh-guard. If you maintain OSS, check it out!
Alex Matrosov @matrosov

I’m building gh-guard (Claude plugin) because secure OSS release engineering is still way too hard, and recent incidents only confirm that this problem exists at scale. After hardening the release pipeline for @sbom_tools, I realized the same thing keeps happening across open source: maintainers are forced to rebuild the same supply chain security controls from scratch, repo by repo. The problem is not that we don’t know what “good” looks like. The problem is that doing it well is still too manual, too fragmented, and too easy to get wrong. So I built gh-guard — a Claude Code plugin for Rust projects that helps audit and harden CI/CD and release pipelines with secure defaults. It focuses on the following controls:
- SHA-pinned GitHub Actions
- least-privilege workflow permissions
- trusted publishing with OIDC
- SLSA provenance
- release and tag guardrails
- dependency and workflow drift checks
github.com/sbom-tool/gh-g…

SBOM-Tools retweeted
Alex Matrosov @matrosov
I’m building gh-guard (Claude plugin) because secure OSS release engineering is still way too hard, and recent incidents only confirm that this problem exists at scale. After hardening the release pipeline for @sbom_tools, I realized the same thing keeps happening across open source: maintainers are forced to rebuild the same supply chain security controls from scratch, repo by repo. The problem is not that we don’t know what “good” looks like. The problem is that doing it well is still too manual, too fragmented, and too easy to get wrong. So I built gh-guard — a Claude Code plugin for Rust projects that helps audit and harden CI/CD and release pipelines with secure defaults. It focuses on the following controls:
- SHA-pinned GitHub Actions
- least-privilege workflow permissions
- trusted publishing with OIDC
- SLSA provenance
- release and tag guardrails
- dependency and workflow drift checks
github.com/sbom-tool/gh-g…
SBOM-Tools retweeted
Alex Matrosov @matrosov
Shipping a secure open-source project isn’t easy, especially with today’s software supply chain complexity. So I wanted to zoom in and break down what it actually takes (in my case, a Rust project) to ship releases with confidence. I’ve been building @sbom_tools, and just wrapped up a sprint to harden the entire release pipeline. Here’s what the supply chain security posture looks like now:
Release Pipeline (fully automated):
- Trusted Publishing (OIDC) to , zero long-lived API tokens
- SLSA Build Level 3 provenance attached to every GitHub Release
- SSH-signed tags with tag immutability enforced at the org level
- Tag-to-Cargo.toml version verification + main branch ancestry check
CI/CD Security Layers:
- 10-job CI gate: clippy, rustfmt, MSRV check, 4-platform test matrix, cargo-deny (licenses + bans + advisories), cargo-audit
- CodeQL (Rust native SAST) on every push and PR
- 6 fuzz targets covering all SBOM parser entry points
- OpenSSF Scorecard running weekly with SARIF integration
- All GitHub Actions SHA-pinned, permissions: read-only.
Current @OpenSSF Scorecard: 7.5/10 (expecting ~9+ after score recalculation from the latest updates). This is the kind of effort every OSS maintainer should take on, owning your supply chain reduces the risk of putting users in danger.
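An added check for two of the controls the post above lists, SHA-pinned GitHub Actions and read-only workflow permissions. This is illustrative code written here, not part of sbom-tools or gh-guard, and the workflow it scans is a constructed sample rather than the project's own:

```python
import re

# Constructed sample workflow (not from the sbom-tools repo): one action pinned to a
# full commit SHA, one pinned only to a mutable tag, and a top-level write permission.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - run: cargo test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full 40-hex commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")    # `uses: owner/repo@ref`
PERM_RE = re.compile(r"^\s*(\w[\w-]*):\s*(read|write|none)\s*$")

def unpinned_actions(workflow: str) -> list[str]:
    """Return every remote `uses:` reference whose ref is not a full commit SHA."""
    bad = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images are out of scope here
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            bad.append(ref)
    return bad

def write_permissions(workflow: str) -> list[str]:
    """Return scopes granted `write` in any `permissions:` block (least-privilege check)."""
    scopes, in_block = [], False
    for line in workflow.splitlines():
        if line.strip() == "permissions: write-all":
            scopes.append("write-all")
        if line.strip() == "permissions:":
            in_block = True
            continue
        if in_block:
            m = PERM_RE.match(line)
            if m and line[:1].isspace():
                if m.group(2) == "write":
                    scopes.append(m.group(1))
                continue
            in_block = False  # first non-scope line ends the block
    return scopes

def audit(workflow: str) -> dict:
    return {"unpinned": unpinned_actions(workflow), "write_scopes": write_permissions(workflow)}
```

Running `audit(SAMPLE_WORKFLOW)` flags the tag-pinned `actions/setup-node@v4` and the `contents: write` grant, the two things the post's controls would reject.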
SBOM-Tools retweeted
Alex Matrosov @matrosov
Modern software supply chains have gotten wildly complex, and OSS projects are no exception. I’ve been using GitNexus to build a knowledge graph over the @sbom_tools repo, and it’s beautiful, but also kind of terrifying how much code I’ve been cranking out lately with my buddy @claudeai. github.com/abhigyanpatwar…
SBOM-Tools retweeted
Alex Matrosov @matrosov
Most folks treat SBOMs like checkbox compliance. But for enterprises, it’s often the only visibility into vendor dependencies. We upgraded SBOM.Tools quality checks to stop rewarding missing data and to surface stub SBOMs. Check it out and give us feedback.
SBOM-Tools @sbom_tools

x.com/i/article/2027…
