BOMHort dragon mascot BOMHort

Open Source Software Supply Chain Security

Kubernetes-native SBOM visualization & governance at scale.

BOMHort ingests 1000+ SPDX and CycloneDX SBOMs, scans for vulnerabilities via OSV, enforces license compliance, and applies VEX statements — all visualized in a fast Angular dashboard backed by ClickHouse analytics.

Formerly known as SeeBOM — same project, same team, new name.

OpenSSF Sandbox Project

Ingestion & Processing

An ingestion watcher and scalable parsing workers process SBOM and VEX jobs with SHA256 deduplication and queue-based scaling. Auto-detects SPDX, CycloneDX, and in-toto attestation envelopes.

Vulnerability Intelligence

OSV batch lookups plus a daily CVE refresher continuously map newly disclosed CVEs back to affected projects — without re-scanning every SBOM.

License Governance

Ships with the CNCF Allowed Third-Party License Policy. Externalized policy and exception files classify permissive, copyleft, and unknown licenses without rebuilds.

API & UI

19 stateless REST endpoints power a modern Angular 19 dashboard with global search, virtual scrolling, dark mode, and CSS-variable theming — all configurable without a rebuild.

Data Platform

ClickHouse MergeTree tables and materialized views enable fast cross-project queries on PURLs, CVEs, licenses, and version skew across thousands of SBOMs.

Deployment

Run locally with Docker Compose or a Kind cluster, or deploy to production Kubernetes with Helm charts for the API, workers, UI, and CronJobs. S3-native SBOM ingestion by default.

Built for SBOM management and Cyber Resilience Act readiness

New regulations like the EU Cyber Resilience Act (CRA) and frameworks such as NIST SSDF and Executive Order 14028 make a Software Bill of Materials (SBOM) mandatory for products with digital elements. BOMHort gives security, compliance, and platform teams a single place to manage SBOMs at scale, run continuous vulnerability checks, and prove license and supply chain governance.

  • SBOM management: ingest and normalize thousands of SPDX and CycloneDX SBOMs from files or S3, deduplicated by hash.
  • Vulnerability check: continuous OSV-backed CVE scanning with a daily refresher and VEX-aware effective/suppressed status.
  • License compliance: CNCF-based permissive/copyleft classification with exception handling.
  • CRA & audit readiness: transparent, queryable evidence of software composition and remediation across all projects.

We ❤️ Collaboration

Built in the open, together.

BOMHort is developed completely in the open as an OpenSSF Sandbox Project. Everybody is welcome to help make the vision of transparent software supply chains reality — from filing issues to shipping features.

Our contributors

BOMHort contributors