Ingestion & Processing
An ingestion watcher and scalable parsing workers process SBOM and VEX jobs with SHA256 deduplication and queue-based scaling. Auto-detects SPDX, CycloneDX, and in-toto attestation envelopes.
Open Source Software Supply Chain Security
BOMHort ingests 1000+ SPDX and CycloneDX SBOMs, scans for vulnerabilities via OSV, enforces license compliance, and applies VEX statements — all visualized in a fast Angular dashboard backed by ClickHouse analytics.
Formerly known as SeeBOM — same project, same team, new name.
An ingestion watcher and scalable parsing workers process SBOM and VEX jobs with SHA256 deduplication and queue-based scaling. Auto-detects SPDX, CycloneDX, and in-toto attestation envelopes.
OSV batch lookups plus a daily CVE refresher continuously map newly disclosed CVEs back to affected projects — without re-scanning every SBOM.
Ships with the CNCF Allowed Third-Party License Policy. Externalized policy and exception files classify permissive, copyleft, and unknown licenses without rebuilds.
19 stateless REST endpoints power a modern Angular 19 dashboard with global search, virtual scrolling, dark mode, and CSS-variable theming — all configurable without a rebuild.
ClickHouse MergeTree tables and materialized views enable fast cross-project queries on PURLs, CVEs, licenses, and version skew across thousands of SBOMs.
Run locally with Docker Compose or a Kind cluster, or deploy to production Kubernetes with Helm charts for the API, workers, UI, and CronJobs. S3-native SBOM ingestion by default.
New regulations like the EU Cyber Resilience Act (CRA) and frameworks such as NIST SSDF and Executive Order 14028 make a Software Bill of Materials (SBOM) mandatory for products with digital elements. BOMHort gives security, compliance, and platform teams a single place to manage SBOMs at scale, run continuous vulnerability checks, and prove license and supply chain governance.
We ❤️ Collaboration
BOMHort is developed completely in the open as an OpenSSF Sandbox Project. Everybody is welcome to help make the vision of transparent software supply chains reality — from filing issues to shipping features.