Security SBOM generator with vulnerability chechup
March 23, 2026 131

πŸ› Security SBOM generator with vulnerability chechup

Salute,

Today I want to share a tula that I twirled on the yoke. This tool helps you quickly and in a more convenient form collect SBOM for a project; this will be especially useful for certification according to FSTEC of Russia, including monitoring your supply-chain.

Tula is built in such a way that you don’t have to fumble around with dependencies, but get a normal, structured picture of the software’s composition. that is, a clear map of components, versions and metadata, which further helps with auditing, supply chain risks and checking vulnerabilities for each component.

It is this approach that fits well in practices where the SBOM is generated automatically from a repository or assembly artifact, and then used further in pipelines and control systems.

How does it work?

β€’ Generates a project SBOM in one of the standard formats so that it can be further transferred to other tools or stored as an artifact

β€’ Helps bring the result into a more convenient form, so that the SBOM is not just a β€œdamp sheet”, but is readable

β€’ Suitable for automation in CI/CD, as a permanent part of the supply-chain process

β€’ Can be used as a starting point for further analysis of dependencies, licenses and vulnerabilities

β€’ Can be used for certification in FSTEC of Russia according to the requirements of the testing laboratory, including

β€’ Works well in scenarios where you need to quickly export dependencies and then run them through security tools or load them into an external loop

Functionally

β€’ Generates SBOM from a local directory or Git repository (GitHub / GitLab)

β€’ Scans vulnerabilities via Trivy, OWASP Dependency-Check, Clair

β€’ Embeds detected vulnerabilities into SBOM (CycloneDX 1.5)

β€’ Exports readable reports: Excel (.xlsx), Word (.docx), ODT (.odt)

β€’ Signs the resulting SBOM (SHA-256)

Why?

β€’ Before release, to understand what it consists of and what dependencies are used

β€’ In CI/CD, so that the SBOM is automatically generated for each build or release and it is possible to check workarounds from commands for used dependencies

β€’ For security review, when you need to quickly show the composition of dependencies and risk points

β€’ For compliance and supply-chain control

I plan to tighten it up

β€’ More flexible generation modes for different types of projects

β€’ Make post-processing and result validation more convenient

Links

β€’ PyPi

β€’ DockerHub

β€’ Github Package

Structure

sbom_genform/

β”œβ”€β”€ src/sbom_pipeline/

β”‚ β”œβ”€β”€ cli.py #secsbom/secsbom-pipeline (typer)

β”‚ β”œβ”€β”€ pipeline.py # orchestrator

β”‚ β”œβ”€β”€ generate.py # SBOM generation

β”‚ β”œβ”€β”€ dedup.py # deduplication

β”‚ β”œβ”€β”€ sign.py # SHA-256 signature

β”‚ β”œβ”€β”€ exporter.py #xlsx/docx/odt

β”‚ β”œβ”€β”€ vuln_merger.py # embedding vulnerabilities

β”‚ β”œβ”€β”€ config.py # configuration

β”‚ └── scanner/

β”‚ β”œοΏ½οΏ½β”€ trivy.py

β”‚ β”œβ”€β”€ depcheck.py

β”‚ └──clair.py

β”œβ”€β”€docker/

β”‚ └── Dockerfile.secgensbom

β”œβ”€β”€ examples/project_inject/ # vulnerable PHP

β”œβ”€β”€ secgensbom/secgensbom.yml # GitLab CI shared template

β”œβ”€β”€ .github/workflows/

β”‚ β”œβ”€β”€ ci.yml

β”‚ β”œβ”€β”€ secgensbom.yml

β”‚ └── publish.yml

β”œβ”€β”€ tests/test_smoke.py

β”œβ”€β”€ pyproject.toml

└── .env.example

#appsec #devsecops #specialty #toolchain #techsolution #paper #sbom

#appsec#devsecops#specialty#toolchain#techsolution#paper#sbom
Open in Telegram