CBOM Tooling

Open source tools for generating, validating, and analyzing CBOM documents.

cbom-scan

Coming Q3 2026

CLI scanner for automated CBOM generation from TLS configurations, source code, certificates, and cloud infrastructure.

Supported Scanners

  • TLS configuration parsing (nginx, Apache, HAProxy)
  • Source code crypto library detection (Python, Java, Go, Node.js)
  • Certificate chain enumeration
  • Cloud KMS inventory (AWS, Azure, GCP)
  • Rich CLI output with compliance reporting

Preview

$ cbom-scan --target ./myapp --format json
Scanning source code... 47 crypto components found
Scanning TLS configs... 3 endpoints analyzed
Scanning certificates... 12 certs enumerated
Warning: 23 quantum-vulnerable components detected
Output: myapp.cbom.json (62 components)

CBOM Validator

Available Now

Validate CBOM documents against the official JSON Schema (Draft 2020-12). Ensure conformance to the specification.

Python

pip install jsonschema

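import json
import jsonschema

with open('cbom-v1.0.0.schema.json') as f:
    schema = json.load(f)
with open('my-system.cbom.json') as f:
    doc = json.load(f)

# The validator class is selected from the schema's "$schema" keyword
jsonschema.validate(doc, schema)
# Raises ValidationError if non-conformant; "format" keywords are only
# enforced when a format_checker is passed to validate()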

Node.js

npm install ajv ajv-formats

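import fs from 'node:fs';
import Ajv2020 from 'ajv/dist/2020.js'; // the default Ajv class does not support Draft 2020-12
import addFormats from 'ajv-formats';
const schema = JSON.parse(fs.readFileSync('cbom-v1.0.0.schema.json', 'utf8'));
const doc = JSON.parse(fs.readFileSync('my-system.cbom.json', 'utf8'));
const ajv = addFormats(new Ajv2020()); // ajv-formats enables "format" checks
const validate = ajv.compile(schema);
validate(doc); // true or false; failures are listed in validate.errors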
