spdx-sbom-generator
Description:
Support CI generation of SBOMs via golang tooling
Type: Formula  |  Tracked Since: Dec 28, 2025
Links: Homepage  |  formulae.brew.sh
Category: Developer tools
Tags: spdx sbom golang security compliance
Install: brew install spdx-sbom-generator
About:
spdx-sbom-generator is a command-line tool that automatically generates Software Bills of Materials (SBOMs) in the SPDX format from Go module dependencies. It reads the Go module manifest (go.mod) to build a comprehensive inventory of components, licenses, and checksums, which supports license compliance and vulnerability management within CI/CD pipelines.
Key Features:
  • Generates SPDX 2.2 and 2.3 compliant SBOMs
  • Automatic dependency detection from go.mod files
  • License and copyright metadata extraction
  • Supports multiple output formats (JSON, TagValue, YAML)
Use Cases:
  • Automating SBOM generation in CI/CD pipelines for compliance
  • Auditing open source license usage in Go projects
  • Generating artifacts for software supply chain security analysis
Alternatives:
  • syft – Syft is language-agnostic and supports many ecosystems, whereas spdx-sbom-generator is specialized for Go.
  • go-licenses – Focuses primarily on license discovery rather than full SBOM artifact generation.
Version History:
Detected | Version | Rev | Change | Commit
Sep 13, 2024 10:02pm | | 0 | VERSION_BUMP | aa5773da