SBOM Tools Comparison

Written by Suphi Cankurt

Key Takeaways
  • Syft is the fastest open-source SBOM generator, producing both CycloneDX and SPDX formats from container images, filesystems, and archives in seconds.
  • CycloneDX and SPDX are the two dominant SBOM formats — CycloneDX is developer-friendly with better vulnerability correlation, while SPDX is ISO-standardized and preferred for license compliance.
  • The EU Cyber Resilience Act (effective September 2026) and US Executive Order 14028 both require SBOM generation, making these tools a compliance necessity rather than a nice-to-have.
  • A complete SBOM workflow requires three capabilities: generation (Syft, Trivy), vulnerability matching (Grype, Dependency-Track), and lifecycle management (FOSSA, Anchore Enterprise) — no single tool covers all three perfectly.

SBOM (Software Bill of Materials) tools generate, analyze, and manage machine-readable inventories of every component in your software — libraries, frameworks, and their versions. With the EU Cyber Resilience Act requiring SBOM delivery by December 2027 and US Executive Order 14028 already mandating SBOMs for federal software procurement, these tools have moved from optional to essential for compliance and supply chain security.

Why SBOM tools matter in 2026

A Software Bill of Materials (SBOM) is a machine-readable inventory of every component in a piece of software – libraries, frameworks, dependencies, and their versions. Think of it as a nutrition label for code. Without one, answering “are we affected by this new CVE?” requires re-scanning every application from scratch. With one, the answer takes seconds.

SBOM tooling has moved from optional to urgent. Three forces are driving the shift.

Regulation is no longer theoretical. US Executive Order 14028 already requires SBOMs for software sold to federal agencies. The EU Cyber Resilience Act begins enforcing vulnerability reporting obligations in September 2026 and full SBOM requirements by December 2027. PCI DSS 4.0 requires a component inventory for cardholder-data environments. Organizations that sell software into these markets need tooling in place now, not next year.

Supply chain attacks keep escalating. SolarWinds, Log4Shell, the XZ Utils backdoor – each incident exposed how little visibility most organizations had into their dependency chains. An SBOM does not prevent these attacks, but it compresses response time from weeks to hours. When the next critical CVE drops, the teams with SBOMs already know which applications are affected.

Software is mostly assembled, not written. The Synopsys 2024 OSSRA report found that 96% of commercial codebases contain open-source components. The Linux Foundation estimates 70-90% of a typical application is third-party code. Securing the software you write is necessary. Securing the software you ship – including everything you pulled from npm, PyPI, Maven Central, and Docker Hub – requires an inventory.

For background on the concept itself, read our What is SBOM? explainer.


CycloneDX vs SPDX: choosing an SBOM format

Two formats dominate the SBOM space. Both are accepted by US and EU regulators. Both are machine-readable. The right choice depends on your primary use case.

CycloneDX

CycloneDX is an OWASP-maintained standard designed with security as its primary focus. The current version is 1.7, released October 2025. It supports multiple BOM types beyond software: SaaSBOM, HBOM (hardware), AI/ML-BOM, and CBOM (cryptographic). Native VEX (Vulnerability Exploitability eXchange) support lets you communicate whether a vulnerability actually affects your product, directly inside the SBOM.

CycloneDX is available in JSON, XML, and Protocol Buffers. Its lightweight schema makes it the faster option to generate and parse in CI/CD pipelines. Most security teams prefer it.

SPDX

SPDX (Software Package Data Exchange) is a Linux Foundation standard with ISO/IEC 5962:2021 certification. It originated in the licensing and compliance space and has since expanded to cover security use cases with version 3.0. SPDX serializes in JSON, XML, RDF, and Tag-Value formats.

SPDX has the deepest support for license compliance tracking. Legal teams, procurement departments, and government agencies that care primarily about open-source license obligations tend to prefer it.

Format comparison

| Feature | CycloneDX | SPDX |
|---|---|---|
| Primary focus | Security and vulnerability management | License compliance (expanded to security) |
| VEX support | Native, first-class | Supported via external linking (SPDX 3.0) |
| Serialization | JSON, XML, Protocol Buffers | JSON, XML, RDF, Tag-Value |
| Governance | OWASP | Linux Foundation (ISO/IEC 5962:2021) |
| BOM types | SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM | SBOM focused |
| Best for | Security teams, DevSecOps | Legal review, license compliance |
| Current version | 1.7 (October 2025) | 3.0 |

When to use which. If your primary driver is security and vulnerability management, start with CycloneDX. If your primary driver is license compliance for legal review, start with SPDX. Many organizations generate both – CycloneDX for their security team and SPDX for their legal team. Nearly every tool in this comparison emits both formats.
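The two questions an SBOM is supposed to answer in seconds, "do we ship this component?" and "does this CVE actually affect us?", both come down to a few lookups over the document. The script below is an added example, not code from the article or from any of the tools it covers: it builds a small CycloneDX-style JSON document (constructed for this example; the CVE id is a placeholder and none of the listed versions is claimed to be vulnerable) with a dependency graph and one embedded VEX record, then answers both questions from it.

```python
"""Added example: answering "do we ship X?" and "are we affected by CVE Y?"
from a CycloneDX SBOM that carries VEX analysis data. The document below is
constructed for this example; the CVE id is a placeholder."""
import json

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "component": {"type": "application", "name": "payments-api",
                      "version": "2.3.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "bom-ref": "log4j",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2", "bom-ref": "jackson",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
    # Dependency graph: the application pulls in both libraries directly.
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j", "jackson"]},
        {"ref": "log4j", "dependsOn": []},
        {"ref": "jackson", "dependsOn": []},
    ],
    # VEX record embedded in the SBOM: the placeholder CVE is recorded against
    # jackson-databind together with the analysis that our code never reaches it.
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "affects": [{"ref": "jackson"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    ],
})


def load_sbom(text: str = SBOM_JSON) -> dict:
    """Parse a CycloneDX JSON document into a dict."""
    return json.loads(text)


def find_components(sbom: dict, name: str) -> list:
    """Inventory question ("do we ship log4j-core?"): (name, version) pairs."""
    return [(c["name"], c.get("version", ""))
            for c in sbom.get("components", []) if c.get("name") == name]


def vex_status(sbom: dict, cve_id: str) -> dict:
    """Map each component the SBOM records for cve_id to its VEX analysis state.

    A vulnerability listed without an analysis block is reported as 'in_triage'.
    An empty result means the SBOM has no record for this id, so the inventory
    still has to be matched against a vulnerability feed (Grype or
    Dependency-Track's job); it does not mean the product is unaffected.
    """
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", []) if "bom-ref" in c}
    result = {}
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("id") != cve_id:
            continue
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            result[names.get(target["ref"], target["ref"])] = state
    return result


def dependents_of(sbom: dict, bom_ref: str) -> list:
    """Walk the dependency graph upwards: which refs pull bom_ref in?"""
    return sorted(d["ref"] for d in sbom.get("dependencies", [])
                  if bom_ref in d.get("dependsOn", []))


if __name__ == "__main__":
    doc = load_sbom()
    print(find_components(doc, "log4j-core"))   # [('log4j-core', '2.17.1')]
    print(vex_status(doc, "CVE-0000-0001"))     # {'jackson-databind': 'not_affected'}
    print(dependents_of(doc, "jackson"))        # ['app']
```

The point of the VEX lookup is the distinction between "recorded as not affected" and "not recorded at all": the first is a decision you can hand to a customer or auditor, the second means the matching step has not run yet. SPDX 3.0 expresses the same analysis through external linking rather than inline, which is why the format table above lists VEX as native only for CycloneDX.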


SBOM generation tools

Generation is the first step. These tools scan your source code, container images, and filesystems to produce an SBOM listing every component and its version.

Syft

Syft is Anchore’s open-source SBOM generator and the most popular standalone tool in this category. With 8.4k GitHub stars and 219 contributors, it has become the default choice for teams that want fast, reliable SBOM output without a commercial license.

Syft scans container images (Docker, OCI, Singularity), filesystems, and archive files. It auto-detects dozens of package ecosystems – Alpine, Debian, RPM, npm, pip, Maven, Go modules, Cargo, Composer, NuGet, and more – without requiring configuration. Output formats include CycloneDX, SPDX, and Syft’s own JSON format.

The tool runs entirely offline with no cloud dependencies. Point it at an image or directory, and you get a complete SBOM in seconds. Pair it with Grype for vulnerability scanning: Syft generates the inventory, Grype checks it against CVE databases. The official GitHub Action (anchore/sbom-action) makes CI/CD integration straightforward.

Best for: Teams that need a dedicated, fast SBOM generator without the overhead of a full SCA platform.

Trivy

Trivy is Aqua Security’s all-in-one scanner with 32.2k GitHub stars. While it is primarily known for vulnerability and IaC scanning, Trivy also generates SBOMs in CycloneDX and SPDX formats directly from container images and filesystems.

The advantage of Trivy is consolidation. If your team already uses it for vulnerability scanning, adding SBOM generation requires zero additional tooling – just change the output format flag. Trivy covers the same language ecosystems as Syft (Go, Java, Node.js, Python, Ruby, Rust, PHP, .NET, and more) and scans container images, git repos, and Kubernetes clusters.

# Generate CycloneDX SBOM with Trivy
trivy image --format cyclonedx myapp:latest > sbom.json

# Generate SPDX SBOM
trivy image --format spdx-json myapp:latest > sbom.spdx.json

Best for: Teams already using Trivy for vulnerability or IaC scanning who want SBOM generation without adding another tool.

CycloneDX CLI and build plugins

The CycloneDX project maintains language-specific build plugins for Maven, Gradle, npm, pip, Go, Rust, .NET, and others. These plugins hook directly into your build system and produce CycloneDX SBOMs from the resolved dependency tree.

The CycloneDX CLI tool handles format conversion, validation, and merging of SBOMs from different sources. If you need to combine SBOMs from a Java backend and a Node.js frontend into a single inventory, the CLI handles that.

The build plugin approach produces the most accurate SBOMs for source-level analysis because it uses the same dependency resolution your build system uses. The tradeoff is that you need a plugin per language ecosystem, rather than a single binary.

Best for: Teams that want the highest accuracy SBOM from their build system, or need to combine SBOMs from multi-language projects.
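Merging per-language SBOMs into one release inventory is mostly a question of what counts as "the same component" and how the dependency graphs are stitched together. The script below is an added example of that logic, written for this article rather than taken from the CycloneDX CLI or any build plugin: the three input documents are constructed stand-ins for what a Java backend, a Java worker and a Node frontend plugin would emit, components are deduplicated by package URL (purl), and a new root component is introduced that depends on each input's root.

```python
"""Added example: merging CycloneDX SBOMs from separate builds into one
inventory, the job the CycloneDX CLI's merge command performs. The merge
logic here is this example's own; the inputs are constructed samples."""


def _doc(root_name: str, libraries: list) -> dict:
    """Build a minimal CycloneDX document: one root application and its direct deps.
    bom-ref is set to the purl so dependency edges resolve across documents."""
    components = []
    for lib in libraries:
        comp = dict(lib)
        comp["type"] = "library"
        comp["bom-ref"] = lib["purl"]
        components.append(comp)
    refs = [lib["purl"] for lib in libraries]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "name": root_name,
                                   "bom-ref": root_name}},
        "components": components,
        "dependencies": [{"ref": root_name, "dependsOn": refs}]
                        + [{"ref": r, "dependsOn": []} for r in refs],
    }


# Constructed inputs (versions chosen arbitrarily for the example).
BACKEND = _doc("shop-backend", [
    {"name": "spring-core", "version": "6.1.0",
     "purl": "pkg:maven/org.springframework/spring-core@6.1.0"},
    {"name": "snakeyaml", "version": "2.2", "purl": "pkg:maven/org.yaml/snakeyaml@2.2"},
])
WORKER = _doc("shop-worker", [
    {"name": "spring-core", "version": "6.1.0",
     "purl": "pkg:maven/org.springframework/spring-core@6.1.0"},   # same artifact as backend
])
FRONTEND = _doc("shop-frontend", [
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
])


def merge_sboms(docs: list, release_name: str) -> dict:
    """Union of components keyed by purl (bom-ref as fallback) and a union of
    dependency edges, under a new root that depends on every input's root."""
    components = {}   # key -> component dict; first occurrence wins
    edges = {}        # ref -> set of refs it depends on
    roots = []
    for doc in docs:
        root = doc.get("metadata", {}).get("component")
        if root:
            roots.append(root["bom-ref"])
            components.setdefault(root.get("purl") or root["bom-ref"], root)
        for comp in doc.get("components", []):
            components.setdefault(comp.get("purl") or comp["bom-ref"], comp)
        for dep in doc.get("dependencies", []):
            edges.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    edges[release_name] = set(roots)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "name": release_name,
                                   "bom-ref": release_name}},
        "components": list(components.values()),
        "dependencies": [{"ref": ref, "dependsOn": sorted(targets)}
                         for ref, targets in sorted(edges.items())],
    }


def library_names(sbom: dict) -> list:
    """Sorted names of library components in a document."""
    return sorted(c["name"] for c in sbom["components"] if c.get("type") == "library")


def depends_on(sbom: dict, ref: str) -> list:
    """Direct dependencies recorded for a bom-ref, or [] if none."""
    for dep in sbom["dependencies"]:
        if dep["ref"] == ref:
            return dep["dependsOn"]
    return []


if __name__ == "__main__":
    merged = merge_sboms([BACKEND, WORKER, FRONTEND], "shop-release")
    print(library_names(merged))                 # ['lodash', 'snakeyaml', 'spring-core']
    print(depends_on(merged, "shop-release"))    # ['shop-backend', 'shop-frontend', 'shop-worker']
```

Keying on purl is what makes the shared spring-core artifact appear once instead of twice. The caveat to remember when doing this with real plugin output: the dependency edges reference bom-ref values, and if two generators assign different bom-refs to the same purl the edges have to be rewritten to the surviving ref, otherwise the merged graph silently dangles. That is one reason to prefer the CycloneDX CLI for production merges rather than a script like this one.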

FOSSA

FOSSA is a commercial SCA platform where license compliance is the primary differentiator. It generates SBOMs in CycloneDX and SPDX formats across 17+ languages and 20+ build systems.

Where FOSSA goes beyond pure generation is its SBOM Portal – a centralized distribution point where you share SBOMs with customers, auditors, and partners using access tokens. It also imports third-party SBOMs for tracking. FOSSA’s license detection engine claims 99.8% accuracy, which matters when your legal team needs to verify open-source obligations alongside the security inventory.

FOSSA supports binary composition analysis for scanning compiled artifacts (JARs, DLLs) when source code is not available. A free tier covers basic scanning for smaller projects.

Best for: Organizations that need license compliance tracking alongside SBOM generation, or need a centralized SBOM distribution portal.

Anchore Enterprise

Anchore Enterprise extends the open-source Syft and Grype tools into a platform with centralized SBOM management, continuous monitoring, and compliance automation.

The key differentiator is lifecycle management. Anchore Enterprise stores every SBOM generated from your pipeline and continuously matches them against updated vulnerability feeds. When a new CVE is published, it identifies affected images instantly without requiring a rescan. Pre-built compliance policy packs automate checks for FedRAMP, NIST 800-53, and DISA standards.

The platform includes policy-based admission control for Kubernetes, secret and malware detection in container image layers, and a Federal Edition that supports air-gapped deployment from IL2 through IL6 classified environments.

Best for: Government agencies, defense contractors, and regulated enterprises that need SBOM lifecycle management with compliance automation.

Microsoft SBOM Tool

Microsoft’s open-source SBOM Tool generates SPDX SBOMs and is used internally across Microsoft’s products. It scans project directories and produces SPDX 2.2 output with component hashes for integrity verification.

The tool integrates with Azure DevOps pipelines and supports common package ecosystems (npm, NuGet, pip, Maven, Go). It is more narrowly focused than Syft – SPDX output only, no CycloneDX – but it is a solid choice for organizations already invested in the Microsoft ecosystem.

Best for: Teams on Azure DevOps that need SPDX-formatted SBOMs.

Tern

Tern is a Linux Foundation project focused specifically on container image analysis. It inspects Dockerfile instructions and image layers to identify packages, mapping each component back to the specific layer that installed it.

Tern outputs in SPDX, CycloneDX, and its own JSON format. Its layer-level attribution is useful for understanding which base image or build step introduced a particular dependency. Development has slowed compared to Syft and Trivy, but it remains a viable option for teams that want deep container provenance.

Best for: Teams that need layer-by-layer attribution of components in container images.


SBOM analysis and lifecycle management

Generating an SBOM is step one. The next step is using that inventory to find vulnerabilities, track risk over time, and respond when new CVEs drop.

Dependency-Track

OWASP Dependency-Track is an open-source platform for continuous SBOM monitoring. Upload CycloneDX or SPDX SBOMs from any generation tool, and Dependency-Track correlates every component against NVD, GitHub Security Advisories, Sonatype OSS Index, and OSV.

Unlike build-time scanners, Dependency-Track maintains a persistent inventory. When a new CVE is published, it immediately identifies every project that contains the affected component – without requiring a rescan. The platform tracks risk trends across your entire application portfolio with dashboards, a policy engine, and alerting.

Deploy it with Docker Compose and feed it SBOMs from Syft or Trivy in your CI pipeline. It is an OWASP Flagship Project with 3.6k GitHub stars.

Best for: Organizations managing multiple applications that need continuous, portfolio-wide vulnerability monitoring from SBOMs.

Grype

Grype is Anchore’s open-source vulnerability scanner that accepts SBOMs as input. It matches components against NVD, GitHub Security Advisories, and distribution-specific feeds, then ranks findings using a composite risk score that combines CVSS severity, EPSS exploit probability, and KEV catalog status.

The Syft-plus-Grype workflow is a common pattern: generate an SBOM once with Syft, then rescan it with Grype whenever vulnerability databases update. No need to re-analyze the original image. Grype outputs table, JSON, SARIF, and CycloneDX formats for CI/CD integration.

# Scan an SBOM file with Grype
grype sbom:./sbom.json

# Pipe Syft output directly to Grype
syft alpine:latest -o cyclonedx-json | grype

Best for: Teams that want fast, SBOM-based vulnerability scanning in CI/CD without infrastructure or licensing costs.

GUAC

GUAC (Graph for Understanding Artifact Composition) is a Google-initiated open-source project that aggregates software supply chain metadata – SBOMs, SLSA attestations, vulnerability data, and scorecard results – into a queryable graph database.

Where Dependency-Track tracks vulnerabilities against SBOMs, GUAC connects SBOMs with build provenance, source attestations, and organizational context. You can query relationships like “show me every deployment that uses a package built without SLSA Level 2 provenance.” The project is still maturing but represents the next evolution of SBOM analysis.

Best for: Organizations building advanced supply chain security programs that need to correlate SBOMs with provenance, attestations, and policy data.

Bomber

Bomber is a lightweight open-source tool that scans SBOM files for known vulnerabilities. It reads CycloneDX and SPDX SBOMs and checks components against multiple providers (OSV, Snyk, OSS Index). It is simpler than Grype – no image scanning, no filesystem scanning, just SBOM-in, vulnerabilities-out.

Best for: Teams that want the simplest possible SBOM vulnerability check without the broader feature set of Grype.


Feature comparison table

Generation tools

| Tool | License | Formats | Language ecosystems | Container support | CI/CD integration | Vuln matching |
|---|---|---|---|---|---|---|
| Syft | Apache 2.0 | CycloneDX, SPDX | 30+ | Docker, OCI, Singularity | GitHub Action | No (pair with Grype) |
| Trivy | Apache 2.0 | CycloneDX, SPDX | 15+ | Docker, OCI | GitHub Action, GitLab CI | Yes (built-in) |
| CycloneDX plugins | Apache 2.0 | CycloneDX | Per-plugin | No | Build system native | No |
| FOSSA | Freemium | CycloneDX, SPDX | 17+ | Yes | GitHub, GitLab, Jenkins | Yes |
| Anchore Enterprise | Commercial | CycloneDX, SPDX | 30+ | Docker, OCI | GitHub, GitLab, Jenkins | Yes (continuous) |
| Microsoft SBOM Tool | MIT | SPDX | 10+ | Limited | Azure DevOps | No |
| Tern | BSD-2 | CycloneDX, SPDX | OS packages | Docker | Limited | No |

Analysis and management tools

| Tool | License | SBOM input | Continuous monitoring | Vulnerability sources | Portfolio tracking |
|---|---|---|---|---|---|
| Dependency-Track | Apache 2.0 | CycloneDX, SPDX | Yes | NVD, GHSA, OSV, OSS Index | Yes |
| Grype | Apache 2.0 | CycloneDX, SPDX, Syft JSON | No (point-in-time) | NVD, GHSA, distro feeds | No |
| GUAC | Apache 2.0 | CycloneDX, SPDX | Graph-based | Multiple (via integration) | Yes (graph queries) |
| Bomber | MIT | CycloneDX, SPDX | No | OSV, Snyk, OSS Index | No |

Regulatory requirements

SBOM mandates are live in multiple jurisdictions. Here is what each regulation specifically requires and when.

US Executive Order 14028

Signed May 2021, EO 14028 requires software vendors selling to US federal agencies to provide SBOMs as part of their software supply chain security practices. NIST published minimum elements guidance defining what an SBOM must contain: supplier name, component name, version, dependency relationships, author, and timestamp. SBOMs must be machine-readable in CycloneDX or SPDX format.
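A generator producing CycloneDX output does not by itself guarantee that every one of the NIST minimum elements is present; components with no supplier or version are common in real scans. The checker below is an added example written for this article, not a NIST or CycloneDX project tool. It maps the six minimum elements listed above onto CycloneDX JSON fields (that mapping is this example's own reading of the schema; in particular, accepting either `metadata.authors` or `metadata.tools` as the "author of SBOM data" is an assumption) and reports what is missing. Both documents it checks are constructed samples.

```python
"""Added example: checking a CycloneDX JSON SBOM against the NIST minimum
elements (supplier, component name, version, dependency relationships,
author of SBOM data, timestamp). The CycloneDX field mapping is this
example's own; the two documents are constructed samples."""
import json

GOOD = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "authors": [{"name": "Release Engineering"}],   # author of the SBOM data
        "component": {"type": "application", "name": "svc", "version": "1.0.0",
                      "bom-ref": "svc"},
    },
    "components": [
        {"type": "library", "name": "liba", "version": "1.2.3", "bom-ref": "liba",
         "supplier": {"name": "Example Vendor"}},
    ],
    "dependencies": [{"ref": "svc", "dependsOn": ["liba"]}],
}

# Same document with three elements stripped out, to show what the checker reports.
BAD = json.loads(json.dumps(GOOD))
del BAD["metadata"]["timestamp"]
del BAD["components"][0]["supplier"]
BAD["dependencies"] = []


def check_minimum_elements(sbom: dict) -> list:
    """Return a list of human-readable gaps; an empty list means all six elements are present."""
    issues = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        issues.append("metadata.timestamp missing (timestamp)")
    # Assumption: a named author list or the generating tool satisfies "author of SBOM data".
    if not meta.get("authors") and not meta.get("tools"):
        issues.append("metadata.authors/tools missing (author of SBOM data)")
    if not sbom.get("dependencies"):
        issues.append("dependencies missing (dependency relationships)")
    for idx, comp in enumerate(sbom.get("components", [])):
        label = comp.get("name") or f"components[{idx}]"
        if not comp.get("name"):
            issues.append(f"{label}: name missing")
        if not comp.get("version"):
            issues.append(f"{label}: version missing")
        if not comp.get("supplier", {}).get("name"):
            issues.append(f"{label}: supplier name missing")
    return issues


def is_compliant(sbom: dict) -> bool:
    """True when no minimum element is missing."""
    return not check_minimum_elements(sbom)


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        gaps = check_minimum_elements(doc)
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Running this against real Syft or Trivy output typically flags supplier names first, because package ecosystems rarely carry that information; filling it in (or documenting why it cannot be) is part of the work the regulations listed below actually create.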

Federal agencies are already enforcing this in procurement. If you sell software to the US government, SBOM generation is not optional.

EU Cyber Resilience Act (CRA)

The CRA applies to manufacturers of products with digital elements sold in the EU market. The timeline has two phases:

  • September 2026: Vulnerability and incident reporting obligations take effect. Manufacturers must report actively exploited vulnerabilities within 24 hours.
  • December 2027: Full compliance required, including machine-readable SBOM delivery as part of technical documentation, available for audit by market surveillance authorities.

The CRA affects any software, firmware, or connected device sold in the EU. Open-source projects that are not monetized are exempt, but commercial products that incorporate open-source components are not.

PCI DSS 4.0

PCI DSS 4.0 requires organizations handling payment card data to maintain an inventory of all software components, both custom and third-party, and a process for identifying vulnerabilities in those components. While it does not explicitly mandate “SBOM” by name, the inventory requirement maps directly to what SBOM tooling produces.

FDA medical device guidance

Since October 2023, the FDA requires an SBOM as part of premarket cybersecurity submissions for medical devices. All commercial, open-source, and off-the-shelf software components must be disclosed with versions and known vulnerabilities.

What this means for tooling

The regulations converge on the same requirement: know what is in your software and prove it with a machine-readable inventory. Any tool that generates CycloneDX or SPDX output meets the format requirement. The choice between open-source and commercial depends on whether you also need lifecycle management, audit reporting, and policy enforcement.


How to choose

SBOM tooling is not a single-tool problem. Most organizations need a combination: one tool to generate, another to analyze, and possibly a third to manage and distribute.

Start with the question: what do you need?

Just generation for compliance? Syft or Trivy. Both are free, produce CycloneDX and SPDX output, and integrate into CI/CD in minutes. If you already use Trivy for vulnerability scanning, use its SBOM output flag. If you want a dedicated generator, use Syft.

Vulnerability matching against SBOMs? Add Grype. It accepts Syft output directly and scans against multiple vulnerability databases with EPSS-based risk scoring.

Continuous monitoring across a portfolio? Add Dependency-Track. Upload SBOMs from your CI pipeline and get alerts when new CVEs affect components you already shipped.

License compliance alongside security? FOSSA or Black Duck. These platforms track license obligations, generate attribution reports, and provide SBOM portals for distribution.

Government compliance with policy enforcement? Anchore Enterprise. Pre-built policy packs for FedRAMP, NIST, and DISA, with air-gapped deployment for classified environments.

Open-source vs commercial

The open-source stack – Syft, Grype, and Dependency-Track – covers generation, vulnerability scanning, and continuous monitoring at no cost. It handles the core requirements of EO 14028 and CRA. The tradeoff is that you manage the infrastructure, write your own policies, and build your own reporting.

Commercial platforms like FOSSA, Anchore Enterprise, and Snyk add license intelligence, pre-built compliance frameworks, audit-ready reports, and support contracts. The added cost makes sense when your compliance requirements go beyond “generate and scan” into “prove it to an auditor.”

Startup / small team: Syft + Grype in CI/CD. Generate SBOMs on every build, scan for vulnerabilities, fail the pipeline on critical findings. Total cost: zero.
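"Fail the pipeline on critical findings" needs one decision point between Grype's report and the CI job's exit status, and in practice it also needs an accepted-risk list so that findings already analysed as not affecting the product do not block every build. The script below is an added example of that gate, written for this article rather than taken from Grype: it reads a report in the shape of `grype -o json` output (the embedded report is a constructed sample; the CVE ids and package names are placeholders, not real findings), filters by severity threshold, and returns the exit status the job should use.

```python
"""Added example: a CI gate over Grype's JSON report. The report below is a
constructed sample in the shape of `grype -o json` output (matches[] with
vulnerability and artifact objects); ids and package names are placeholders."""
import json
import sys

GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "webfw", "version": "0.9.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["2.1.0"], "state": "fixed"}},
         "artifact": {"name": "parser", "version": "2.0.0", "type": "npm"}},
    ]
})

# Grype's severity labels, ordered so a threshold can be compared numerically.
SEVERITY_RANK = {"Negligible": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def load_report(text: str = GRYPE_REPORT) -> dict:
    """Parse a Grype JSON report."""
    return json.loads(text)


def failing_findings(report: dict, fail_on: str = "Critical",
                     accepted: frozenset = frozenset()) -> list:
    """Findings at or above fail_on, minus ids on the accepted-risk list.
    Unknown severities rank lowest so they never block by accident."""
    threshold = SEVERITY_RANK[fail_on]
    out = []
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        if vuln["id"] in accepted:
            continue
        if SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 0) < threshold:
            continue
        fix_versions = vuln.get("fix", {}).get("versions", [])
        out.append({"id": vuln["id"], "severity": vuln["severity"],
                    "package": f"{art['name']}@{art['version']}",
                    "fixed_in": ", ".join(fix_versions) or "no fix"})
    return out


def gate(report_text: str, fail_on: str = "Critical", accepted: frozenset = frozenset()) -> int:
    """Exit status for the pipeline step: 0 passes, 1 blocks the build."""
    findings = failing_findings(load_report(report_text), fail_on, accepted)
    for f in findings:
        print(f"{f['severity']:9} {f['id']:16} {f['package']} (fix: {f['fixed_in']})")
    return 1 if findings else 0


if __name__ == "__main__":
    # Real use: grype sbom:./sbom.json -o json | python gate.py High
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(text or GRYPE_REPORT, sys.argv[1] if len(sys.argv) > 1 else "Critical"))
```

Grype's own `--fail-on <severity>` flag gives you the threshold part with no script at all; what the script adds is the accepted-risk list, which is where the VEX decisions from your SBOM or your Dependency-Track analysis belong so that a known-not-reachable finding stops re-failing every build.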

Mid-size engineering org: Syft + Grype + Dependency-Track. Add continuous monitoring so new CVEs trigger alerts against deployed applications. Host Dependency-Track on Docker or Kubernetes.

Enterprise / regulated industry: Anchore Enterprise or FOSSA for centralized management, plus Dependency-Track for portfolio-wide monitoring. Add CycloneDX build plugins for the most accurate per-project SBOMs.

Government / defense: Anchore Enterprise Federal Edition with air-gapped deployment, FedRAMP policy packs, and SBOM attestation support.


Further reading: What is SBOM? | What is SCA? | SCA Tools | Supply Chain Attacks Guide | Trivy vs Grype

This guide is part of our Software Supply Chain Security resource hub.

Frequently Asked Questions

What is the best SBOM generation tool?
Syft is the most popular open-source SBOM generator in 2026, supporting CycloneDX and SPDX output from container images, filesystems, and archives. For teams already using Trivy for vulnerability scanning, its built-in SBOM generation avoids adding another tool. Commercial options like FOSSA and Anchore Enterprise add license compliance and lifecycle management on top of generation.
What is the difference between CycloneDX and SPDX?
CycloneDX is a lightweight, developer-focused SBOM format optimized for security use cases — it natively supports vulnerability references and is easier to generate from CI/CD. SPDX is an ISO/IEC 5962:2021 standard focused on license compliance, preferred by legal teams and government procurement. Most modern tools support both formats.
Is SBOM generation legally required?
Yes, in several jurisdictions. US Executive Order 14028 requires SBOMs for software sold to federal agencies. The EU Cyber Resilience Act mandates SBOM delivery for products with digital elements starting September 2026. PCI DSS 4.0 also references software inventory requirements. Organizations selling into these markets need SBOM tooling.
Can I use free tools for SBOM compliance?
Yes. Syft generates compliant CycloneDX and SPDX SBOMs at no cost. Pair it with Grype for vulnerability scanning and Dependency-Track for continuous monitoring. This open-source stack covers the core requirements of EO 14028 and CRA. Commercial tools add license risk analysis, policy enforcement, and audit-ready reporting.
About the author: Suphi Cankurt, 10+ years in application security. Reviews and compares 170 AppSec tools across 11 categories to help teams pick the right solution.