BomLens is a local-first SBOM generator and open-source risk assessor. It produces a CycloneDX SBOM, an open-source notice, and a security/license risk report for a single project in seconds — from source code, containers, binaries, firmware, an SBOM you received, or a HuggingFace AI model. CLI or browser UI, no SaaS.
Where to start:
- Using the tool — generate an SBOM, an open-source notice, or a security report, or assess a binary or an SBOM you received. Start with First scan (한국어). On Windows and prefer no command line? Download BomLens for Windows (.exe) and double-click — the no-CLI quick start (한국어) walks through it.
- Contributing to the tool itself — building the image, the pipeline internals, or adding a package manager? See CONTRIBUTING and the architecture.
A Docker engine is required either way; the free Rancher Desktop works well on Windows.
One Docker image, two jobs:
- Generate — scan your source code (or a container image / binary) and produce a CycloneDX SBOM, an open-source notice, and a security report.
- Assess open-source risk — analyze what you receive, including a supplier's finished SBOM or a firmware binary, and produce an open-source risk report (licenses + known vulnerabilities, with Critical-7d / High-30d remediation deadlines).
Every scan also emits the risk report by default. Run it from a browser UI (or the desktop app), or from the CLI. Originally built by SK Telecom for supply-chain security, now open source.
Languages: Java, Python, Node.js, Ruby, PHP, Rust, Go, .NET, C/C++ (Conan/vcpkg, or --identify-vendored for sources with no package manager). Inputs: source folder, GitHub URL, ZIP archive, Docker image, binary/RootFS, existing SBOM, firmware, and a HuggingFace AI model (CycloneDX ML-BOM).
Everything runs on a Docker engine (20.10+). On Windows, free Rancher Desktop works well, or WSL2 + docker-ce (fully free); Docker Desktop also works, with licensing caveats for larger organizations. The desktop app and web UI manage the image for you — only the CLI asks you to pull it.
Download the installer and double-click it — BomLens-Setup.exe for Windows or BomLens-Setup.dmg for macOS. It checks Docker, pulls the image, and opens the UI — no console window. The app is unsigned for now: on Windows, if SmartScreen warns, click More info, then Run anyway; on macOS, right-click the app and choose Open. Build details are in electron/.
A common case is a source ZIP handed to you by a dev team. The no-CLI quick start (한국어) walks a non-developer through it click by click.
Launch, scan, and download in the browser; live logs stream as it runs.
```bash
git clone https://github.com/sktelecom/sbom-tools.git && cd sbom-tools
./scripts/scan-sbom.sh --ui   # opens http://localhost:8080; results save to the current folder
# Windows: double-click scripts\sbom-ui.bat
```

Enter a project name and version, pick a scan target (current folder, GitHub URL, ZIP, SBOM, firmware upload, or Docker image), click Run scan, then view or download the results.
```bash
docker pull ghcr.io/sktelecom/bomlens:latest   # aliases: sbom-generator and sbom-scanner serve the same image
./scripts/scan-sbom.sh --project MyApp --version 1.0.0 --all --generate-only
```

On Windows, run the same command through scripts\scan-sbom.bat (Git for Windows required). Other inputs — GitHub URL, source archive, Docker image, firmware — and every option are in the input-scenarios guide and the CLI reference.
Outputs ({Project}_{Version}_…): bom.json (SBOM), NOTICE.{txt,html}, risk-report.{md,html} (default), and security.{json,md,html} (Trivy).
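As an added example that is not BomLens code: a short Python script that reads a CycloneDX JSON document of the general shape bom.json takes (components with their licenses, plus a vulnerabilities array) and applies the Critical-7d / High-30d policy described above to compute remediation due dates, alongside a license-to-components summary. The sample document is constructed inline, the vulnerability ids are placeholders, and the field names follow the CycloneDX 1.5 JSON schema rather than any BomLens-specific layout; whether BomLens embeds vulnerabilities in bom.json or writes them only to security.json is not stated on this page, so the embedding is an assumption. The script also flags a finding whose affects[].ref points at no listed component, a consistency problem worth catching in an SBOM you received from a supplier.

```python
import json
from datetime import date, timedelta

# Constructed sample, not BomLens output: a minimal CycloneDX 1.5 document with
# one Critical and one High finding, one unresolved vulnerability reference, and
# license data in both shapes the spec allows (a license id and an expression).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib-a@1.2.3", "type": "library",
         "name": "lib-a", "version": "1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:npm/lib-b@4.0.0", "type": "library",
         "name": "lib-b", "version": "4.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:pypi/lib-c@0.9", "type": "library",
         "name": "lib-c", "version": "0.9",
         "licenses": [{"expression": "MIT OR BSD-2-Clause"}]},
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-0001",  # placeholder identifiers, not real CVE numbers
         "ratings": [{"severity": "critical", "method": "CVSSv31", "score": 9.8}],
         "affects": [{"ref": "pkg:maven/org.example/lib-a@1.2.3"}]},
        {"id": "VULN-EXAMPLE-0002",
         "ratings": [{"severity": "medium", "score": 5.0},
                     {"severity": "high", "score": 7.5}],
         "affects": [{"ref": "pkg:npm/lib-b@4.0.0"}]},
        {"id": "VULN-EXAMPLE-0003",
         "ratings": [{"severity": "medium", "score": 4.3}],
         "affects": [{"ref": "pkg:pypi/not-in-this-bom@1.0"}]},
    ],
})

# Remediation windows from the README's policy: Critical within 7 days, High within 30.
# Lower severities are reported but get no deadline here.
SLA_DAYS = {"critical": 7, "high": 30}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def worst_severity(vuln):
    """Take the highest severity across ratings[]; CycloneDX allows several per finding."""
    severities = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(severities, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")


def component_licenses(comp):
    """Flatten licenses[] into SPDX ids/expressions; NOASSERTION when none is declared."""
    found = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "NOASSERTION")
    return found or ["NOASSERTION"]


def triage(bom_json, scan_date):
    """One row per (vulnerability, affected component), worst severity first,
    with the remediation due date counted from scan_date (an ISO date string)."""
    bom = json.loads(bom_json)
    scanned = date.fromisoformat(scan_date)
    by_ref = {c.get("bom-ref"): c for c in bom.get("components", [])}
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        window = SLA_DAYS.get(sev)
        due = (scanned + timedelta(days=window)).isoformat() if window else None
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            comp = by_ref.get(ref)
            rows.append({
                "id": vuln.get("id"),
                "component": ref,
                "severity": sev,
                "due": due,
                "licenses": component_licenses(comp) if comp else [],
                # A ref that resolves to no component means the SBOM is internally
                # inconsistent; flag it instead of silently dropping the finding.
                "note": None if comp else "unresolved bom-ref",
            })
    rows.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)
    return rows


def license_summary(bom_json):
    """Map each declared license id/expression to the component names carrying it."""
    summary = {}
    for comp in json.loads(bom_json).get("components", []):
        for lic in component_licenses(comp):
            summary.setdefault(lic, []).append(comp.get("name", comp.get("bom-ref")))
    return summary


if __name__ == "__main__":
    for row in triage(SAMPLE_BOM, "2026-01-01"):
        print(f'{row["severity"]:<8} due={row["due"]}  {row["id"]}  {row["component"]}  {row["note"] or ""}')
    for lic, names in sorted(license_summary(SAMPLE_BOM).items()):
        print(f"{lic}: {', '.join(names)}")
```

Run it against a real bom.json by replacing SAMPLE_BOM with the file contents; the due dates are counted from the scan date you pass in, which is why the script takes that date as an argument rather than reading the clock.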
The full docs — getting started, task guides, reference, and concepts — are a navigable site at sktelecom.github.io/sbom-tools (search, sidebar, English/Korean). The same content lives under docs/ in this repo. The site and the web UI are bilingual, English by default with Korean available.
A few entry points:
- First scan — install and your first SBOM (web UI + CLI)
- No-CLI quick start (한국어) — desktop app or .bat, for non-developers
- CLI reference — every option and environment variable
- Input scenarios — GitHub URL, ZIP, local source, existing SBOM, firmware
- Architecture — the two-stage pipeline; maintainer design notes live under docs/internal/ (Korean)
Issues and PRs welcome — see CONTRIBUTING.md (한국어) and GitHub Issues.
Apache License 2.0 · © 2026 SK Telecom Co., Ltd. Bundled third-party tools keep their own licenses — see NOTICE and THIRD_PARTY_LICENSES.md.