Start with Getting Started if you're new. Otherwise pick the section that matches what you're doing.
Task-oriented walkthroughs.
- Installation — install methods, bomly vs. bomly-lite, checksum verification, uninstall
- Getting Started — first scan, enrich, audit, diff
- Use Cases — recipes for PR gates, SBOMs, triage, license and offline scans
- Scan Targets — directories, Git repos, containers, SBOMs
- Output Formats — text, JSON, SARIF, SBOM
- SBOM Formats — SPDX vs. CycloneDX, write and ingest
- CI Integration — GitHub Actions, GitLab, Jenkins, Azure, CircleCI
- Bomly Guard — the turnkey GitHub Action for PR dependency review
- Interactive TUI — keybindings and tabs for --interactive
- Troubleshooting — common errors and fixes
How Bomly thinks about your project.
- Architecture — pipeline, runtime model, design boundaries
- Detectors — turning project evidence into a dependency graph
- Matchers — enriching the graph with vulnerability, license, lifecycle data
- Auditors — evaluating the graph against policy
- Reachability — narrowing findings to code your app actually calls
- Plugins — install, trust, configure, and package external plugins
- Plugin implementation guides: detector, matcher, auditor
- Example plugin repos: Bun detector, ClearlyDefined matcher, EOL lifecycle matcher, Meme auditor
- Glossary — every term, one sentence each
Generated from code. Treat as authoritative.
- Config Reference — every config key, env var, default, flag
- Support Matrix — every ecosystem and package manager
- Exit Codes — what each process exit value means
- Detector Ecosystem Guides — per-ecosystem detector chains
- Matcher Reference — per-matcher behavior, cache, output
- Auditor Reference — per-auditor options, examples, limitations
- JSON Schemas — scan, explain, diff output shapes
For contributors and release engineers.
- CI — Bomly's own internal CI configuration
- Release Checklist — maintainer checklist for publishing tagged releases
- Contributing — build setup, code conventions, release process