BomLens is a local-first SBOM generator and open-source risk assessor. It produces a CycloneDX SBOM, an open-source notice, and a security/license risk report for a single project in seconds — from source code, containers, binaries, firmware, or an SBOM you received. CLI or browser UI, no SaaS.
Where to start:
- Using the tool — generate an SBOM, an open-source notice, or a security report, or assess a binary or an SBOM you received. Start with Getting started (Korean). On Windows and prefer no command line? Download BomLens for Windows (.exe) and double-click — the no-CLI quick start (Korean) walks through it.
- Contributing to the tool itself — building the image, the pipeline internals, or adding a package manager? See CONTRIBUTING and the architecture.
A Docker engine is required either way; the free Rancher Desktop works well on Windows.
One Docker image, two jobs:
- Generate — scan your source code (or a container image / binary) and produce a CycloneDX SBOM, an open-source notice, and a security report.
- Assess open-source risk — analyze what you receive, including a supplier's finished SBOM or a firmware binary, and produce an open-source risk report (licenses + known vulnerabilities, with Critical-7d / High-30d remediation deadlines).
Every scan also emits the risk report by default. Run it from the CLI or a browser UI. Originally built by SK Telecom for supply-chain security, now open source.
Languages: Java, Python, Node.js, Ruby, PHP, Rust, Go, .NET, C/C++ (Conan/vcpkg). Inputs: source folder, GitHub URL, ZIP archive, Docker image, binary/RootFS, existing SBOM, firmware.
Prerequisite: a Docker engine, 20.10+. Free options that work on Windows: Rancher Desktop (GUI; supports the .bat double-click flow) or WSL2 + docker-ce (run the tool from inside WSL — fully free, no Windows named-pipe needed). Docker Desktop also works but requires a paid license for larger organizations. The Web UI needs nothing else; the Windows CLI wrapper additionally needs Git for Windows (Git Bash).
```bash
git clone https://github.com/sktelecom/sbom-tools.git && cd sbom-tools
docker pull ghcr.io/sktelecom/bomlens:latest # aliases: sbom-generator and sbom-scanner serve the same image
```

No git installed? Download the repo as a ZIP from the GitHub page (the green Code button, then Download ZIP) and unzip it.
Launch, scan, and download — all in the browser. Live logs stream as it runs.
```bash
cd ~/sbom-output # any folder — this is where results are saved
/path/to/sbom-tools/scripts/scan-sbom.sh --ui # opens http://localhost:8080
# Windows: double-click scripts\sbom-ui.bat
```

Enter the project name and version, pick a scan target (current folder, GitHub URL, ZIP, SBOM, firmware upload, or Docker image), click Run scan, then view or download the results.
A common case: a dev team handed you a source archive and you need its SBOM. The no-CLI quick start walks through this step by step in Korean for non-developers; the short version is below.
- Install and start a Docker engine. Rancher Desktop is a free, drop-in choice for this double-click flow; Docker Desktop also works (with licensing caveats for organizations).
- Get this repo: on the GitHub page use the green Code button, then Download ZIP, and unzip it.
- Pick a folder for the results under your home directory, such as `C:\Users\you\sbom-output`. It must sit inside a path your Docker engine is allowed to share (file sharing); `C:\Users` is shared by default in both Rancher Desktop and Docker Desktop.
- Double-click `scripts\sbom-ui.bat`. A browser opens at http://localhost:8080.
- Enter a project name and version, choose ZIP upload as the scan target, upload the source ZIP you received, run the scan, then download the SBOM, the notice, and the risk report.
The getting-started guide covers this in more detail and shows the CLI path.
Prefer a real app over a .bat? A desktop app wraps this same flow with no console window — it checks Docker, pulls the image, and opens the UI on double-click. Download SBOM-Generator-*.exe (or .dmg) from the latest release. It is unsigned for now, so if Windows SmartScreen warns, click More info and then Run anyway. Build details are in electron/.
```bash
# All deliverables for the current project
./scripts/scan-sbom.sh --project MyApp --version 1.0.0 --all --generate-only
# Other inputs: GitHub URL · source archive · Docker image · firmware
./scripts/scan-sbom.sh --git https://github.com/org/repo --project MyApp --version 1.0.0 --all --generate-only
./scripts/scan-sbom.sh --target ./src.zip --project MyApp --version 1.0.0 --all --generate-only
./scripts/scan-sbom.sh --target nginx:latest --project MyApp --version 1.0.0 --all --generate-only
./scripts/scan-sbom.sh --target dev.bin --firmware --project MyApp --version 1.0.0 --all --generate-only
```

On Windows, run the same commands through scripts\scan-sbom.bat, which forwards them to the script via Git Bash (Git for Windows required).
Outputs ({Project}_{Version}_…): bom.json (SBOM), NOTICE.{txt,html}, risk-report.{md,html} (default), and security.{json,md,html} (Trivy). Each input form is covered in the scenarios guide.
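As an added example (not code from the BomLens repo), a small post-processing script that reads the bom.json and security.json outputs listed above and applies the Critical-7d / High-30d remediation deadlines as a CI gate. It assumes security.json follows Trivy's JSON report layout and uses constructed sample data in place of real scan output; the vulnerability IDs are placeholders.

```python
import json
from datetime import date, timedelta

# Remediation SLA the README describes: Critical within 7 days, High within 30 days.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30}

# Constructed sample of a CycloneDX bom.json, trimmed to the fields used here.
BOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
 {"type": "library", "name": "lodash", "version": "4.17.20",
  "purl": "pkg:npm/lodash@4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
 {"type": "library", "name": "left-pad", "version": "1.3.0",
  "purl": "pkg:npm/left-pad@1.3.0", "licenses": []}]}"""

# Constructed sample in Trivy's JSON layout (assumed to be what security.json holds).
# The vulnerability IDs are placeholders, not real advisories.
SECURITY_JSON = """{"Results": [{"Target": "package-lock.json", "Vulnerabilities": [
 {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "lodash", "InstalledVersion": "4.17.20",
  "FixedVersion": "4.17.21", "Severity": "HIGH"},
 {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "left-pad", "InstalledVersion": "1.3.0",
  "FixedVersion": "", "Severity": "CRITICAL"},
 {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "lodash", "InstalledVersion": "4.17.20",
  "FixedVersion": "4.17.21", "Severity": "LOW"}]}]}"""


def unlicensed_components(bom_text):
    """Names of SBOM components with no license entry; these need manual license review."""
    bom = json.loads(bom_text)
    return sorted(c["name"] for c in bom.get("components", []) if not c.get("licenses"))


def remediation_plan(security_text, scan_date):
    """One row per Critical/High finding with its fix-by date, earliest deadline first."""
    scan_date = date.fromisoformat(str(scan_date))  # accepts a date or an ISO string
    rows = []
    for result in json.loads(security_text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy emits null when none
            days = SLA_DAYS.get(v.get("Severity", "").upper())
            if days is None:
                continue  # Medium/Low/Unknown carry no hard deadline in this policy
            rows.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                         "severity": v["Severity"], "fix": v.get("FixedVersion") or None,
                         "due": scan_date + timedelta(days=days)})
    return sorted(rows, key=lambda r: r["due"])


def ci_gate(security_text, bom_text, scan_date):
    """CI verdict: fail when any Critical finding exists or a component has no license."""
    plan = remediation_plan(security_text, scan_date)
    blockers = [r for r in plan if r["severity"].upper() == "CRITICAL"]
    return {"ok": not blockers and not unlicensed_components(bom_text),
            "blockers": blockers, "plan": plan}
```

Call `ci_gate(SECURITY_JSON, BOM_JSON, "2026-01-15")` to see the verdict; the `plan` entries carry the fix-by dates for the risk report's deadlines.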
Read the docs as a navigable site at sktelecom.github.io/sbom-tools (search, sidebar, English/Korean). The same content lives under docs/ in this repo.
The web UI itself is bilingual (English and Korean, English by default). The core docs are available in English; the most detailed and complete guides — including the non-developer quick start — are in Korean.
| Doc | What |
|---|---|
| Getting started | Install and your first SBOM (web UI + CLI) |
| Usage guide | Every option, analysis modes, CI/CD |
| Input scenarios | GitHub URL, ZIP, local C/C++, existing SBOM, firmware |
Building or extending the tool? Start with the architecture; design notes live under docs/internal/ (Korean).
| Doc (Korean) | Description |
|---|---|
| Non-developer quick start | Create an SBOM and a notice with the desktop app and web UI, no command line |
| Getting started | Install and your first SBOM (including the web UI) |
| Scenario guide | Handling each input form (GitHub, ZIP, local, SBOM, firmware) |
| Notice and security report | Generating and interpreting the deliverables, and using the web UI |
| Usage guide | All options, analysis modes, CI/CD |
| Examples guide | Hands-on practice with per-language example projects |
The internal structure (architecture), design background, and maintainer research documents live under docs/internal/. For the value of the Docker image (measured against cdxgen), see the direction study report; for the evaluation of adopting the Windows desktop app, see the desktop app review report. The full list of documents is under docs/.
Issues and PRs welcome — see CONTRIBUTING.md (Korean) and GitHub Issues.
Apache License 2.0 · © 2026 SK Telecom Co., Ltd. Bundled third-party tools keep their own licenses — see NOTICE and THIRD_PARTY_LICENSES.md.