sbomqs: The Comprehensive SBOM Quality & Compliance Tool
sbomqs is the industry-leading tool for evaluating SBOM quality, ensuring compliance, and managing your software supply chain security. From quality scoring to compliance validation, component analysis to vulnerability tracking - sbomqs provides everything you need to work with SBOMs effectively.
"sbomqs is listed as a relevant tool in the SBOM ecosystem" - SBOM Generation White Paper, 2025
Quick Start
# Install via Homebrew
brew tap interlynk-io/interlynk
brew install sbomqs
# Get your first quality score
sbomqs score your-sbom.json
📚 Full Getting Started Guide - Installation for all platforms and basic usage
Why sbomqs?
In today's software landscape, understanding and managing your software supply chain is critical. Whether you're in healthcare dealing with FDA requirements, automotive following NHTSA guidelines, or any regulated industry, sbomqs helps you:
- Instantly assess SBOM quality - Know if your SBOMs meet quality standards
- Ensure compliance - Validate against BSI, NTIA, FSCT, and industry standards
- Enable vulnerability lookup - Identify components missing the unique identifiers (such as PURLs or CPEs) that vulnerability scanners key on
- Automate workflows - Integrate into CI/CD pipelines with ease
- Share results - Generate shareable reports and quality scores
- Use as a library - Integrate sbomqs into your own software programmatically
Key Features
✅ Multi-Standard Support: SPDX, CycloneDX
✅ Compliance Validation: BSI TR-03183-2 (v2.1.0, v2.0 & v1.1), FSCT v3, OpenChain Telco, NTIA
✅ Quality Scoring: 0-10 scale with detailed breakdowns
✅ Component Analysis: List, filter, and analyze SBOM components
✅ Integration Ready: Docker, CI/CD, Dependency-Track, GitHub Actions
✅ Shareable Reports: Generate public quality score links
✅ Air-Gapped Support: Works in isolated environments
Documentation
📚 Getting Started - Installation and basic usage
📖 Command Reference
- score - Calculate SBOM quality score
- compliance - Check regulatory compliance
- list - List and filter components
- share - Generate shareable reports
- dtrackScore - Dependency-Track integration
- generate - Generate configuration files
- version - Version information
🎯 Guides
- Customization - Create custom scoring profiles
- Integrations - CI/CD and tool integrations
- Policy - Policy enforcement and validation
📋 Reference
- Quality Checks - All scoring criteria explained
- Compliance Standards - BSI, NTIA, FSCT mappings
Basic Examples
Check SBOM Quality
# Get just the basic summary line with the 0-10 score (-b = --basic)
sbomqs score -b my-app.spdx.json
# See detailed breakdown
sbomqs score my-app.spdx.json
# Check specific category
sbomqs score my-app.spdx.json --category integrity
# Check a specific scoring profile
sbomqs score my-app.spdx.json --category NTIA-minimum-elements --profile ntia
Verify Compliance
# BSI TR-03183-2 v2.0
sbomqs compliance --bsi-v2 my-app.spdx.json
# FSCT v3
sbomqs compliance --fsct my-app.spdx.json
# OpenChain Telco
sbomqs compliance --oct my-app.spdx.json
Find Missing Data
# Components without versions
sbomqs list my-app.spdx.json --feature comp_with_version --missing
# Components without suppliers
sbomqs list my-app.spdx.json --feature comp_with_supplier --missing
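To make concrete what the --missing listings above look for, here is an added example (not sbomqs's own code, and not its scoring implementation) that parses a constructed CycloneDX JSON document with only the Go standard library, reports which components lack a version, a supplier, or a unique identifier (PURL or CPE), scales each check to the 0-10 range the page uses, and gates on a threshold the way a CI step would. The feature names mirror the --feature values used on this page; the predicates, the scoring formula and the sample SBOM are this example's own simplifications and assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleCDX is a constructed CycloneDX 1.5 JSON document used as input here;
// it is not an SBOM from any real project.
const sampleCDX = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "supplier": {"name": "zlib.net"}, "purl": "pkg:generic/zlib@1.3.1"},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "name": "libxml2",
     "supplier": {"name": "GNOME"}},
    {"type": "library", "name": "curl", "version": "8.6.0",
     "cpe": "cpe:2.3:a:haxx:curl:8.6.0:*:*:*:*:*:*:*"}
  ]
}`

// Supplier is the subset of the CycloneDX supplier object needed here.
type Supplier struct {
	Name string `json:"name"`
}

// Component is the subset of a CycloneDX component the checks below inspect.
type Component struct {
	Name     string    `json:"name"`
	Version  string    `json:"version"`
	Supplier *Supplier `json:"supplier"`
	PURL     string    `json:"purl"`
	CPE      string    `json:"cpe"`
}

// BOM holds the component list of a CycloneDX JSON document.
type BOM struct {
	Components []Component `json:"components"`
}

// checks maps an sbomqs-style feature name to a predicate that holds when the
// component satisfies it. The names mirror the --feature values on this page;
// the predicates are this example's simplification, not sbomqs's own logic.
var checks = map[string]func(Component) bool{
	"comp_with_version":  func(c Component) bool { return c.Version != "" },
	"comp_with_supplier": func(c Component) bool { return c.Supplier != nil && c.Supplier.Name != "" },
	"comp_with_uniq_ids": func(c Component) bool { return c.PURL != "" || c.CPE != "" },
}

// ParseCDX decodes a CycloneDX JSON document into a BOM.
func ParseCDX(data []byte) (*BOM, error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, fmt.Errorf("parse CycloneDX: %w", err)
	}
	return &bom, nil
}

// Missing returns, in document order, the names of components failing the
// named feature check (the idea behind `sbomqs list --feature X --missing`).
func Missing(bom *BOM, feature string) ([]string, error) {
	check, ok := checks[feature]
	if !ok {
		return nil, fmt.Errorf("unknown feature %q", feature)
	}
	var missing []string
	for _, c := range bom.Components {
		if !check(c) {
			missing = append(missing, c.Name)
		}
	}
	return missing, nil
}

// FeatureScore scales the fraction of passing components to the 0-10 range.
// An SBOM with no components scores 0: it describes nothing, so nothing passes.
func FeatureScore(bom *BOM, feature string) (float64, error) {
	missing, err := Missing(bom, feature)
	if err != nil {
		return 0, err
	}
	total := len(bom.Components)
	if total == 0 {
		return 0, nil
	}
	return 10 * float64(total-len(missing)) / float64(total), nil
}

// Gate averages all feature scores and reports whether the SBOM clears the
// threshold, so a CI job can fail the build on a low-quality SBOM.
func Gate(bom *BOM, threshold float64) (avg float64, pass bool, err error) {
	var sum float64
	for name := range checks {
		s, err := FeatureScore(bom, name)
		if err != nil {
			return 0, false, err
		}
		sum += s
	}
	avg = sum / float64(len(checks))
	return avg, avg >= threshold, nil
}

func main() {
	bom, err := ParseCDX([]byte(sampleCDX))
	if err != nil {
		panic(err)
	}
	for _, f := range []string{"comp_with_version", "comp_with_supplier", "comp_with_uniq_ids"} {
		m, _ := Missing(bom, f)
		fmt.Printf("missing %s: %v\n", f, m)
	}
	avg, pass, _ := Gate(bom, 7.0)
	fmt.Printf("average %.2f/10, passes threshold: %v\n", avg, pass)
}
```

On the constructed input, libxml2 lacks a version and any unique identifier and two components lack a supplier, so the supplier check scores 5.0 and the average of 6.67 fails a 7.0 gate. Real SBOMs need the same treatment for SPDX (packages, versionInfo, supplier, externalRefs), which sbomqs handles for both formats.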
Share Results
# Generate shareable link (doesn't upload SBOM content)
sbomqs share my-app.spdx.json
Integrating sbomqs into your software
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/interlynk-io/sbomqs/v2/pkg/scorer/v2/config"
	"github.com/interlynk-io/sbomqs/v2/pkg/scorer/v2/score"
)

func main() {
	// Default configuration: comprehensive scoring of every SBOM in paths.
	cfg := config.Config{}

	// Make sure the current directory contains the SBOM file `sbom.cdx.json`.
	paths := []string{"sbom.cdx.json"}

	results, err := score.ScoreSBOM(context.Background(), cfg, paths)
	if err != nil {
		log.Fatalf("scoring failed: %v", err)
	}

	for _, r := range results {
		// Comprehensive result is the default evaluation
		if r.Comprehensive != nil {
			fmt.Printf("Interlynk score: %.2f Grade: %s\n", r.Comprehensive.InterlynkScore, r.Comprehensive.Grade)
		}
	}
}
For more examples, refer here: https://github.com/interlynk-io/sbomqs/blob/main/docs/guides/integrations.md
Industry Use Cases
- Healthcare & Medical Devices: Meet FDA SBOM requirements for medical device submissions
- Automotive: Comply with NHTSA cybersecurity guidelines for vehicle software
- Financial Services: Support DORA and PCI DSS software transparency requirements
- Telecommunications: Ensure critical infrastructure security with OpenChain Telco
- Enterprise Software: Manage supply chain risk with comprehensive quality metrics
SBOM Platform - Free Community Tier
Our SBOM Automation Platform has a free community tier that provides a comprehensive solution for managing SBOMs (Software Bills of Materials): centralized SBOM storage, a built-in SBOM editor, vulnerability mapping and assessment, and compliance tracking, all backed by the integrated SBOM quality scores. The community tier is ideal for small teams.
Contributions
We welcome contributions! Here's how to get started:
- Fork the repository
- Create your feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -sam 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
Please ensure:
- All commits are signed off (the -s flag adds the Signed-off-by trailer)
- Tests pass (make test)
- Code follows our style guide (make lint)
Community Recognition
sbomqs has gained significant adoption across the industry for SBOM quality assessment and compliance validation:
📚 Academic Research & Publications
Peer-Reviewed Papers Using sbomqs
- Soeiro, L., Robert, T., & Zacchiroli, S. (2025). Wild SBOMs: a Large-scale Dataset of Software Bills of Materials from Public Code. 22nd IEEE/ACM International Conference on Mining Software Repositories (MSR 2025). arXiv:2503.15021. Usage: uses sbomqs to compute quality scores for over 78,000 SBOMs in a large-scale dataset drawn from 94 million GitHub repositories.
- Novikov, O., Fucci, D., Adamov, O., & Mendez, D. (2025). Policy-Driven Software Bill of Materials on GitHub: An Empirical Study. arXiv preprint, arXiv:2509.01255. Usage: uses sbomqs to assess the quality of 620 policy-driven SBOMs found on GitHub, calculating a quality score based on structural and semantic completeness.
White Papers & Technical Documents
- SBOM Generation White Paper (2025). SBOM Community, February 2025. Citation: lists sbomqs as a "relevant tool in the SBOM ecosystem" and highlights it as demonstrating best practices in SBOM quality assessment.
- OpenChain Telco SBOM Guide v1.1 (2025). OpenChain Project. Usage: references sbomqs as a recommended tool for telecommunications operators managing complex software supply chains, particularly for its ability to validate SBOMs across multiple formats.
Major Platforms & Companies
1. Harness Software Supply Chain Assurance (SSCA)
- Company: Harness Inc.
- Usage: Uses sbomqs as the engine powering their SBOM quality scoring feature
- Features: Provides quality scores from 1-10 for generated SBOMs with SBOM drift detection capabilities
- Reference: Harness Developer Hub
- Blog Post: Level Up your Zero-day Vulnerability Remediation and SBOM Quality (May 2025)
2. sbom.sh
- Platform: sbom.sh
- Usage: Uses the sbomqs engine to evaluate and score uploaded SBOMs
- Features: Automatically generates a quality score (1–10) based on metadata completeness, component coverag