SBOMFlow documentation
SBOMFlow is a deterministic, offline-by-default system of record for connected-device cybersecurity release evidence. For each firmware or software release it collects composition (SBOM), vulnerability context, reviewer decisions, and an audit trail into reviewer-ready, portable evidence you own as plain files.
Important
SBOMFlow produces engineering release-readiness evidence. It does not determine or claim legal compliance or conformity, it is not legal advice, and it never files a regulatory report. It observes; humans review and decide.
What SBOMFlow does
- Ingests your build (lockfiles, manifests, SBOMs, container/firmware inputs) and produces a deterministic composition with SHA-256 provenance.
- Adds vulnerability context, offline by default; real advisory sources are explicit, named, opt-in lookups.
- Maps evidence to CRA-oriented requirements and reports gaps — it never decides a requirement is met.
- Records human review decisions and approvals separately from machine observation, with an append-only, hash-chained, tamper-evident audit trail.
- Exports a portable evidence bundle (JSON, HTML, and more) you can read, diff, and hand to an auditor.
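As an added illustration of why an append-only, hash-chained audit trail is tamper-evident (example code written for this page, not SBOMFlow's own code or record format): each entry's SHA-256 covers the previous entry's hash, so altering any earlier entry breaks every link after it, and observations and human decisions are kept as distinct entry kinds. Entry fields and the sample payloads are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed convention: predecessor hash of the first entry


def entry_hash(prev_hash: str, kind: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash deterministic.
    body = json.dumps({"prev": prev_hash, "kind": kind, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(log: list, kind: str, payload: dict) -> dict:
    """Append one entry whose hash commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "kind": kind, "payload": payload,
             "hash": entry_hash(prev, kind, payload)}
    log.append(entry)
    return entry


def verify(log: list) -> tuple:
    """Recompute every link from genesis; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["kind"], e["payload"]):
            return False, i
        prev = e["hash"]
    return True, -1


def demo() -> dict:
    # Constructed sample: a machine observation, then a separate human decision and approval.
    log = []
    append(log, "observation", {"component": "libexample", "version": "1.2.3",
                                "advisory": "EXAMPLE-0001"})
    append(log, "decision", {"reviewer": "alice", "verdict": "accepted-risk", "ref": 0})
    append(log, "approval", {"approver": "bob", "release": "fw-2.0.0"})
    intact = verify(log)
    # Edit the decision after the fact: verification fails at that entry.
    log[1]["payload"]["verdict"] = "fixed"
    tampered = verify(log)
    # Recomputing that entry's own hash does not hide the edit: the next entry's
    # "prev" link still names the original hash, so verification fails one step later.
    log[1]["hash"] = entry_hash(log[1]["prev"], log[1]["kind"], log[1]["payload"])
    rehashed = verify(log)
    return {"intact": intact, "tampered": tampered, "rehashed": rehashed}


if __name__ == "__main__":
    print(demo())
```

A real implementation would also anchor the latest hash outside the file (for example in the exported bundle) so that truncating the tail of the log is detectable too.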
What SBOMFlow does NOT do
- It does not claim your product is "compliant", "certified", or "conformant".
- It is not only an SBOM generator: it can build SBOMs from supported local inputs and consume supplier SBOMs as observed context.
- It is not a vulnerability scanner that decides what ships.
- It does not file, transmit, sign, or submit any regulatory report.
- It does not send your source, firmware, paths, or findings anywhere by default.
Start here
Offline
Every command runs offline by default. Network-capable actions are separate, named, and opt-in; see Security & privacy.