SBOMFlow documentation

SBOMFlow is a deterministic, offline-by-default system of record for connected-device cybersecurity release evidence. For each firmware or software release it collects composition (SBOM), vulnerability context, reviewer decisions, and an audit trail into reviewer-ready, portable evidence you own as plain files.

Important

SBOMFlow produces engineering release-readiness evidence. It does not
determine or claim legal compliance or conformity, it is not legal advice,
and it never files a regulatory report. It observes; humans review and decide.

What SBOMFlow does

  • Ingests your build (lockfiles, manifests, SBOMs, container/firmware inputs) and produces a deterministic composition with SHA-256 provenance.
  • Adds vulnerability context, offline by default; real advisory sources are explicit, named, opt-in lookups.
  • Maps evidence to CRA-oriented requirements and reports gaps — it never decides a requirement is met.
  • Records human review decisions and approvals separately from machine observation, with an append-only, hash-chained, tamper-evident audit trail.
  • Exports a portable evidence bundle (JSON, HTML, and more) you can read, diff, and hand to an auditor.
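The two mechanisms above that carry the security weight are the deterministic composition (same inputs, byte-for-byte the same record, with a SHA-256 of every input recorded as provenance) and the hash-chained audit trail that keeps machine observations apart from human decisions. The following is an added illustration written for this page, not SBOMFlow's own code or file format; the `name==version` lockfile syntax, the entry field names, the requirement identifier and the sample inputs are all hypothetical and constructed. It shows why canonical serialisation matters for determinism, and how a chain verifier localises a tampered entry:

```python
"""Illustration only (not SBOMFlow's implementation): a deterministic
composition with SHA-256 input provenance, plus an append-only, hash-chained
audit trail that separates machine observations from human decisions."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # hypothetical chain anchor for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Sorted keys and fixed separators: the same content always yields the
    # same bytes, so hashes are reproducible across runs and machines.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def compose(inputs: dict[str, bytes]) -> dict:
    """Build a composition from lockfile-like inputs (hypothetical
    'name==version' line format). Output depends only on the input bytes:
    components are de-duplicated and sorted, never ordered by discovery."""
    components = set()
    provenance = {}
    for path, data in sorted(inputs.items()):
        provenance[path] = sha256_hex(data)  # what exactly was read
        for line in data.decode().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, version = line.partition("==")
            components.add((name, version))
    return {
        "components": [{"name": n, "version": v} for n, v in sorted(components)],
        "inputs": provenance,
    }


class AuditTrail:
    """Append-only list; each entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, kind: str, actor: str, payload: dict) -> dict:
        # Observations come from the tool; decisions come from a named human.
        assert kind in ("observation", "decision")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "actor": actor,
                "payload": payload, "prev": prev}
        entry = dict(body, hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Return (True, None) if intact, else (False, index of first bad entry).
        Catches edited payloads, re-hashed entries (next prev mismatches),
        deletions and reordering (seq mismatches)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["prev"] != prev or e["seq"] != i
                    or sha256_hex(canonical(body)) != e["hash"]):
                return False, i
            prev = e["hash"]
        return True, None


def demo() -> dict:
    # Constructed sample input; not a real project's lockfile.
    inputs = {"requirements.txt": b"# sample\nrequests==2.31.0\nurllib3==2.0.7\n"}
    comp = compose(inputs)
    trail = AuditTrail()
    trail.append("observation", "tool", {"composition": sha256_hex(canonical(comp))})
    trail.append("observation", "tool", {"requirement": "REQ-EXAMPLE", "status": "evidence missing"})
    trail.append("decision", "reviewer@example.test", {"requirement": "REQ-EXAMPLE",
                                                        "decision": "accepted with rationale"})
    ok_before, _ = trail.verify()
    # Someone edits the stored observation in place to make the gap disappear.
    trail.entries[1]["payload"]["status"] = "met"
    ok_after, broken_at = trail.verify()
    return {"ok_before": ok_before, "ok_after": ok_after, "broken_at": broken_at}


if __name__ == "__main__":
    print(demo())
```

The point of `verify` returning an index rather than a bare boolean is that an auditor wants to know which entry was touched, not only that something was. Note also that a chain like this is tamper-evident, not tamper-proof: anyone who can rewrite the whole file can re-chain it, so the exported bundle's root hash still needs to be recorded somewhere the writer cannot reach.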

What SBOMFlow does NOT do

  • It does not claim your product is "compliant", "certified", or "conformant".
  • It is not only an SBOM generator: it can build SBOMs from supported local inputs and also consume supplier SBOMs, which it records as observed context rather than as verified fact.
  • It is not a vulnerability scanner that decides what ships.
  • It does not file, transmit, sign, or submit any regulatory report.
  • It does not send your source, firmware, paths, or findings anywhere by default.

Start here

  1. Installation
  2. Your first offline audit
  3. Read an evidence bundle
  4. Core concepts

Offline

Every command runs offline by default. Network-capable actions are separate,
named, and opt-in — see Security & privacy.