CLI overview

SBOMFlow ships as a single, coherent sbomflow command tree. Everything runs offline by default. This page groups the commands by the job you are doing; run sbomflow help <command> or sbomflow <command> --help for the authoritative, generated help for any command.

Note

Help text and options come from the CLI itself (a single source of truth), so
this overview never drifts from real behavior. If a command or option is not
shown by --help, it is not available.

Get started

  • sbomflow setup — guided interactive onboarding (requires a real, interactive terminal).
  • sbomflow quickstart <dir> — auto-detect, scaffold config, run an offline audit.
  • sbomflow doctor <dir> — report your environment and config facts.
  • sbomflow init <dir> — scaffold a placeholder sbomflow.yaml.
  • sbomflow validate-config <file> — check config syntax and keys.

Core evidence loop

  • sbomflow audit <dir> --output <dir> — full offline evidence pack for a release.
  • sbomflow analyze <dir> --output <dir> — the analysis stage.
  • sbomflow explain <output> --gap <id> — explain an evidence gap.
  • sbomflow explain <output> --finding <id> — explain an advisory finding.
  • sbomflow explain <output> --gate — explain the release-gate decision.
  • sbomflow review <output> — record human review decisions.
  • sbomflow approve / sbomflow store — approvals and the local evidence store.

Compare and track releases

  • sbomflow compare-releases · sbomflow index-releases · sbomflow dashboard · sbomflow portfolio.

Validate and share

  • sbomflow validate — validate a generated output directory.
  • sbomflow bundle / sbomflow sign-bundle / sbomflow verify-bundle / sbomflow auditor-pack — portable reviewer/auditor handoffs.

Integrations (dry-run by default)

  • sbomflow sync-issues (GitHub), sync-jira, sync-servicenow, sync-dependencytrack, notify.

Network — opt-in

Sync/notify commands are dry-run by default. They only contact an external
system when you pass --apply, and credentials come from environment variables,
never from evidence artifacts.

Embedded, firmware & other inputs

Specialist importers exist for CMake, Zephyr, ESP-IDF, containers/OCI, firmware extraction, update managers, SARIF, and more. Run sbomflow --help for the full list; use only the importers your build actually produces.

Discoverability

  • sbomflow --help — grouped top-level help.
  • sbomflow help [command|topic] — the same help, addressable by name.
  • sbomflow help error <code> — offline explanation of an error code.