Your first offline audit
This walks through producing an evidence bundle from a product directory, fully offline.
Fastest path: quickstart
quickstart auto-detects your project, scaffolds a minimal sbomflow.yaml with placeholders, runs an offline audit, and prints next steps:
sbomflow quickstart .Or use the guided, interactive setup (a real terminal only — see Interactive setup):
sbomflow setupRun a full audit
sbomflow audit ./my-product \
--output ./evidence \
--product-name "My Gateway" \
--product-version "1.0.0" \
--product-class defaultImportant
--product-class records the manufacturer's declaration. SBOMFlow does not
classify your product; it records the class you declare (default,important-class-i, important-class-ii, or critical).
This writes a directory of provenance-bearing artifacts, including evidence-pack.json, cyclonedx-sbom.json, spdx-sbom.json, cra-coverage.json, issues.json, release-gate.json, and a portable evidence-bundle.*. Add --as-of <ISO-8601> when you need byte-reproducible release artifacts from pinned inputs and run context. See Read an evidence bundle.
Offline vs. opt-in enrichment
Offline
By default the audit uses a clearly-labelled, non-real sample vulnerability
feed (identifiers begin with CVE-SAMPLE-). No data leaves your machine.
Network — opt-in
To match real advisories, enable a named lookup explicitly, e.g. --use-osv
(OSV), --use-nvd, --use-kev, --use-epss. These send component identifiers
(package URLs) to the named service — never your source or firmware. Real
firmware/OS-layer CVEs require a distro-tagged SBOM (pkg:deb / pkg:apk).
Exit codes
The audit uses stable exit codes. A 0 means the run completed or a gate was informational; a 1 means an enforced release gate blocked the run. Common input mistakes return 2 with a stable error code and a fix.