Installation

SBOMFlow is a standard-library Python CLI with zero required runtime dependencies. It requires Python 3.11 or newer.

Important

SBOMFlow has not yet had its first public package release. Install **from a
clone** today. `pipx install sbomflow`, PyPI, and Homebrew instructions will be
published after the first release — do not use them until then.

Install from a clone (works today)

```bash
git clone https://github.com/Amzatk1/SBOMFlow.git
cd SBOMFlow
python -m pip install .
sbomflow --version
```

This installs the `sbomflow` entry point. Verify it resolves:

```bash
sbomflow doctor .
```

Optional extras

Some optional capabilities use the `cryptography` package. Build-provenance verification uses the `attest` extra and bundle signing uses the `sign` extra; the baseline engine never requires either:

```bash
python -m pip install ".[attest,sign]"
```

Offline

Installation is the only step that touches the network (to fetch the source).
Running SBOMFlow afterwards is offline by default.

Planned install channels (after first release)

The following are not yet available and will be documented when the first release ships:

  • `pipx install sbomflow`
  • `python -m pip install sbomflow` (from PyPI)
  • a Homebrew formula (a Python CLI ships as a formula, not a cask)

When a Homebrew tap is published, follow the tap's own trust guidance. Prefer installing the specific formula over trusting an entire third-party tap; do not disable Homebrew's trust checks globally.

Next

Continue to your first offline audit.