Security & privacy
SBOMFlow is designed so that sensitive build information stays with you.
Offline by default
The baseline engine runs entirely offline. A default audit makes zero
network requests. This is verified by tests in the project.
By default, none of the following leaves your environment: source code, firmware, SBOMs, file or directory paths, vulnerability details, reviewer notes, or build artifacts.
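One way to check the zero-network-request guarantee for any callable, as an added example that is not SBOMFlow's own test suite: the guard below refuses every socket connection and records what was attempted (the two `sample_*` functions and the TEST-NET address are constructed stand-ins):

```python
import socket
from contextlib import contextmanager
from typing import Callable, List, Tuple


class NetworkAttempt(RuntimeError):
    """Raised when code under the guard tries to open a network connection."""


@contextmanager
def no_network():
    """Refuse every socket connection inside the block and collect the
    destinations that were attempted in the yielded list."""
    attempts: List[Tuple[str, int]] = []
    real_connect, real_connect_ex = socket.socket.connect, socket.socket.connect_ex

    def blocked(self, address, *args, **kwargs):
        # TCP/UDP addresses are (host, port, ...) tuples; Unix sockets are paths.
        if isinstance(address, tuple):
            dest = (str(address[0]), int(address[1]))
        else:
            dest = (str(address), 0)
        attempts.append(dest)
        raise NetworkAttempt(f"network access attempted: {dest[0]}:{dest[1]}")

    socket.socket.connect = blocked          # http.client/urllib/requests end up here
    socket.socket.connect_ex = blocked
    try:
        yield attempts
    finally:                                 # always restore the real methods
        socket.socket.connect = real_connect
        socket.socket.connect_ex = real_connect_ex


def run_offline_check(action: Callable[[], object]) -> List[Tuple[str, int]]:
    """Run `action` under the guard; return the destinations it tried to reach.
    An empty list means the action stayed offline."""
    with no_network() as attempts:
        try:
            action()
        except NetworkAttempt:
            pass  # the attempt is already recorded; nothing was actually sent
    return list(attempts)


# Constructed stand-ins for an audit run (not SBOMFlow code): one stays local,
# the other tries to phone home to a TEST-NET documentation address.
def sample_offline_audit() -> int:
    return len(["pkg:pypi/requests@2.31.0", "pkg:npm/lodash@4.17.21"])


def sample_phone_home() -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect(("203.0.113.10", 443))
```

Wrap the real audit entry point the same way in a test; any non-empty result is a regression of the offline guarantee.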
Named, opt-in network actions
Network-capable actions are explicit, individually named, and documented. They are the only ways SBOMFlow contacts anything, and each requires you to enable it:
| Action | Flag / command | What is sent |
|---|---|---|
| OSV advisory lookup | --use-osv | component package URLs (purls) |
| NVD enrichment | --use-nvd (or --nvd-file offline snapshot) | CVE / CPE identifiers |
| KEV / EPSS enrichment | --use-kev / --use-epss (or file snapshots) | vulnerability identifiers |
| West import resolution | --resolve-west-imports | manifest import URLs |
| Tracker sync / notify | --apply on sync-* / notify | the issue plan you generated |
These send identifiers, never your source or firmware. Offline snapshot
files (--nvd-file, --kev-file, --epss-file) keep even enrichment offline.
Air-gapped use
SBOMFlow works fully air-gapped: run offline, use snapshot files for enrichment, and never enable a network flag. Nothing is required to phone home.
Local metrics stay local
sbomflow analyze --emit-metrics can write a local metrics.json containing aggregate counts, gate summary, phase durations, tool version, and any local release metadata supplied for that run. It records that it contains no source content, credentials, or personal contact details, but you should still inspect release metadata before sharing it. This artifact is yours — SBOMFlow does not upload it and there is no vendor telemetry.
Secrets
Credentials for opt-in integrations come from environment variables, never from command-line flags (which would leak into shell history), and they are never written into evidence artifacts.
No regulatory submission
SBOMFlow never files, transmits, signs, or submits a regulatory report, and never contacts a CSIRT, ENISA, or a reporting platform. CRA Article 14 outputs are always unsigned drafts for a human to complete.