Security & privacy

SBOMFlow is designed so that sensitive build information stays with you.

Offline by default


The baseline engine runs entirely offline. A default audit makes zero
network requests. This is verified by tests in the project.

By default, none of the following leaves your environment: source code, firmware, SBOMs, file or directory paths, vulnerability details, reviewer notes, or build artifacts.

Named, opt-in network actions

Network-capable actions are explicit, individually named, and documented. They are the only ways SBOMFlow contacts anything, and each requires you to enable it:

Action                   Flag / command                                What is sent
OSV advisory lookup      --use-osv                                     component package URLs (purls)
NVD enrichment           --use-nvd (or --nvd-file offline snapshot)    CVE / CPE identifiers
KEV / EPSS enrichment    --use-kev / --use-epss (or file snapshots)    vulnerability identifiers
West import resolution   --resolve-west-imports                        manifest import URLs
Tracker sync / notify    --apply on sync-* / notify                    the issue plan you generated


These send identifiers, never your source or firmware. Offline snapshot
files (--nvd-file, --kev-file, --epss-file) keep even enrichment offline.

Air-gapped use

SBOMFlow works fully air-gapped: run offline, use snapshot files for enrichment, and never enable a network flag. Nothing is required to phone home.

Local metrics stay local

sbomflow analyze --emit-metrics can write a local metrics.json containing aggregate counts, gate summary, phase durations, tool version, and any local release metadata supplied for that run. It records that it contains no source content, credentials, or personal contact details, but you should still inspect release metadata before sharing it. This artifact is yours — SBOMFlow does not upload it and there is no vendor telemetry.
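The "inspect release metadata before sharing it" step can be automated. The following is an added example, not SBOMFlow's own code: it walks a metrics.json and flags keys or string values that look like filesystem paths, e-mail addresses, or credentials. The key names in the constructed sample are an assumption, not SBOMFlow's real schema.

```python
import json
import re

# Constructed sample of a metrics.json; the key names are an assumption,
# not SBOMFlow's real schema. The release notes carry the kind of content
# a reviewer would want to strip before sharing the file.
SAMPLE_METRICS = json.dumps({
    "tool_version": "0.0.0-example",
    "counts": {"components": 412, "vulnerabilities": 7, "critical": 1},
    "gate": {"result": "fail", "blocking": 1},
    "phase_durations_ms": {"parse": 120, "match": 980},
    "release": {
        "name": "fw-2.3.1",
        "notes": "built by alice@example.com from /home/alice/src/fw",
        "api_token": "ghp_EXAMPLEPLACEHOLDER",
    },
})

# Heuristic patterns for things that should not be in a shared artifact.
PATH_RE = re.compile(r"(?<![\w:])(?:/[\w.\-]+){2,}|[A-Za-z]:\\[^\s\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SECRET_KEY_RE = re.compile(r"(token|secret|password|passwd|api[_-]?key|credential)", re.I)


def find_sensitive(metrics, pointer=""):
    """Walk a parsed metrics document and return JSON-pointer-style locations
    whose key or string value looks like a path, an e-mail address, or a credential."""
    findings = []
    if isinstance(metrics, dict):
        for key, value in metrics.items():
            loc = f"{pointer}/{key}"
            if SECRET_KEY_RE.search(key):
                findings.append(f"{loc}: credential-like key")
            findings.extend(find_sensitive(value, loc))
    elif isinstance(metrics, list):
        for i, value in enumerate(metrics):
            findings.extend(find_sensitive(value, f"{pointer}/{i}"))
    elif isinstance(metrics, str):
        if PATH_RE.search(metrics):
            findings.append(f"{pointer}: filesystem path in value")
        if EMAIL_RE.search(metrics):
            findings.append(f"{pointer}: e-mail address in value")
    return findings


def check_metrics_text(text):
    """Return findings for a metrics.json given as text; an empty list means nothing was flagged."""
    return find_sensitive(json.loads(text))


if __name__ == "__main__":
    for finding in check_metrics_text(SAMPLE_METRICS):
        print(finding)
```

The patterns are deliberately broad (a URL path will also trip PATH_RE), so treat a hit as something to look at, not as proof of a leak.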

Secrets

Credentials for opt-in integrations come from environment variables, never from command-line flags (which would leak into shell history), and they are never written into evidence artifacts.

No regulatory submission

SBOMFlow never files, transmits, signs, or submits a regulatory report, and never contacts a CSIRT, ENISA, or a reporting platform. CRA Article 14 outputs are always unsigned drafts for a human to complete.