Open Source Toolkit

Open-source tools for the whole SBOM lifecycle.

Interlynk builds and maintains the command-line tools teams use to author, assemble, score, and move SBOMs. Apache-2.0, written in Go, and used across the software supply chain community.

sbomqs

sbomasm

sbommv

bomtique

$ brew tap interlynk-io/interlynk

APACHE-2.0 · WRITTEN IN GO · CYCLONEDX & SPDX

How they fit together

One tool for each step of working with an SBOM.

The four tools are independent and composable. Use one, or chain them across your pipeline from authoring through delivery.

Author

bomtique

Hand-author SBOMs where automated scanning falls short.

Assemble

sbomasm

Merge, edit, enrich, and sign SBOMs into one document.

Score

sbomqs

Grade quality and check compliance before you ship.

Move

sbommv

Transfer SBOMs between systems and platforms.

The tools

Four focused tools, no lock-in.

Each does one job well and works standalone. Install what you need from Homebrew or go install.

sbomqs

Go

Apache-2.0

★ 293

Score and validate SBOM quality.

Grades any CycloneDX or SPDX SBOM on a 0–10 quality scale and checks it against compliance standards. Lists and filters components, finds the ones missing security identifiers, and generates shareable score reports. Runs in CI and air-gapped environments.

quality 0–10

NTIA

BSI TR-03183-2

FSCT v3

OpenChain Telco

air-gapped

$ brew install sbomqs

$ sbomqs score your-sbom.json

sbomasm

Go

Apache-2.0

★ 118

Assemble, edit, and sign SBOMs.

Stitches multiple component SBOMs into one product-level document, edits metadata for compliance, strips sensitive information, enriches missing fields like licenses, and cryptographically signs and verifies the result.

assemble

edit

enrich

redact

sign & verify

CycloneDX

SPDX

$ go install github.com/interlynk-io/sbomasm@latest

$ sbomasm assemble -n app -v 1.0.0 -o final.json 1.json 2.json

sbommv

Go

Apache-2.0

★ 27

Move SBOMs between systems.

A modular, adapter-based mover that fetches SBOMs from sources, translates and validates them, enriches metadata, and pushes them to destinations. Built to plug new systems in and out without changing your pipeline.

GitHub

AWS S3

local folders

Dependency-Track

Interlynk

translate

validate

$ brew install sbommv

$ sbommv --in github --out dtrack # fetch & push

bomtique

New

Go

Apache-2.0

★ early

Hand-author SBOMs for C/C++ and embedded.

A manifest spec and reference tool for producing CycloneDX and SPDX SBOMs from deliberately curated component metadata, for the codebases where automated SCA is unreliable: C/C++, embedded, legacy, and hybrid. Deterministic, reproducible, with per-build-variant granularity and drift detection.

C/C++

embedded

deterministic

per-variant

vendored + patched

drift detection

$ brew install bomtique

$ bomtique emit # CycloneDX from your manifest

Open by default

Built in the open, used across the community.

Every tool is Apache-2.0 licensed and installs from the same Homebrew tap. sbomqs is referenced in the SBOM-Community SBOM Generation white paper.

4

Focused, composable CLI tools

Single static binaries, no runtime

Apache-2.0

Permissive license on every repo

2

Standards supported: CycloneDX & SPDX

$ brew tap interlynk-io/interlynk && brew install sbomqs sbomasm sbommv bomtique

Open-source CLI tools, managed-platform workflows when you need them.

The same SBOM engineering, managed for you.

The toolkit is free and open source. When you need continuous monitoring, policy, and compliance across a portfolio, the Interlynk platform builds on the same foundations.

Interlynk automates SBOMs, manages open source risks, monitors suppliers, and prepares you for the post-quantum era, all in one trusted platform.

See your SBOM Done Right
