Open Source Toolkit
$ brew tap interlynk-io/interlynk
APACHE-2.0 · WRITTEN IN GO · CYCLONEDX & SPDX
How they fit together
Author (bomtique): Hand-author SBOMs where automated scanning falls short.
Assemble (sbomasm): Merge, edit, enrich, and sign SBOMs into one document.
Score (sbomqs): Grade quality and check compliance before you ship.
Move (sbommv): Transfer SBOMs between systems and platforms.
The tools
sbomqs
Go · Apache-2.0 · ★ 293
Score and validate SBOM quality.
Grades any CycloneDX or SPDX SBOM on a 0–10 quality scale and checks it against compliance standards. Lists and filters components, finds the ones missing security identifiers, and generates shareable score reports. Runs in CI and air-gapped environments.
quality 0–10 · NTIA · BSI TR-03183-2 · FSCT v3 · OpenChain Telco · air-gapped
$ brew install sbomqs
$ sbomqs score your-sbom.json
sbomasm
Go · Apache-2.0 · ★ 118
Assemble, edit, and sign SBOMs.
Stitches multiple component SBOMs into one product-level document, edits metadata for compliance, strips sensitive information, enriches missing fields like licenses, and cryptographically signs and verifies the result.
assemble · edit · enrich · redact · sign & verify · CycloneDX · SPDX
$ go install github.com/interlynk-io/sbomasm@latest
$ sbomasm assemble -n app -v 1.0.0 -o final.json 1.json 2.json
sbommv
Go · Apache-2.0 · ★ 27
Move SBOMs between systems.
A modular, adapter-based mover that fetches SBOMs from sources, translates and validates them, enriches metadata, and pushes them to destinations. Built to plug new systems in and out without changing your pipeline.
GitHub · AWS S3 · local folders · Dependency-Track · Interlynk · translate · validate
$ brew install sbommv
$ sbommv --in github --out dtrack # fetch & push
bomtique
New · Go · Apache-2.0 · ★ early
Hand-author SBOMs for C/C++ and embedded.
A manifest spec and reference tool for producing CycloneDX and SPDX SBOMs from deliberately curated component metadata, for the codebases where automated SCA is unreliable: C/C++, embedded, legacy, and hybrid. Deterministic, reproducible, with per-build-variant granularity and drift detection.
C/C++ · embedded · deterministic · per-variant · vendored + patched · drift detection
$ brew install bomtique
$ bomtique emit # CycloneDX from your manifest
Open by default
4 · Focused, composable CLI tools · Single static binaries, no runtime
Apache-2.0 · Permissive license on every repo
2 · Standards supported: CycloneDX & SPDX