One script. Every OS. Generates SBOM, CBOM & HBOM in CycloneDX or SPDX — with auto-installed dependencies, vulnerability scanning, and hardware inventory.
Run them individually or all at once. Each captures a different layer of your system.
Scans a directory with Syft to catalog every package and dependency. Vulnerability-scanned immediately via Grype.
Discovers TLS certs, private keys, JWKs, GPG keyrings, Java keystores, and source-level crypto references (AES, RSA, ECDSA, SHA-256, Ed25519). IBM Analyzer ready.
Inventories CPU, RAM slots, disks, GPUs, NICs with MACs, firmware/BIOS version, and USB peripherals using native OS APIs on each platform.
Pass the format as the third argument. All three BOM types support all four formats.
| Flag | Format | Extension | Notes |
|---|---|---|---|
| cyclonedx-json | CycloneDX 1.5 JSON (default) | .cdx.json | IBM CBOM Analyzer, Dependency-Track, all modern tooling |
| cyclonedx-xml | CycloneDX 1.5 XML | .cdx.xml | Legacy enterprise tools and XML-native pipelines |
| spdx-json | SPDX 2.3 JSON | .spdx.json | Government and DoD compliance. Includes the package purpose field |
| spdx-tag | SPDX 2.3 Tag-Value | .spdx.tv | Human-readable, diffable, great for source control |
Six stages, zero manual configuration. Everything from tool installation to format conversion is handled automatically.
Detects macOS, Linux, or Windows (Git Bash / WSL) via uname -s. Selects Homebrew, apt, dnf, pacman, or winget automatically. Apple Silicon brew paths handled.
Installs syft, grype, and python3 if missing. All Python packages (cyclonedx-python-lib) go into an isolated venv at /tmp/bom_venv_$$ — your system Python is never touched. The venv and all temp files are automatically cleaned up on exit via a trap cleanup EXIT.
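The first two stages above, as an added example that is not the script's own code: a portable `uname -s` to platform mapping, a package-manager choice that can be exercised with a stub lookup instead of the real PATH, and the per-run `/tmp/bom_venv_$$` directory removed by an EXIT trap. The `python3 -m venv` step itself is left out so the example runs offline; the stub-lookup parameter of `pick_pkg_manager` is an assumption made for this example.

```shell
#!/usr/bin/env sh
# Added example (not generate_bom.sh itself): platform detection and the
# isolated, self-cleaning work directory pattern described on this page.
set -eu

# Map the kernel name from `uname -s` to a platform label. The name is passed
# in as an argument so the function can be exercised with constructed values.
detect_platform() {
  case "$1" in
    Darwin)               echo macos ;;
    Linux)                echo linux ;;
    MINGW*|MSYS*|CYGWIN*) echo windows ;;  # Git Bash reports e.g. MINGW64_NT-10.0
    *)                    echo unknown ;;
  esac
}

# Choose a package manager for a platform. On Linux the choice depends on which
# binary is on PATH; the optional second argument is a lookup command (default
# `command -v`) so a caller can substitute a stub and test the selection
# without touching the real system. Returns 1 when nothing suitable is found.
pick_pkg_manager() {
  platform="$1"
  have="${2:-command -v}"
  case "$platform" in
    macos)   echo brew ;;
    windows) echo winget ;;
    linux)
      for pm in apt-get dnf pacman; do
        if $have "$pm" >/dev/null 2>&1; then
          echo "$pm"
          return 0
        fi
      done
      echo none
      return 1 ;;
    *)
      echo none
      return 1 ;;
  esac
}

# Per-run scratch directory keyed on this shell's PID, the same naming the page
# uses for its venv. The EXIT trap removes it on normal and on error exit, so a
# failed run leaves nothing behind in /tmp and the system Python is never used.
WORK_DIR="${TMPDIR:-/tmp}/bom_venv_$$"
cleanup() { rm -rf "$WORK_DIR"; }
trap cleanup EXIT
mkdir -p "$WORK_DIR"
# The real script would now run `python3 -m venv "$WORK_DIR"` and pip-install
# cyclonedx-python-lib into it; skipped here so the example runs offline.

PLATFORM=$(detect_platform "$(uname -s)")
PKG_MANAGER=$(pick_pkg_manager "$PLATFORM" || true)
printf '[•] platform=%s package-manager=%s workdir=%s\n' \
  "$PLATFORM" "$PKG_MANAGER" "$WORK_DIR"
```

Passing the kernel name and the lookup command in as arguments is what makes the detection logic testable on a developer machine without installing anything; the same functions then run unchanged against the real `uname -s` and PATH.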
Runs syft dir:TARGET -o FORMAT — Syft handles all four output formats natively. The SBOM is immediately passed into grype sbom:FILE -o json for a matching CVE vulnerability report.
Collects installed packages and filters for crypto libraries (openssl, libssl, bcrypt, gnupg, libsodium …). Simultaneously scans target for *.pem, *.key, *.jwk, *.gpg, *.jks, id_rsa, id_ed25519, and source files referencing AES, RSA, ECDSA, SHA-256, SHA-512, Ed25519. Output is CycloneDX 1.5 JSON, then converted to your chosen format.
Uses OS-native APIs: system_profiler on macOS, /proc + lsblk + lspci + dmidecode on Linux/WSL, wmic on Windows. Serialised as CycloneDX DEVICE and FIRMWARE components.
CBOM and HBOM always write .cdx.json first, then the built-in Python converter produces CycloneDX XML, SPDX JSON, or SPDX tag-value. Every run lands in a new bom_output_YYYYMMDD-HHMMSS/ folder — nothing is overwritten.
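The file-system half of the CBOM stage, as an added example rather than the script's own implementation: name-based discovery of certificates, keys, JWKs, keyrings and keystores, content-based discovery of source files that reference an algorithm, and serialisation as a minimal CycloneDX 1.5 JSON document. It runs against a constructed sample tree with placeholder file bodies (no real key material). The `file` component type is valid CycloneDX 1.5; the `cbom:kind` property name and the source-file extensions scanned are assumptions made for this example, and the page's script builds its BOM with cyclonedx-python-lib rather than with printf.

```shell
#!/usr/bin/env sh
# Added example (not generate_bom.sh itself): discover cryptographic assets
# under a directory and emit a minimal CycloneDX 1.5 JSON CBOM.
set -eu

# Classify one asset. A content check runs first because *.pem can hold either
# a certificate or a private key, so the extension alone is not reliable.
classify_asset() {
  if grep -q 'PRIVATE KEY' "$1" 2>/dev/null; then
    echo private-key
    return 0
  fi
  case "$(basename "$1")" in
    *.pem|*.crt)             echo certificate ;;
    *.key|id_rsa|id_ed25519) echo private-key ;;
    *.pub)                   echo public-key ;;
    *.jwk)                   echo jwk ;;
    *.gpg)                   echo gpg-keyring ;;
    *.jks)                   echo java-keystore ;;
    *)                       echo unknown ;;
  esac
}

# Print one "kind<TAB>path" line per asset found under $1.
scan_crypto_assets() {
  root="$1"
  # Name-based discovery using the patterns the page lists.
  find "$root" -type f \( -name '*.pem' -o -name '*.crt' -o -name '*.key' \
      -o -name '*.pub' -o -name '*.jwk' -o -name '*.gpg' -o -name '*.jks' \
      -o -name id_rsa -o -name id_ed25519 \) |
  while IFS= read -r f; do
    printf '%s\t%s\n' "$(classify_asset "$f")" "$f"
  done
  # Content-based discovery: source files mentioning an algorithm by name
  # (extension list is an assumption of this example).
  find "$root" -type f \( -name '*.py' -o -name '*.go' -o -name '*.java' \
      -o -name '*.js' -o -name '*.c' -o -name '*.rs' \) \
      -exec grep -lE '(AES|RSA|ECDSA|SHA-256|SHA-512|Ed25519)' {} + 2>/dev/null |
  while IFS= read -r f; do
    printf 'source-reference\t%s\n' "$f"
  done
}

# Escape backslashes and double quotes so paths are safe inside JSON strings.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Read "kind<TAB>path" lines on stdin and write a CycloneDX 1.5 JSON BOM.
emit_cbom_json() {
  printf '{\n  "bomFormat": "CycloneDX",\n  "specVersion": "1.5",\n  "version": 1,\n  "components": [\n'
  first=1
  tab=$(printf '\t')
  while IFS="$tab" read -r kind path; do
    [ "$first" -eq 1 ] || printf ',\n'
    first=0
    printf '    {"type": "file", "name": "%s", "properties": [{"name": "cbom:kind", "value": "%s"}]}' \
      "$(json_escape "$path")" "$kind"
  done
  printf '\n  ]\n}\n'
}

# Build a small constructed tree so the example runs offline. The certificate
# and key bodies are placeholders, not real key material.
make_sample_tree() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/cbom_sample.XXXXXX")
  mkdir -p "$dir/src" "$dir/.ssh"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-certificate-body' \
    '-----END CERTIFICATE-----' > "$dir/server.pem"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder-key-body' \
    '-----END OPENSSH PRIVATE KEY-----' > "$dir/.ssh/id_ed25519"
  printf '%s\n' 'from cryptography.hazmat.primitives.ciphers import algorithms' \
    'cipher = algorithms.AES(key)  # AES reference picked up by the scan' > "$dir/src/crypto.py"
  printf '%s\n' 'print("no crypto here")' > "$dir/src/main.py"
  echo "$dir"
}

SAMPLE=$(make_sample_tree)
trap 'rm -rf "$SAMPLE"' EXIT
scan_crypto_assets "$SAMPLE" | emit_cbom_json > "$SAMPLE/cbom.cdx.json"
printf '[✔] wrote %s (%s assets)\n' "$SAMPLE/cbom.cdx.json" \
  "$(scan_crypto_assets "$SAMPLE" | wc -l | tr -d ' ')"
```

The content check in `classify_asset` is the part worth keeping: a `.pem` that contains `PRIVATE KEY` is inventoried as a private key, not a certificate, which is the distinction an analyst reviewing the CBOM for exposed key material actually needs.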
Signature: `generate_bom.sh [TARGET_DIR] [MODE] [FORMAT]` — all arguments are optional and default to `. all cyclonedx-json`.
This entire script was built through a conversation with Claude. Below is the prompt that produced it — paste it into Claude and you'll get the same result.
Write a single unified bash script called generate_bom.sh that generates three types of Bill of Materials — SBOM, CBOM, and HBOM — and works without modification on macOS, Linux (Debian/Ubuntu/RHEL/Arch), and Windows via Git Bash or WSL.
The script should accept three optional arguments: [TARGET_DIR] (default: current directory), [MODE] (sbom | cbom | hbom | all, default: all), and [FORMAT] (cyclonedx-json | cyclonedx-xml | spdx-json | spdx-tag, default: cyclonedx-json).
Core requirements:
- Python packages go into an isolated venv at /tmp/bom_venv_$$ so the system Python is never touched
- trap cleanup EXIT to remove the venv and all temp files automatically on exit
- Output goes to bom_output_YYYYMMDD-HHMMSS/ inside the target directory — never overwrite previous runs

SBOM: Use Syft to scan the target directory. Pass the output format flag directly to Syft (it handles all four formats natively). Then run Grype against the SBOM to produce a separate vulnerabilities JSON report.
CBOM (Cryptography BOM): Collect installed packages via the native package manager and filter for crypto-relevant ones (openssl, libssl, bcrypt, gnupg, libsodium, etc.). Also scan the target directory for cryptographic file assets: *.pem, *.crt, *.key, *.pub, *.jwk, *.gpg, *.jks, id_rsa, id_ed25519, and source files referencing AES, RSA, ECDSA, SHA-256, SHA-512, Ed25519. Output must be CycloneDX 1.5 JSON compatible with the IBM CBOM Analyzer at zurich.ibm.com/cbom. Use cyclonedx-python-lib inside the venv to build and serialise the BOM.
HBOM (Hardware BOM): Collect hardware inventory using OS-native APIs — system_profiler on macOS, /proc/cpuinfo + lsblk + lspci + dmidecode on Linux/WSL, and wmic on Windows. Capture CPU model/cores/threads, RAM slots, disk drives, GPUs, NICs with MAC addresses, firmware/BIOS version, and USB peripherals. Serialise as CycloneDX DEVICE and FIRMWARE component types.
Format conversion: SBOM uses Syft's native format support. CBOM and HBOM always generate CycloneDX JSON first, then a built-in Python converter produces CycloneDX XML, SPDX 2.3 JSON (with primaryPackagePurpose), or SPDX 2.3 tag-value as requested.
Use colour-coded terminal output ([•] info, [✔] success, [!] warn, [✘] error) and print a summary table of generated files with sizes at the end.
You can also extend it — ask Claude to add Docker image scanning, container SBOM support, CI/CD integration, or automatic upload to Dependency-Track.
Drop any BOM file generated by this script — or any compatible CycloneDX / SPDX file — into the viewer. It is parsed entirely in your browser; nothing is uploaded.
Accepted inputs: .cdx.json, .cdx.xml, .spdx.json, .spdx.tv (SPDX tag-value). The viewer lists each component's name, version, type, and license.