Supply chain security is terrifying right now. With new vulnerabilities popping up daily and governments mandating compliance (like the EU CRA and US Executive Orders), I realized my open-source projects were completely flying blind.
I needed a Software Bill of Materials (SBOM) to track exactly what dependencies I was shipping. But every tool I found was either a massive enterprise platform or a clunky CLI tool that took forever to set up.
So, I built my own. It's called Deptic.
🏗️ The Architecture
I wanted the developer experience to be completely frictionless: you paste a GitHub URL, and it instantly spits out a compliant SBOM and highlights any critical CVEs.
Here is the tech stack I went with:
- Next.js 14 (App Router): For a lightning-fast React frontend and seamless API routes.
- Go (Golang): The backend scanning engine. Go's incredible concurrency allows it to parse massive dependency trees in milliseconds.
- Supabase: For database management and instant authentication.
- Tailwind CSS: Because writing raw CSS is pain.
🧩 The Hardest Part: Dependency Resolution
Building the UI was easy. Parsing package.json or go.mod files? Also easy.
The hardest part was recursively walking down the dependency tree to find transitive dependencies (the dependencies of your dependencies). I had to write custom parsers that could talk to the NPM registry, PyPI, and Maven Central simultaneously to map out the entire tree, then cross-reference every node against global CVE databases in real time.
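Here is a stripped-down sketch of that walk in Go, added as an illustration rather than Deptic's actual code: the `registry` map stands in for what the npm/PyPI/Maven lookups return, the `advisories` map stands in for the CVE database, and both hold constructed sample data (placeholder IDs, not real CVEs) so the snippet runs offline. The point it shows is the visited set, which is what keeps a diamond dependency from appearing twice and keeps a dependency cycle from looping forever.

```go
package main
import "sort"

// Constructed stand-in for npm/PyPI/Maven registry metadata: package@version -> direct
// dependencies. Deptic fetches these over the network; here they are embedded to run offline.
// A package with no entry is treated as a leaf.
var registry = map[string][]string{
	"app@1.0.0":         {"left-pad@2.0.0", "http-client@4.1.0"},
	"left-pad@2.0.0":    {"util@1.2.0"},
	"http-client@4.1.0": {"util@1.2.0", "left-pad@2.0.0", "logger@0.9.0"},
	"logger@0.9.0":      {"http-client@4.1.0"}, // cycle: logger -> http-client -> logger
}

// Constructed advisory index with placeholder IDs (not real CVEs); a real scanner
// cross-references a vulnerability database such as OSV or NVD.
var advisories = map[string][]string{
	"util@1.2.0":   {"CVE-0000-PLACEHOLDER-1"},
	"logger@0.9.0": {"CVE-0000-PLACEHOLDER-2"},
}

// Resolve walks the graph depth-first from root and returns every transitive dependency
// exactly once, sorted. The visited set collapses diamonds (util is reachable two ways)
// and stops the walk on cycles.
func Resolve(root string) []string {
	visited := map[string]bool{root: true}
	var out []string
	var walk func(pkg string)
	walk = func(pkg string) {
		for _, dep := range registry[pkg] {
			if !visited[dep] {
				visited[dep] = true
				out = append(out, dep)
				walk(dep)
			}
		}
	}
	walk(root)
	sort.Strings(out)
	return out
}

// Scan returns each resolved component that has a known advisory, with its IDs:
// the cross-reference step that turns a bare SBOM into vulnerability findings.
func Scan(root string) map[string][]string {
	findings := map[string][]string{}
	for _, c := range Resolve(root) {
		if ids, hit := advisories[c]; hit {
			findings[c] = ids
		}
	}
	return findings
}
```

Note that `Resolve` keys on exact `name@version`, so the same package at two versions is (correctly) reported as two components; a real resolver also has to apply each ecosystem's version-range rules before it gets to this point.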
🚀 The Result
What started as a weekend script turned into a full platform. Deptic now supports:
- Instant scanning of public GitHub repos.
- Generating perfectly compliant CycloneDX (1.5) and SPDX (2.3) JSON files.
- Live CVE vulnerability detection.
Try it out!
If you want to see exactly what dependencies are hiding in your codebase, you can run a free scan here:
👉 deptic.netlify.app
It's completely free for developers. I would love to get your brutal feedback on the UI, the scanning speed, or any feature requests you have!
Have you implemented SBOMs in your workflow yet? Let me know in the comments!