I got tired of generating SBOMs and then having nowhere useful to put them. So I built SBOMHub - an open-source dashboard for managing SBOMs and tracking vulnerabilities across multiple projects.
The Problem
Tools like Syft, Trivy, and cdxgen make generating SBOMs easy. But then what?
- Where do you store SBOMs for 20+ projects?
- When a new CVE drops (like Log4j), can you quickly find which projects are affected?
- How do you prioritize which vulnerabilities to fix first?
- How do you prove to auditors that you're tracking vulnerabilities?
I needed a central place to answer these questions.
What SBOMHub Does
Core features:
- Import SBOMs from any generator (CycloneDX/SPDX JSON)
- Track vulnerabilities with NVD matching
- Cross-project CVE search - "Show me every project using lodash < 4.17.21"
- EPSS scoring - Prioritize by actual exploit probability, not just CVSS
- VEX support - Mark false positives with justification
- CLI for CI/CD - Fail builds on critical vulnerabilities
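As an added example (not SBOMHub's own code) of what the cross-project search above has to do under the hood, this script walks CycloneDX JSON and SPDX JSON SBOMs from three constructed projects and returns the ones shipping lodash below 4.17.21. It compares versions segment by segment, because a plain string comparison would rank 4.17.9 above 4.17.21 and miss it.

```python
import json

def parse_version(v):
    """Turn '4.17.9' into (4, 17, 9); non-numeric segments count as 0.
    Plain string comparison ranks '4.17.9' above '4.17.21', so a search that
    compared strings would miss it. Use packaging.version or a semver library
    in production; this keeps the example dependency-free."""
    return tuple(int(s) if s.isdigit() else 0 for s in v.split("."))

def version_less(a, b):
    """Segment-wise a < b, padding the shorter version with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))

def components(sbom_json):
    """Yield (name, version) from a CycloneDX JSON or SPDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            yield c.get("name", ""), c.get("version", "")
    elif doc.get("spdxVersion", "").startswith("SPDX-"):
        for p in doc.get("packages", []):
            yield p.get("name", ""), p.get("versionInfo", "")
    else:
        raise ValueError("unrecognised SBOM format")

def affected_projects(sboms, name, fixed):
    """Map project -> shipped version for every project whose SBOM lists
    `name` at a version below `fixed` (the 'lodash < 4.17.21' search)."""
    hits = {}
    for project, raw in sboms.items():
        for cname, cver in components(raw):
            if cname == name and version_less(cver, fixed):
                hits[project] = cver
    return hits

# Constructed SBOMs for three hypothetical projects (not real data).
SAMPLE_SBOMS = {
    "web-frontend": '{"bomFormat":"CycloneDX","components":[{"name":"lodash","version":"4.17.9"}]}',
    "admin-portal": '{"bomFormat":"CycloneDX","components":[{"name":"lodash","version":"4.17.21"}]}',
    "legacy-cms": '{"spdxVersion":"SPDX-2.3","packages":[{"name":"lodash","versionInfo":"4.17.20"}]}',
}

if __name__ == "__main__":
    # prints {'web-frontend': '4.17.9', 'legacy-cms': '4.17.20'}
    print(affected_projects(SAMPLE_SBOMS, "lodash", "4.17.21"))
```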
Quick Start
```bash
curl -fsSL https://raw.githubusercontent.com/youichi-uda/sbomhub/main/docker-compose.yml -o docker-compose.yml
docker compose up -d
# Open http://localhost:3000
```
That's it. PostgreSQL and Redis are included.
CLI Usage
```bash
# Install
go install github.com/youichi-uda/sbomhub-cli/cmd/sbomhub@latest

# Scan and upload (auto-detects Syft/Trivy/cdxgen)
sbomhub scan . --project my-app

# Fail CI on critical vulnerabilities
sbomhub scan . --project my-app --fail-on critical
```
GitHub Actions Integration
```yaml
name: SBOM Check
on:
  push:
    branches: [main]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install CLI
        run: curl -fsSL https://sbomhub.app/install.sh | sh
      - name: Scan and Upload
        run: sbomhub scan . --project ${{ github.repository }} --fail-on critical
        env:
          SBOMHUB_API_KEY: ${{ secrets.SBOMHUB_API_KEY }}
```
Tech Stack
| Layer | Tech |
|---|---|
| Backend | Go 1.22+ (Echo) |
| Frontend | Next.js 16 + React 19 |
| UI | shadcn/ui + Tailwind |
| Database | PostgreSQL 15+ |
| Cache | Redis 7+ |
| License | AGPL-3.0 |
Why Not Dependency-Track?
Fair question. Dependency-Track is more mature and battle-tested.
I built SBOMHub because:
- DT dropped SPDX support in v4
- I needed a CLI for CI/CD integration
- I wanted cross-project CVE search
- I needed SBOM diff between versions
If DT works for you, stick with it. SBOMHub is for people who need these specific features.
SaaS Option
Don't want to self-host? Try the cloud version: https://sbomhub.app
| Plan | Price | Projects |
|---|---|---|
| Free | $0 | 2 |
| Starter | ~$17/mo | 5 |
| Pro | ~$55/mo | Unlimited |
Self-hosted is completely free (AGPL-3.0).
What's Next
- [ ] LDAP/OIDC authentication
- [ ] More vulnerability sources
- [ ] AI-powered priority suggestions
Links
- GitHub: https://github.com/youichi-uda/sbomhub
- CLI: https://github.com/youichi-uda/sbomhub-cli
- SaaS: https://sbomhub.app
Would love feedback! What features would make this useful for your workflow?