Open-source dependencies accelerate development but also create security blind spots; popular languages like JavaScript and Python alone support over a million packages combined. They let us move faster from idea to product without reinventing the wheel at every step.
However, each external dependency introduces potential risk. Security vulnerabilities can hide in third-party components, and as the number of dependencies grows, tracking their versions and where they are used becomes increasingly complex.
Creating a software bill of materials (SBOM) is a practice that solves this issue. An SBOM lists all the parts that make up your software, including package names and versions. Having a central source of truth for your dependencies means that you and your customers can quickly and efficiently check for potential vulnerabilities and license issues.
Ready to learn more? This article will start with a quick refresher on SBOMs and then list the top SBOM-generation tools available.
What is an SBOM?
An SBOM is a machine- and human-readable inventory of all the software in your application. Essentially, an SBOM keeps track of every third-party dependency you use when building your applications. It records key facts for every component, including its name, version number, release date, checksum, and license information.
Why do you need an SBOM?
SBOMs give engineering teams a complete, up-to-date inventory of third-party components—names, versions, and licenses—so you can assess the impact of code or license changes and quickly surface security issues, from pre-release Common Weakness Enumerations (CWE) to post-release Common Vulnerabilities and Exposures (CVE).
On the operations side, SBOMs enable effective asset management. They enumerate the software and licenses in use – helpful for enforcing policies such as avoiding GPL – and help you quickly identify supply chain risks introduced by dependencies.
SBOMs are also a compliance requirement. The Executive Order on Improving the Nation's Cybersecurity requires U.S. government contractors to provide SBOMs for applicable software, making SBOMs mandatory for vendors working with the federal government.
How do SBOM tools work?
SBOM tools automatically discover and catalog all software components in your applications. Many software composition analysis (SCA) tools include SBOM generators that scan your codebase and create comprehensive inventories.
Manifest scanning checks manifest files (e.g., package.json or Cargo.toml) for the dependencies listed.
Binary scanning checks compiled binaries for any third-party code it can trace back to a specific library.
Hybrid scanning methods use a mix of manifest and binary scanning to ensure no dependency slips through.
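To make the manifest-scanning approach concrete, here is a small added example (not code from this article or from any of the tools listed below) that reads the dependencies declared in an npm package.json and emits a CycloneDX JSON document. The sample manifest is constructed for the demo, and the scoped-package handling follows the package URL (purl) convention of encoding the leading @ as %40.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample manifest for the demo (not a real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.21"},
    "devDependencies": {"jest": "~29.7.0"},
})


def npm_purl(name: str, version: str) -> str:
    """Package URL for an npm package; a scoped name keeps its @scope (as %40)."""
    if name.startswith("@"):
        scope, bare = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def manifest_to_cyclonedx(manifest_text: str) -> dict:
    """Manifest scanning only: declared direct dependencies become CycloneDX
    components. No transitive resolution and no binary inspection here."""
    manifest = json.loads(manifest_text)
    components = []
    for section, scope in (("dependencies", "required"), ("devDependencies", "optional")):
        for name, spec in sorted(manifest.get(section, {}).items()):
            # Strip the ^/~ range prefix; a lockfile would give the exact resolved pin.
            version = spec.lstrip("^~")
            components.append({
                "type": "library",
                "name": name,
                "version": version,
                "purl": npm_purl(name, version),
                "scope": scope,
            })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": manifest["name"],
                          "version": manifest["version"]},
        },
        "components": components,
    }
```

Print the result with `json.dumps(manifest_to_cyclonedx(SAMPLE_PACKAGE_JSON), indent=2)`; a real scanner would read the lockfile to capture exact pins and transitive packages, which this manifest-only pass deliberately does not see.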
As previously mentioned, SBOMs come in several formats that are both machine- and human-readable. This lets you analyze them automatically and also quickly check by hand whether you use a specific library.
Popular SBOM formats are:
SPDX by the Linux Foundation, which has a focus on software licenses.
CycloneDX by OWASP, which focuses on security vulnerabilities.
SWID by NIST, which does not have one particular emphasis.
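As an added example of consuming an SBOM for the checks mentioned earlier (enforcing an "avoid GPL" license policy and confirming whether a specific library is in use), the following script, which is not from this article or from Wiz, queries a CycloneDX document. The SBOM, package names and licenses in it are constructed for the demo.

```python
import json
import re

# Constructed sample CycloneDX SBOM (not a real project's inventory).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "tarlib", "version": "2.1.0",
         "purl": "pkg:npm/tarlib@2.1.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "dualpkg", "version": "0.9.0",
         "purl": "pkg:npm/dualpkg@0.9.0", "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"type": "library", "name": "mystery", "version": "1.0.0",
         "purl": "pkg:npm/mystery@1.0.0"},
    ],
})

# Copyleft family to flag under an "avoid GPL" policy (GPL, AGPL, LGPL).
DENIED = re.compile(r"\b(?:AGPL|LGPL|GPL)(?:-|\b)", re.IGNORECASE)


def component_licenses(component: dict) -> list[str]:
    """Flatten CycloneDX license entries (SPDX id, free-text name, or expression)."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return out


def policy_violations(bom_text: str) -> list[tuple[str, str]]:
    """(purl, license) pairs that hit the deny list. Components with no license
    data are reported as UNKNOWN so they get reviewed rather than silently passed."""
    hits = []
    for comp in json.loads(bom_text).get("components", []):
        for lic in component_licenses(comp) or ["UNKNOWN"]:
            if lic == "UNKNOWN" or DENIED.search(lic):
                hits.append((comp["purl"], lic))
    return hits


def find_package(bom_text: str, name: str) -> list[str]:
    """Versions of `name` present in the SBOM: the 'do we ship this library?' check."""
    return [c["version"] for c in json.loads(bom_text).get("components", [])
            if c.get("name") == name]
```

SPDX expressions containing OR (dual licensing) are flagged conservatively, since deciding whether the permissive option applies is a review decision, not something the script should assume.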
Wiz’s agentless SBOM gives you complete visibility of your applications’ components, including packages, open-source libraries, and nested dependencies, without blind spots and without deploying an agent.
What to look for in SBOM tools
When picking an SBOM tool, there are a few things to keep in mind:
Supported formats: Make sure the tool can generate SBOMs in formats like SPDX or CycloneDX, so you can use them with other tools or for compliance.
Language and environment support: Some tools are general-purpose, while others are built for specific languages or ecosystems. Choose one that fits your stack.
Integration: Look for tools that can plug into your CI/CD pipeline or build process, so SBOMs are always up to date.
Depth of analysis: Good SBOM tools can scan both manifest files and binaries, catching dependencies that might not be listed in your package files.
Automation: The best tools help automate SBOM generation, so you don't have to remember to run them manually.
Community and maintenance: Open-source tools with active communities are more likely to stay updated and support new languages or formats.
Think about your workflow and what will make SBOM management easiest for your team. If you need to cover multiple languages or want to avoid installing agents, look for tools that are flexible and easy to set up.
Open-source SBOM tools
Now that we have explored what SBOMs are, how they’re used, and how they work, let’s look at the available open-source tools that generate SBOMs.
General SBOM tools
First, let’s take a look at the tools that aren’t limited to a specific programming language, in no particular order:
1. Syft
Syft is an open-source CLI tool that generates SBOMs from container images and filesystems. It supports container formats such as OCI, Docker, and Singularity, and can detect the Linux distribution used. Syft supports SPDX, CycloneDX, and its own format.
2. The SBOM tool
The SBOM tool is an open-source generator from Microsoft, designed to scale across large projects and support multiple package managers. It uses Microsoft’s own component detection library, which supports various package managers like NuGet, Go, npm, pip, and Cargo. The SBOM tool generates SBOMs in the SPDX format at build time.
3. Tern
Tern is an SCA tool that creates SBOMs from container images and Dockerfiles. It focuses on collecting license information and reports, layer by layer, which image layer introduced each dependency. Tern supports multiple output formats, including SPDX, CycloneDX, and formats such as HTML or YAML.
4. CycloneDX Generator
The CycloneDX Generator (cdxgen) is OWASP’s official SBOM tool. It supports many programming languages, including C/C++, JavaScript, Java, Python, and Haskell. It comes with a CLI that can scan locally or as part of a CI/CD pipeline, and an API server that exposes a /bom endpoint to produce the SBOM on demand. As its name implies, the output format is CycloneDX.
5. SPDX SBOM Generator
The SPDX SBOM Generator is a multi-language tool that supports multiple package managers like pip, Cargo, npm, Go, Composer, RubyGems, and many more. This is a great fit if you’re looking for a CLI tool that outputs SPDX files.
6. DISTRO2SBOM
DISTRO2SBOM is an SBOM generator that checks your Linux installation for installed packages. It can automatically detect which Linux distribution you use, and it exports SPDX and CycloneDX files.
Language-specific SBOM tools
Next, we’ll check out popular SBOM tools that specialize in a specific programming language:
7. Retire.js
Retire.js is a JavaScript security vulnerability scanner that can also generate SBOMs. You can use it locally as a CLI (as part of your CI/CD pipeline), but it also offers a Chrome extension that lets you scan websites while browsing them. It generates SBOMs in the CycloneDX format.
8. bom
bom is part of the Kubernetes (k8s) project and lets you generate SBOMs for your Go dependencies in k8s cluster definitions. bom generates SPDX files and can identify over 400 licenses.
9. Jake
Jake is a CLI tool that checks Python environments for vulnerabilities and generates SBOMs in the CycloneDX format. It uses the Sonatype server (both the commercial and the open-source version).
10. rebar3_sbom
rebar3_sbom is an SBOM generator for Erlang that uses Erlang’s build tool (Rebar) to generate SBOMs in the CycloneDX format.
11. sbom-rs
sbom-rs is a collection of SBOM tools for the Rust programming language. It supports the SPDX and CycloneDX formats and comes with a vulnerability scanner based on the Open Source Vulnerabilities (OSV) database.
Wiz's approach to SBOMs
Wiz makes SBOMs continuous, actionable, and enterprise-ready with an agentless approach.
Wiz automatically discovers software components across your clouds, containers, Kubernetes, VMs, and images, then assembles complete SBOMs you can use for security, compliance, and customer assurance.
Agentless by design: Continuous inventory with no deployment overhead; SBOMs stay current as your environment changes.
Standards-first and portable: Export CycloneDX or SPDX with package, OS, and transitive dependency details.
Operationalized at scale: Schedule SBOM reports across resources, export to cloud storage (e.g., Amazon S3), or fetch via API.
Code-to-cloud context: Correlate SBOMs with vulnerabilities, licenses, and exposed secrets to prioritize what matters to your business.
Built into delivery: Generate SBOMs at build, scan images in registries, and track drift by comparing SBOMs across releases.
Compliance ready: Produce auditable artifacts for EO 14028 and software supply chain reviews.
Book a demo to see how Wiz streamlines SBOM generation end to end with our agentless SBOM capability.