Skip to content

Generate SBOMs and assess open-source risk, all locally

A local-first SBOM generator and open-source risk assessor for a single project — no SaaS, no account. From source code, a container image, a binary, or an SBOM you received, it produces an SBOM (CycloneDX 1.6), an open-source notice, and a security risk report in one run.

Get started Download for Windows (.exe)

Prefer no command line? Download the installer and double-click it. A Docker engine is required; the free Rancher Desktop works well on Windows. A step-by-step walkthrough is in the no-CLI quick start.

BomLens web UI showing a scan result: the Overview with counts and a severity/license summary, the Components table with filters, the Vulnerabilities list, the Dependencies as a graph and tree, and the Licenses section

Where to go next

  • Getting started

    Install through your first SBOM (desktop app, web UI, and CLI).

    Getting started

  • No-CLI quick start

    Make an SBOM and a notice with the desktop app — no command line.

    Quick start

  • Input scenarios

    GitHub URL, ZIP, local source, an existing SBOM, firmware.

    Scenarios guide

  • Supplier SBOM

    Validate an SBOM you received and issue a risk report.

    Supplier SBOM

  • Notice & security report

    Generate and read the outputs, plus using the web UI.

    Reports

  • CLI reference

    Every option, analysis modes, CI/CD.

    CLI reference