Getting started¶
Korean: Getting started (시작하기) · Related: Usage guide
A step-by-step path from install to your first SBOM.
Prerequisites¶
| Item | Minimum |
|---|---|
| Docker | 20.10+ |
| Disk | 4 GB+ (for the Docker image) |
| OS | Linux, macOS, Windows |
| Arch | AMD64, ARM64 |
All you need is a Docker engine; the tool is not tied to one product. If you already run Docker (Docker Desktop, Rancher Desktop, docker-ce in WSL2, anything), just confirm it works and move on.
Installing Docker on Windows for the first time¶
Docker Desktop is the simplest, but it needs a paid license above a certain organization size. Free options:
| Option | Notes |
|---|---|
| WSL2 + docker-ce (free) | Install docker-ce inside WSL2 Ubuntu and run scan-sbom.sh there. No .bat, no Windows named pipe, no path-conversion issues. |
| Rancher Desktop (free, GUI) | A drop-in GUI replacement for Docker Desktop with a docker CLI. Works with the .bat double-click and desktop-app flows. |
| Docker Desktop | Easiest, but check licensing for organizational use. |
Installation¶
Windows — download and double-click (no command line)¶
The simplest path is the desktop app. Use Download BomLens for Windows (.exe) and double-click the file; the UI opens with no console window. The binary is not code-signed yet, so Windows SmartScreen may warn that it cannot identify the publisher; download it only from the project's own release page, then click More info and Run anyway. A step-by-step Korean guide is in the no-CLI quickstart.
Prefer scripts? Download the repo ZIP (the green Code button, then Download ZIP), unzip it, and double-click scripts\sbom-ui.bat. The scanner image (about 3–4 GB) downloads automatically on first run.
For the command-line wrapper, install Git for Windows (Git Bash) and use scripts\scan-sbom.bat, or follow the macOS/Linux steps below under WSL2.
macOS / Linux — CLI¶
```bash
git clone https://github.com/sktelecom/sbom-tools.git
cd sbom-tools
# The legacy alias sbom-scanner serves the same image
docker pull ghcr.io/sktelecom/bomlens:latest
```
The image is about 3–4 GB and the pull may take a few minutes. Verify that the pull succeeded before continuing.
Easiest start: the web UI¶
No commands required — run it in the browser, scan, and download results in three steps.
```bash
# Run from the folder where you want results saved (any folder)
cd ~/sbom-output
/path/to/sbom-tools/scripts/scan-sbom.sh --ui   # opens http://localhost:8080
# Windows: double-click scripts\sbom-ui.bat
```
On Windows, the folder you run from is where outputs are saved, and it must be inside a Docker file-sharing path; anything under your home directory (C:\Users\...) is shared by default. Then:
- Enter a project name and version.
- Pick a scan target: current folder, GitHub URL, ZIP upload, SBOM upload, firmware upload, or Docker image.
- Click Run scan — logs stream live.
- Download the SBOM, the notice, and the risk report.
Your first SBOM (CLI)¶
```bash
# All deliverables for a project in the current directory
./scripts/scan-sbom.sh --project "MyApp" --version "1.0.0" --all --generate-only
```
This produces a CycloneDX SBOM, an open-source notice, a security report, and a risk report in the current directory.
Understanding the results¶
Outputs are named {Project}_{Version}_…:
| File | What it is |
|---|---|
| ..._bom.json | the SBOM (CycloneDX 1.6) |
| ..._NOTICE.{txt,html} | open-source notice, grouped by license |
| ..._security.{json,md,html} | Trivy vulnerability report |
| ..._risk-report.{md,html} | open-source risk report (licenses + vulnerabilities), generated by default |
Quick checks with jq:
```bash
# Component count
jq '.components | length' MyApp_1.0.0_bom.json
# Unique licenses. A CycloneDX licenses entry is {license:{id}}, {license:{name}}
# or {expression}; reading only .license.id would yield null for the other two forms.
jq '[.components[].licenses[]? | .license.id // .license.name // .expression] | unique' MyApp_1.0.0_bom.json
```
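The jq one-liners stop at flat counts. The script below is an added example, not code from sbom-tools, that goes a step further on the same outputs: it walks the CycloneDX SBOM including nested components, handles all three license entry forms, lists components with no license data, and joins the vulnerability report onto the SBOM so findings that name a package the SBOM does not contain stand out. The SBOM layout is CycloneDX 1.6; the report layout (Results[].Vulnerabilities[] with PkgIdentifier.PURL) is Trivy's native JSON and is an assumption about what the _security.json file holds. The sample inputs are constructed and the CVE identifiers in them are placeholders, not real advisories.

```python
# Added example (not sbom-tools code): summarize a CycloneDX SBOM and join it
# with a Trivy-style vulnerability report. Report layout is an assumption.
import json
import sys
from collections import Counter
from typing import Iterator


def iter_components(bom: dict) -> Iterator[dict]:
    """Walk every component, including ones nested under another component."""
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def component_licenses(comp: dict) -> list[str]:
    """License identifiers of one component, covering id, name and expression forms."""
    out = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return out


def summarize(bom: dict) -> dict:
    """Component count, license histogram and components with no license data."""
    licenses = Counter()
    unlicensed = []
    total = 0
    for comp in iter_components(bom):
        total += 1
        lics = component_licenses(comp)
        if not lics:
            unlicensed.append(comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}")
        licenses.update(lics)
    return {"components": total, "licenses": dict(licenses), "unlicensed": sorted(unlicensed)}


def vulnerable_components(bom: dict, report: dict) -> list[dict]:
    """Join findings onto SBOM components: by purl when the report supplies one,
    otherwise by package name and installed version. Sorted by severity."""
    by_purl = {c["purl"]: c for c in iter_components(bom) if c.get("purl")}
    by_name_ver = {(c.get("name"), c.get("version")): c for c in iter_components(bom)}
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    hits = []
    for result in report.get("Results", []):
        # Trivy emits null rather than [] for a target with no findings
        for vuln in result.get("Vulnerabilities") or []:
            purl = (vuln.get("PkgIdentifier") or {}).get("PURL")
            comp = by_purl.get(purl) if purl else None
            if comp is None:
                comp = by_name_ver.get((vuln.get("PkgName"), vuln.get("InstalledVersion")))
            hits.append({
                "id": vuln.get("VulnerabilityID"),
                "severity": vuln.get("Severity"),
                "package": f"{vuln.get('PkgName')}@{vuln.get('InstalledVersion')}",
                "fixed": vuln.get("FixedVersion") or "",
                "in_sbom": comp is not None,  # False: report names a package the SBOM lacks
            })
    hits.sort(key=lambda h: (order.get(h["severity"], 9), h["package"]))
    return hits


# Constructed sample inputs (not real scan output; CVE IDs are placeholders).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "dual-lib", "version": "2.0.0",
         "purl": "pkg:npm/dual-lib@2.0.0", "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "vendor-sdk", "version": "1.2.3",
         "purl": "pkg:generic/vendor-sdk@1.2.3", "licenses": [{"license": {"name": "Vendor EULA"}}],
         "components": [{"type": "library", "name": "bundled-dep", "version": "0.1.0",
                         "purl": "pkg:generic/bundled-dep@0.1.0"}]},
    ],
}
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {"Target": "package-lock.json", "Type": "npm", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "InstalledVersion": "4.17.20",
             "FixedVersion": "4.17.21", "Severity": "HIGH",
             "PkgIdentifier": {"PURL": "pkg:npm/lodash@4.17.20"}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "leftpad", "InstalledVersion": "1.0.0",
             "Severity": "CRITICAL"},
        ]},
        {"Target": "Dockerfile", "Type": "dockerfile", "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. MyApp_1.0.0_bom.json MyApp_1.0.0_security.json
        with open(sys.argv[1]) as f:
            bom = json.load(f)
        with open(sys.argv[2]) as f:
            report = json.load(f)
    else:
        bom, report = SAMPLE_BOM, SAMPLE_REPORT
    print(json.dumps(summarize(bom), indent=2))
    for hit in vulnerable_components(bom, report):
        flag = "" if hit["in_sbom"] else "  (not in SBOM)"
        print(f'{hit["severity"]:8} {hit["id"]:16} {hit["package"]} fixed={hit["fixed"] or "-"}{flag}')
```

Run it with no arguments to see the constructed sample, or pass the _bom.json and _security.json files from a real scan. A finding flagged "not in SBOM" is worth a look either way: it usually means the scanner saw a package the SBOM generator missed, which is exactly the coverage gap an SBOM is supposed to close.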
Next steps¶
- Usage guide — every option, analysis modes, CI/CD integration
- Architecture — the two-stage pipeline (cdxgen + syft, then post-processing)
- README — overview and the two core roles