Skip to content

Getting started

From install to your first SBOM, step by step. The fastest path needs no command line — download the app and double-click.

Just want an SBOM or a notice quickly, no commands? Start with the no-CLI quick start.

BomLens runs on a Docker engine, but the desktop app and web UI set it up and pull the image for you. You only manage Docker yourself for the CLI — see Requirements below if you still need to install one.

Download BomLens for Windows (.exe) and double-click it; the UI opens with no console window. On first run it checks Docker, pulls the scanner image (about 3–4 GB), and opens http://localhost:8080. The app is unsigned for now, so if Windows SmartScreen warns, click More info, then Run anyway. A click-by-click walkthrough is in the no-CLI quick start.

BomLens desktop app — the startup screen shows Docker checks, image download progress, and container startup

Prefer scripts over an installer? The sbom-ui.bat alternative is covered step by step in Path B of the no-CLI quick start.

Web UI

No commands beyond launching it: run in the browser, scan, and download results.

git clone https://github.com/sktelecom/sbom-tools.git && cd sbom-tools
./scripts/scan-sbom.sh --ui     # opens http://localhost:8080; results save under the current folder
#   Windows: double-click scripts\sbom-ui.bat

The folder you run from is the output base — each scan saves to a {Project}_{Version}/ subfolder under it (details in Where outputs go). If the port is taken, prefix UI_PORT=9090. To scan the current folder as the source, run from that project folder; for a GitHub URL, ZIP, SBOM, firmware, or Docker image you supply the input in the UI, so any folder works.

BomLens web UI — name a project, pick a scan target, and choose what to generate

  1. Enter a project name and version.
  2. Pick a scan target: current folder, GitHub URL, ZIP upload, SBOM upload, firmware upload, or Docker image.
  3. Click Run scan — logs stream live.
  4. View or download the SBOM, the notice, the risk report, and the security report.

Screen layout and per-target details are in the web UI reference.

Your first SBOM (CLI)

Advanced — for automation and CI. Run from the cloned repo. The command below scans the bundled Node.js example; point --target at your own folder, or drop --target to scan the current directory instead.

# All deliverables for the bundled example project
./scripts/scan-sbom.sh --project "MyApp" --version "1.0.0" --target examples/nodejs --all --generate-only

This produces a CycloneDX SBOM, an open-source notice, a security report, and a risk report named MyApp_1.0.0_…, all in a MyApp_1.0.0/ subfolder of the current directory.

# From a GitHub URL, without cloning first
./scripts/scan-sbom.sh --project "MyApp" --version "1.0.0" --git "https://github.com/org/repo" --all --generate-only

Other inputs — ZIP archive, Docker image, binary, firmware, or an existing SBOM — are in the input-scenarios guide.

To upload the result to TRUSCA or a Dependency-Track server, use --trusca <project_id> (or UPLOAD_TARGET); the steps are in the upload guide.

Understanding the results

Each scan lands in a {Project}_{Version}/ subfolder, and the files inside are named {Project}_{Version}_…, for example MyApp_1.0.0/MyApp_1.0.0_bom.json:

File What it is
{Project}_{Version}_bom.json the SBOM (CycloneDX 1.6)
{Project}_{Version}_NOTICE.{txt,html} open-source notice (고지문) grouped by license
{Project}_{Version}_security.{json,md,html} Trivy vulnerability report
{Project}_{Version}_risk-report.{md,html} open-source risk report (licenses + vulnerabilities), generated by default

The SBOM is CycloneDX 1.6 JSON. Key fields: metadata.component (the scanned project), components (the open-source components found), components[].purl (the package identifier), and components[].licenses (SPDX IDs).

Quick checks with jq (on WSL2/Ubuntu sudo apt-get install jq; on Windows Git Bash winget install jqlang.jq). If installing it is a hassle, the web UI overview shows the component count and licenses directly:

# Component count
jq '.components | length' MyApp_1.0.0/MyApp_1.0.0_bom.json

# Unique licenses
jq '[.components[].licenses[]?.license.id] | unique' MyApp_1.0.0/MyApp_1.0.0_bom.json

Requirements

BomLens needs only a Docker engine — not a specific product.

Item Minimum
Docker 20.10+
Disk 4 GB+ (for the Docker image)
OS Linux, macOS, Windows
Arch AMD64, ARM64

If you already run a Docker engine (Docker Desktop, Rancher Desktop, docker-ce in WSL2, anything), just confirm it works:

docker run --rm hello-world

Installing Docker on Windows for the first time

Docker Desktop is simplest, but it needs a paid license above a certain organization size. Free options:

Option Notes
WSL2 + docker-ce (free) Install docker-ce inside WSL2 Ubuntu and run scan-sbom.sh there. No .bat, no Windows named pipe, no path-conversion issues.
Rancher Desktop (free, GUI) A drop-in GUI replacement for Docker Desktop with a docker CLI. Works with the .bat double-click and desktop-app flows.
Docker Desktop Easiest, but check licensing for organizational use.

WSL2 + docker-ce, the short version (admin PowerShell):

wsl --install -d Ubuntu          # reboot, then finish Ubuntu setup

Then inside WSL (Ubuntu):

sudo apt-get update && curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker "$USER"  # log out and back in to apply
docker pull ghcr.io/sktelecom/bomlens:latest

Clone the repo inside WSL and run ./scripts/scan-sbom.sh ... as above. For the CLI on Windows without WSL2, install Git for Windows (Git Bash) and use scripts\scan-sbom.bat.

Next steps

Goal Doc
Input forms (GitHub, ZIP, SBOM, firmware) Input scenarios
Notice, security & risk reports, web UI Reports guide
Every option and CI/CD CLI reference
Language example projects Ecosystems
Internals Architecture
Contributing Contributing guide

Related: CLI reference | Input scenarios