SBOMGATE

Continuous SBOM diff & vulnerability watch with maintainer-change tracking

Blue Team / Defense — detection, deception, and monitoring for small teams.

pip install cognis-sbomgate
sbomgate scan .            # → prioritized findings in seconds

Contents

• Why sbomgate? · Features · Quick start · Example · Architecture · AI stack · How it compares · Integrations · Install anywhere · Related · Contributing

Why sbomgate?

Continuous SBOM diff & vulnerability watch with maintainer-change tracking — without standing up heavyweight infrastructure.

sbomgate is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.

↑ back to top

Features

• ✅ Parse Sbom
• ✅ Load Sbom
• ✅ Diff Sboms
• ✅ Load Advisories
• ✅ Match Vulnerabilities
• ✅ Gate
• ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
• ✅ Ports in Python, JavaScript, Go, and Rust (ports/)

↑ back to top

Quick start

pip install cognis-sbomgate
sbomgate --version
sbomgate scan .                       # scan current project
sbomgate scan . --format json         # machine-readable
sbomgate scan . --fail-on high        # CI gate (non-zero exit)

↑ back to top

Example

$ sbomgate scan .
  [HIGH    ] SBO-001  example finding             (./src/app.py)
  [MEDIUM  ] SBO-002  another signal              (./config.yaml)

  2 findings · risk score 5 · 38ms

↑ back to top

Architecture

flowchart LR
  A[Input: file / dir / API] --> B[Collectors]
  B --> C[Rules / Analyzers]
  C --> D[Scorer]
  D --> E{Reporters}
  E --> F[Table]
  E --> G[JSON / SARIF]
  E --> H[MCP tool -. drives .-> AI agents]

Loading

↑ back to top

Use it from any AI stack

sbomgate is interoperable with every popular way of using AI:

• MCP server — sbomgate mcp (Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet)
• OpenAI-compatible / JSON — pipe sbomgate scan . --format json into any agent or LLM
• LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
• CI / scripts — exit codes + SARIF for non-AI pipelines

↑ back to top

How it compares

	Cognis sbomgate	anchore
Self-hostable, no account	✅	varies
Single command, zero config	✅	⚠️
JSON + SARIF for CI	✅	varies
MCP-native (AI agents)	✅	❌
Polyglot ports (JS/Go/Rust)	✅	❌
Open license	✅ COCL	varies

Built in the spirit of anchore/syft, re-framed the Cognis way. Missing a credit? Open a PR.

↑ back to top

Integrations

Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (sbomgate mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.

↑ back to top

Install anywhere

Linux	macOS	Windows	Docker	Cloud
scripts/setup-linux.sh	scripts/setup-macos.sh	scripts/setup-windows.ps1	docker run ghcr.io/cognis-digital/sbomgate	DEPLOY.md (AWS/Azure/GCP/k8s)

↑ back to top

Related Cognis tools

• sentrylog — Single-file SIEM for small teams — Sigma rules + multi-source ingest
• edrgap — EDR coverage & bypass detector — reconciles MDM + EDR + AD inventories
• canarynet — Self-hosted canary token network — AWS keys, DNS, docs, web URLs
• phishforge — Open-source phishing simulation — campaigns, templates, training
• honeytrace — Active-decoy network lure system — SSH, RDP, SMB, web honeypots

Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 hermes

↑ back to top

Contributing

PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.

⭐ If sbomgate saved you time, star it — it genuinely helps others find it.

License

Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.

---

_{Cognis Digital · one of 170+ tools in the Cognis Neural Suite · Making Tomorrow Better Today}