A CLI tool for analyzing drift between two Software Bill of Materials (SBOM) files.
Detects component changes, transitive dependency shifts, license drift, and optionally enriches results with vulnerability data from free public APIs — no paid services, no vendor lock-in.
Existing SBOM tools (Syft, Grype, etc.) are point-in-time scanners. They answer "what's in this artifact right now?" but not "what changed between this release and the last one, and why should I care?"
sbom-drift fills that gap: it takes two SBOMs and gives you a structured, actionable report about what shifted, what licenses changed, which new transitive dependencies appeared, and — optionally — which newly introduced components carry known CVEs.
- 📦 Component Diff: Added, removed, and version-changed packages
- 🔗 Transitive Dependency Analysis: Surface indirect dependency changes from the dep graph
- 📜 License Drift: Track SPDX license identifier changes across versions
- 🔐 Vulnerability Enrichment (optional): Query OSV.dev and deps.dev for CVE data on new/changed components
- 📊 Multiple Output Formats: JSON, Markdown, HTML
- 🔌 Dual Mode: Fully offline or enriched via free public APIs
- 📋 Format Support: CycloneDX (JSON/XML) and SPDX (JSON/tag-value)
```bash
# Offline diff
sbom-drift diff sbom-v1.json sbom-v2.json

# With vulnerability enrichment (queries OSV.dev and deps.dev)
sbom-drift diff sbom-v1.json sbom-v2.json --enrich

# Output as Markdown report
sbom-drift diff sbom-v1.json sbom-v2.json --format markdown --output report.md

# Output as JSON (for pipeline integration)
sbom-drift diff sbom-v1.json sbom-v2.json --format json --output drift.json
```

| Format | Serialization | Support |
|---|---|---|
| CycloneDX | JSON | ✅ |
| CycloneDX | XML | ✅ |
| SPDX | JSON | ✅ |
| SPDX | Tag-Value | ✅ |
| Mode | Flag | Description |
|---|---|---|
| Offline | (default) | Pure SBOM diff, no network calls |
| Enriched | `--enrich` | Adds CVE and license risk data via OSV.dev and deps.dev |
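The component diff and license drift listed under the features above, plus the hand-off to OSV.dev that the enriched mode performs, in one worked example. This is added illustration code, not part of sbom-drift: the two CycloneDX documents are constructed inline, the component identity rule (group/name) is this example's own choice, and the request body follows the publicly documented OSV.dev `POST /v1/querybatch` schema, which is assumed here rather than taken from the page. Nothing is sent over the network; the example only builds the payload.

```python
"""Diff two CycloneDX JSON SBOMs for component and license drift, then build
the OSV.dev batch query for the components that are new or version-changed.

Added example, not sbom-drift's own code. Both SBOMs are constructed inline;
the OSV request shape is assumed from the public /v1/querybatch schema."""
import json
from typing import Any, Dict, List, Tuple

Component = Dict[str, Any]

# Constructed sample: release v1 of a small npm application.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2",
         "licenses": [{"license": {"id": "MIT"}}]},
    ]})

# Constructed sample: release v2. lodash bumped, left-pad dropped, minimist and
# an internal library (no purl) added, express now under an SPDX expression.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "minimist", "version": "1.2.8",
         "purl": "pkg:npm/minimist@1.2.8",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "internal-auth-lib", "version": "0.1.0",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ]})


def _component_key(comp: Component) -> str:
    """Identity that survives version bumps: group/name (group is optional in
    CycloneDX, e.g. an npm scope or Maven groupId). Example's own convention."""
    group = comp.get("group")
    return f"{group}/{comp['name']}" if group else comp["name"]


def _licenses(comp: Component) -> List[str]:
    """Flatten CycloneDX license choices (SPDX id, free-text name, or SPDX
    expression) into a sorted list so two declarations compare stably."""
    out: List[str] = []
    for choice in comp.get("licenses", []):
        if "expression" in choice:
            out.append(choice["expression"])
        elif "license" in choice:
            lic = choice["license"]
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return sorted(out)


def parse_cyclonedx(text: str) -> Dict[str, Component]:
    """Index the components of a CycloneDX JSON document by identity."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    return {_component_key(c): c for c in doc.get("components", [])}


def diff_sboms(old_text: str, new_text: str) -> Dict[str, Any]:
    """Report added, removed and version-changed components plus license drift."""
    old, new = parse_cyclonedx(old_text), parse_cyclonedx(new_text)
    report: Dict[str, Any] = {"added": [], "removed": [], "changed": [], "license_drift": []}
    for key in sorted(set(new) - set(old)):
        report["added"].append({"component": key, "version": new[key].get("version")})
    for key in sorted(set(old) - set(new)):
        report["removed"].append({"component": key, "version": old[key].get("version")})
    for key in sorted(set(old) & set(new)):
        o, n = old[key], new[key]
        if o.get("version") != n.get("version"):
            report["changed"].append({"component": key, "from": o.get("version"), "to": n.get("version")})
        if _licenses(o) != _licenses(n):
            report["license_drift"].append({"component": key, "from": _licenses(o), "to": _licenses(n)})
    return report


def osv_querybatch_payload(drift: Dict[str, Any], new_text: str) -> Tuple[Dict[str, Any], List[str]]:
    """Build the body for POST https://api.osv.dev/v1/querybatch covering every
    added or version-changed component (the only ones enrichment needs to ask
    about). Components without a purl cannot be matched unambiguously, so they
    are returned separately for the report instead of being guessed at."""
    new = parse_cyclonedx(new_text)
    keys = [a["component"] for a in drift["added"]] + [c["component"] for c in drift["changed"]]
    queries, skipped = [], []
    for key in keys:
        purl = new[key].get("purl")
        if purl:
            queries.append({"package": {"purl": purl}})
        else:
            skipped.append(key)
    return {"queries": queries}, skipped


if __name__ == "__main__":
    drift = diff_sboms(SBOM_V1, SBOM_V2)
    payload, unqueryable = osv_querybatch_payload(drift, SBOM_V2)
    print(json.dumps({"drift": drift, "osv_request": payload, "unqueryable": unqueryable}, indent=2))
```

Keying on group/name rather than on the full purl is what lets a version bump show up as a change instead of as one removal plus one addition; the unqueryable list is worth surfacing in a report, since a component that enrichment silently skipped is exactly the kind of gap a reviewer would otherwise miss.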
- Architecture — how the tool is structured internally
- Project Memory — design decisions, rationale, and roadmap
🚧 Work in progress. See docs/memory.md for the full project roadmap and current status.
See CONTRIBUTING.md.
Apache 2.0 — see LICENSE.