I open-sourced a personal project called Bomly and would appreciate feedback from netsec/AppSec folks

News

Bomly is a CLI + CI action for dependency intelligence workflows. It scans projects, SBOMs, containers, and Git refs; builds a dependency graph; generates SPDX/CycloneDX/SARIF; explains why packages are present; diffs dependency changes; and can enrich results with vulnerability/license metadata when requested. The goal is to make dependency graph data easier to inspect across local development, SBOM generation, and CI workflows. I’d appreciate feedback from supply chain experts here. This is a personal open-source project, not an official GitHub project. submitted by /u/Pleasant-Ad192
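Two of the workflows the post lists, "explain why a package is present" and "diff dependency changes", reduce to walks over a CycloneDX `dependencies` graph. The example below is added here to illustrate that, is not Bomly's code, and uses two constructed CycloneDX-style SBOM fragments (purl strings in `pkg:type/name@version` form) as input.

```python
"""Added example, not Bomly's code: root-to-target path explanation and
SBOM-to-SBOM diff over CycloneDX-style `dependencies` entries (ref/dependsOn)."""


def graph(bom):
    """Map each bom-ref to the refs it depends on (CycloneDX 'dependencies')."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom["dependencies"]}


def all_refs(bom):
    """Every ref mentioned, including leaves that only appear in a dependsOn."""
    refs = set()
    for d in bom["dependencies"]:
        refs.add(d["ref"])
        refs.update(d.get("dependsOn", []))
    return refs


def why(bom, root, target):
    """All root->target paths: each one is a reason the target is installed."""
    g, paths = graph(bom), []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in g.get(node, []):
            if dep not in path:  # refuse to loop on cyclic graphs
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def split_purl(ref):
    name, _, version = ref.rpartition("@")  # purl encodes a literal '@' as %40
    return name, version


def diff(old, new):
    """Added/removed/version-changed packages, keyed by purl without version
    (assumes one version per package name in each SBOM)."""
    old_v = dict(split_purl(r) for r in all_refs(old))
    new_v = dict(split_purl(r) for r in all_refs(new))
    return {
        "added": sorted(n for n in new_v if n not in old_v),
        "removed": sorted(n for n in old_v if n not in new_v),
        "changed": {n: (old_v[n], new_v[n]) for n in old_v
                    if n in new_v and old_v[n] != new_v[n]},
    }


# Constructed sample SBOMs: in NEW, app drops its direct debug dependency,
# but debug stays present through express, which is what why() surfaces.
OLD = {"dependencies": [
    {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/debug@4.3.4"]},
    {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.11.0", "pkg:npm/debug@4.3.4"]},
]}
NEW = {"dependencies": [
    {"ref": "pkg:npm/app@1.1.0", "dependsOn": ["pkg:npm/express@4.19.2"]},
    {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/cookie@0.6.0", "pkg:npm/debug@4.3.4"]},
]}
```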