ZSBOM is an open-source framework designed to automate dependency classification, validation, and SBOM (Software Bill of Materials) generation. The purpose of this project is to help developers, security teams, and DevOps engineers: - Extract dependencies from Python projects. - Classify them based on open-source licensing, security risks, and direct vs transitive relationships. - Generate industry-standard SBOMs in CycloneDX and SPDX formats. - Validate dependencies against security vulnerabilities (CVEs), license compliance, and best practices. - Seamlessly integrate dependency tracking into CI/CD pipelines.
This repository follows the terminology defined in the Python Packaging User Guide Glossary. Non-Python package users should note that some terminology may differ from other software ecosystems.
SBOMs are essential for tracking software composition and are increasingly required under software security regulations such as: - Secure Software Development Framework (SSDF) - Cyber Resilience Act (CRA) - NIST Cybersecurity Framework (CSF) - NTIA Minimum Elements for an SBOM (CISA)
Python packages often bundle non-Python dependencies (C/C++, Rust, Fortran, JavaScript, etc.), making Software Composition Analysis (SCA) challenging. ZSBOM aims to: - Identify hidden dependencies that aren't explicitly listed. - Ensure accurate security risk assessment of dependencies.
To install ZSBOM as a command-line tool from GitHub:
pip install git+https://github.com/ZerberusAI/ZSBOM.git
After installation, you can run ZSBOM directly from your terminal:
zsbom --help
zsbom
git clone https://github.com/ZerberusAI/ZSBOM.git
cd ZSBOM
pip install .
You can integrate ZSBOM into your existing Python project by:
1. Importing it as a module:
python
from depclass.extract import extract_dependencies
deps = extract_dependencies()
print(deps)
2. Running it as a standalone CLI tool:
sh
zsbom
3. Embedding it in a CI/CD pipeline (see next section for GitHub Actions workflow).
sbom.json.pyproject.toml to enable automated tracking.risk_model section of config.yaml.This section provides an example of how to integrate ZSBOM into a GitHub Actions workflow to automatically scan your project on pull requests to the main branch.
Create a file named .github/workflows/zsbom_scan.yml (or any other .yml file) in your project's repository with the following content:
name: PR ZSBOM Scan
on:
pull_request:
branches: ["main"]
permissions:
contents: read # Required to checkout the repository
# pull-requests: write # Uncomment if you plan to add PR comments with scan results
jobs:
zsbom-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9' # Adjust to your project's Python version
- name: Install project dependencies
run: |
python -m pip install --upgrade pip
# This step installs dependencies for YOUR project.
# Modify it according to your project's dependency management.
if [ -f requirements.txt ]; then
echo "Installing project dependencies from requirements.txt"
pip install -r requirements.txt
elif [ -f pyproject.toml ]; then # Assumes setuptools/build or similar PEP 517 build backend
echo "Installing project dependencies using pip from pyproject.toml"
pip install . # This will install the package defined by pyproject.toml
# Example for Poetry (if poetry.lock exists and you use Poetry):
# elif [ -f pyproject.toml ] && [ -f poetry.lock ]; then
# echo "Installing project dependencies using Poetry"
# pip install poetry
# poetry install --no-dev # Or poetry install if dev dependencies are needed for the scan
else
echo "No primary dependency file (requirements.txt or pyproject.toml for pip installable package) found for the project."
# Consider failing the job if dependencies are crucial for an accurate scan
# exit 1
fi
- name: Install ZSBOM
run: |
# Installs the latest version of ZSBOM CLI from its GitHub repository
pip install git+https://github.com/ZerberusAI/ZSBOM.git
- name: Run ZSBOM scan
run: |
# This command runs ZSBOM.
# It assumes a 'config.yaml' for ZSBOM exists in your repository root,
# or ZSBOM's default configuration is sufficient for your needs.
# You might need to specify a config file, e.g.:
# zsbom --config path/to/your/zsbom_config.yaml
# Ensure your ZSBOM configuration outputs to 'sbom.json' (or adjust the artifact path below).
zsbom
- name: Upload ZSBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom-json
path: sbom.json # This should match the output file path configured in ZSBOM
if-no-files-found: error # Optional: Fails the step if sbom.json is not found
We welcome contributions from the open-source community! To contribute:
sh
git clone https://github.com/yourusername/ZSBOM.git
cd ZSBOMsh
git checkout -b feature-branchsh
git add .
git commit -m "Added new classification logic"sh
git push origin feature-branchpytest recommended).$ claude mcp add ZSBOM \
-- python -m otcore.mcp_server <graph>