loading
loading
Scanners
Scans software bills of materials for security vulnerabilities.
overview
bomber reads a software bill of materials, the structured list of every component and version in a build, and checks each entry against a vulnerability database. Instead of scanning a running app, it answers a supply-chain question: do any of the dependencies you already ship carry a known CVE?
It reads SBOMs in the common formats and queries a provider for matching advisories. OSV is the default and needs no credentials; OSS Index is available when you supply a username and token. Findings come as JSON, XML, or a stdout summary, so they drop straight into a report or a triage table.
On Trickest, bomber is a Scanners node that takes a single SBOM file or a folder of them and writes a file and a folder of results. Generate the SBOM earlier in the workflow, scan it with bomber, and route the vulnerable components into the same findings path as your dynamic scan results.
use cases
Scan a project's SBOM so every shipped component is checked against an advisory database, catching vulnerable libraries before they reach production.
Point bomber at a folder of SBOMs to check a fleet of services or images at once and produce a single set of supply-chain findings.
Emit JSON and route the findings into a workflow step that fails when a high-severity component appears, keeping known-vulnerable dependencies out of a release.
Run against OSV with no credentials for a quick pass, or supply OSS Index credentials with --username and --token when you want that provider's coverage and detail.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| sbom-file | FILE | · | A single SBOM file to scan. |
| sbom-folder | FOLDER | · | A folder of SBOMs to scan in one run. |
| provider | STRING | --provider | Vulnerability provider: ossindex or osv (default osv). |
| output | STRING | --output | Output format: json, xml, or stdout (default stdout). |
| token | STRING | --token | API token for the chosen provider. |
| username | STRING | --username | Username for the chosen provider. |
Showing key inputs. bomber exposes 7 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| sbom-file | FILE | · | Single SBOM file. |
| sbom-folder | FOLDER | · | Scan a folder of SBOMs. |
| provider | STRING | --provider | The vulnerability provider (ossindex, osv) (default "osv"). |
| output | STRING | --output | How bomber should output findings (json, xml, stdout) (default "stdout"). |
| token | STRING | --token | The API token for the provider being used. |
| username | STRING | --username | The user name for the provider being used. |
| debug | BOOLEAN | --debug | Displays debug level log messages. |
example
# scan a CycloneDX SBOM against OSV and emit JSON findingsbomber scan --provider osv --output json app.cyclonedx.jsonLoaded provider: osv Files: 1Packages: 214Vulnerabilities: 3 SEVERITY PACKAGE VULNERABILITYCRITICAL pkg:npm/lodash@4.17.15 CVE-2021-23337HIGH pkg:pypi/pyyaml@5.3.1 CVE-2020-14343MODERATE pkg:npm/minimist@1.2.5 CVE-2021-44906guidance
Use bomber when you have an SBOM and want to know which components carry known vulnerabilities. It checks a dependency list, not a running app, so generate the SBOM first. For scanning container images or filesystems directly, reach for trivy instead.
Scans images, filesystems, and SBOMs broadly. bomber is focused purely on SBOM-to-advisory checks.
Static analysis of Python source. bomber checks declared dependencies rather than your code.
Pattern-based static analysis of source. bomber answers the dependency supply-chain question instead.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
The Swiss Army knife for automated Web Application Testing.
An SBOM feeds bomber, which checks each component against a vulnerability provider and writes the vulnerable dependencies as a queryable output.
Facts on this page come from the live Trickest tool library.