Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ The following Technical Initiatives have been approved by the TAC. You may learn
| ---------------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------- |---------- |
| Best Practices Badge | [GitHub](https://github.com/coreinfrastructure/best-practices-badge) | https://www.bestpractices.dev/ | Best Practices WG | TBD |
| Bomctl | [GitHub](https://github.com/bomctl/bomctl) | | Security Tooling WG | [Sandbox](process/project-lifecycle-documents/bomctl_sandbox_stage.md) |
| BOMHort | [GitHub](https://github.com/seebom-labs/BOMHort) | https://docs.bomhort.dev/ | WG Supply Chain Integrity | [Sandbox](process/project-lifecycle-documents/BOMHort_sandbox_stage.md) |
| Criticality Score | [GitHub](https://github.com/ossf/criticality_score) | | Vulnerability Disclosures WG | TBD |
| darnit | [GitHub](https://github.com/kusari-oss/darnit) | | Supply Chain Integrity WG | [Sandbox](process/project-lifecycle-documents/darnit_sandbox_stage.md) |
| Fuzz Introspector | [GitHub](https://github.com/ossf/fuzz-introspector) | | Security Tooling WG | TBD |
Expand Down
90 changes: 90 additions & 0 deletions process/project-lifecycle-documents/BOMHort_sandbox_stage.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
# Application for BOMHort at Sandbox Stage

> **Note:** This project was formerly known as SeeBOM. It has been renamed to BOMHort to avoid confusion with BOM-type naming conventions (CBOM, XBOM, etc.) in the supply chain security ecosystem. The project mission, codebase, and team remain unchanged.

## Application for creating a new project at Sandbox stage

### List of project maintainers
The project has 2 maintainers across 1 organizations:

* Mario Fahlandt, Kubermatic, @mfahlandt
* Koray Oksay, Kubermatic, @koksay


### Sponsor

Supply Chain Integrity Working Group — BOMHort (formerly known as SeeBOM) was presented to the WG on June 3, 2026 and received their endorsement as a sandbox project sponsor. The project commits to providing quarterly updates on progress to the Supply Chain Integrity WG.

* [Supply Chain Integrity WG](https://github.com/ossf/wg-supply-chain-integrity)

### Mission of the project

BOMHort is a standalone, Kubernetes-native SBOM visualization and governance platform. It ingests SPDX and CycloneDX SBOMs from S3-compatible storage, detects vulnerabilities via the OSV API, enforces license compliance policies, and applies VEX statements — all presented through an interactive dashboard with analytics.

BOMHort addresses an unfulfilled need in the supply chain security ecosystem: the ability to **consume, visualize, and govern** large volumes of SBOMs at scale. While tools exist to generate SBOMs (Syft, Trivy) and to verify their integrity (SBOMit), there is no open source platform focused on operationalizing SBOM consumption — making thousands of SBOMs searchable, surfacing actionable vulnerability and license compliance insights, and enabling VEX-driven suppression of false positives at enterprise scale.

Specific goals include:

* Ingest and normalize SBOMs in both SPDX and CycloneDX formats from S3-compatible storage
* Provide interactive visualization and search across large SBOM inventories
* Detect known vulnerabilities by querying the OSV API against SBOM components
* Enforce configurable license compliance policies with pass/fail governance decisions
* Apply OpenVEX statements for vulnerability suppression and false positive management
* Deliver ClickHouse-powered analytics for trends, dependency graphs, and compliance reporting
* Deploy natively on Kubernetes via Helm charts with production-grade observability

BOMHort complements existing OpenSSF projects:

* Integrates [protobom](https://github.com/protobom/protobom) as an optional backend for extended SBOM format coverage, avoiding duplication of format parsing
* Enriches and creates a Single Plane of Glass for SPDX SBOMs for all CNCF projects (the [cncf/sbom](https://github.com/cncf/sbom) project, is the origin use case that motivated BOMHort)
* Consumes OSV vulnerability data and supports OpenVEX statements for vulnerability suppression

Differentiation from existing projects:

* **SBOMit** (OpenSSF Sandbox): Focuses on verifiable SBOMs using in-toto attestation. BOMHort focuses on consumption and governance. Complementary, not competing.
* **protobom** (OpenSSF Sandbox): Format translation layer. BOMHort uses protobom as an optional backend for format coverage. Complementary.
* **GUAC** (OpenSSF Incubating): Graph-based supply chain aggregation. BOMHort focuses on Kubernetes-native deployment, ClickHouse analytics, and license governance with policy enforcement — different architecture and primary use case.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I very much appreciate this section which describes how BOMHort differs from existing OpenSSF projects.

In this context, however, I'd prefer more details regarding how GUAC and BOMHort differ and/or complement each other. On a high-level, both ingest and aggregate SBOMs (and other data sources/documents).

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gkunz thank you for the question! Both ingest/aggregate SBOMs but with different approaches:

So this is our view for GUAC and BOMHort:

GUAC: graph-based, strong at relationship queries (dependency trees, blast radius). Research-oriented, single-project depth
BOMHort: tabular analytics, focused on fleet-scale compliance: license policy enforcement, VEX management, operational dashboards for compliance/legal teams.

BOMHort has a dedicated license governance implementation with configurable policies and active VEX management. GUAC has deeper graph traversal that BOMHort doesn't aim to replicate. Different strengths, different primary users.

This came up in the June 3 SCI WG meeting, including GUAC maintainer @mlieberman85 noting GUAC's complexity for operational use cases.

We see them as complementary, potential integration where BOMHort feeds data to GUAC's graph, and GUAC feeds certifier results back to BOMHort for governance dashboarding.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the detailed explanation, @mfahlandt.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BOMHort has a dedicated license governance implementation with configurable policies and active VEX management. GUAC has deeper graph traversal that BOMHort doesn't aim to replicate. Different strengths, different primary users.

I highly encourage both projects to make clear in their description who their primary users are expected to be and for what.

While it is great to see more projects coming to OpenSSF we need to make sure that people can quickly understand what is relevant to them. Otherwise, the diversity of OpenSSF tools becomes detrimental by leaving potential users confused and unsure what to use and for what purpose.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Totally agree; we will add it to our description and documentation to really give end users a good understanding of where to use what! Thank you!

* **Dependency-Track** (OWASP): Similar governance focus but Java-based, not Kubernetes-native, and lacks ClickHouse-scale analytics or native license policy enforcement.

Non-Goals:

* BOMHort does NOT generate SBOMs — that is the job of tools like Syft, Trivy, and mikebom
* BOMHort does NOT pick a winning SBOM format — it supports both SPDX and CycloneDX natively
* BOMHort does NOT replace vulnerability scanners — it consumes and visualizes vulnerability data from OSV


### Alignment with the OpenSSF MVVSR

The mission of BOMHort is aligned with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/) of the OpenSSF.

**Strategies:**

* **i) Catalyst for Change**: BOMHort provides open source tooling that enables organizations to operationalize SBOM consumption and governance at scale, driving practical adoption of supply chain transparency beyond SBOM generation.
* **ii) Educate and Empower the Modern Developer**: BOMHort offers a user-friendly platform that helps developers and security teams understand and manage their software supply chain risks through SBOM visualization, license compliance, and VEX-driven vulnerability management.
* **iii) Ecosystem Leader**: BOMHort is a Kubernetes-native, cloud-native platform that integrates with existing supply chain security standards (SPDX, CycloneDX, VEX, OSV) and OpenSSF projects (protobom), promoting interoperability and adoption.

**Pillars:**

* **i) Programs & Projects**: BOMHort is a technical tool that directly advances the operational use of SBOMs and vulnerability intelligence within the software supply chain.
* **ii) Education**: Through intuitive visualization, BOMHort makes SBOM data accessible to developers, security analysts, and compliance teams — not just SBOM experts.

### IP policy and licensing due diligence

When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

* Yes — the project is licensed under Apache-2.0
* LF IP review to be initiated upon TAC approval

### Project References

| Reference | URL |
|------------------------|------------------------------------------------------------------|
| Repo | https://github.com/seebom-labs/BOMHort |
| Documentation | https://docs.bomhort.dev |
| Architecture | https://docs.bomhort.dev/docs/architecture/ |
| Roadmap | https://docs.bomhort.dev/docs/roadmap/ |
| Contributing guide | https://github.com/seebom-labs/BOMHort/blob/main/CONTRIBUTING.md |
| Security policy | https://github.com/seebom-labs/BOMHort/blob/main/SECURITY.md |
| OpenSSF Best Practices | https://www.bestpractices.dev/projects/12903 |
| OpenSSF Scorecard | https://scorecard.dev/viewer/?uri=github.com/seebom-labs/BOMHort |
| License | Apache-2.0 |