Crate bomdrift

Crate root: declares the public module tree and re-exports the orchestration entry points.

The run / run_diff orchestration and its private helpers live in the run module; this file is a thin shim so that bomdrift::run(...) and the public predicates (tripped, any_kev, …) keep their historical paths.

Re-exports

pub use crate::run::FAIL_ON_EXIT_CODE;
pub use crate::run::any_epss_at_or_above;
pub use crate::run::any_kev;
pub use crate::run::budget_tripped;
pub use crate::run::run;
pub use crate::run::tripped;
pub use crate::vex::SyntheticFindingKind;
pub use crate::vex::parse_synthetic_id;

Modules

attestation
OCI-attached SBOM attestation fetch + verify (Phase B, v0.9.6).
baseline
Baseline suppression: filter out findings already present in a previously captured --output json snapshot.
cli
clock
Single source of truth for date/time. Honors SOURCE_DATE_EPOCH so every timestamp/date emitted by bomdrift in production paths is reproducible across runs when the env var is set.
config
Repository-level policy config (.bomdrift.toml).
diff
Core SBOM diff. Produces a ChangeSet listing components added, removed, version-changed, and license-changed between a before and after Sbom.
enrich
Risk-signal enrichers. Each runs over a crate::diff::ChangeSet and produces data that the renderers can pair back to the changed components.
model
parse
SBOM parser layer. Each supported format implements SbomParser; detect_format identifies the format by peeking at the JSON without fully deserializing.
plugin
External-process plugin loader (Phase C, v0.9.6).
refresh
bomdrift refresh-typosquat subcommand: pulls a fresh per-ecosystem top-package list from the same upstream source that data/npm-top1k.txt was sourced from, and persists it under the user’s XDG cache directory so the typosquat enricher can prefer it over the snapshot baked into the binary.
render
Output renderers. Each takes a crate::diff::ChangeSet and produces a string in a target format. Rendering is pure (no I/O, no allocations beyond the output buffer) so the same ChangeSet always renders to byte-identical output — a hard requirement for peter-evans/create-or-update-comment upsert behavior.
run
vex
VEX (Vulnerability Exploitability eXchange) consumption (v0.9, Phase G).
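The baseline module's suppression (keep only findings absent from an earlier --output json snapshot) and the policy predicates the crate root re-exports (any_kev, any_epss_at_or_above) are easiest to understand together. The following is an added example, not bomdrift's own code: the Finding struct, the (component, version, id) key, the sample data and the predicate bodies are all assumptions written for illustration. The snapshot is shown already deserialized; parsing the JSON file is out of scope here.

```rust
use std::collections::BTreeSet;

/// One vulnerability finding attached to a changed component.
/// Constructed shape for this example; bomdrift's own finding model is not
/// shown on this page.
#[derive(Debug, Clone, PartialEq)]
struct Finding {
    component: String, // package name
    version: String,   // version the finding applies to
    id: String,        // advisory identifier (CVE, GHSA, ...)
    kev: bool,         // listed in CISA's Known Exploited Vulnerabilities catalog
    epss: f64,         // EPSS probability in 0.0..=1.0
}

/// Identity used to match a finding against the baseline snapshot.
/// Including the version means the same advisory on a *different* version
/// (for example after a downgrade) is reported again rather than suppressed.
fn finding_key(f: &Finding) -> (String, String, String) {
    (f.component.clone(), f.version.clone(), f.id.clone())
}

/// Baseline suppression: drop every finding whose key already appears in the
/// previously captured snapshot. Input order is preserved so a renderer fed
/// the result still produces deterministic output.
fn suppress_baselined(current: &[Finding], baseline: &[Finding]) -> Vec<Finding> {
    let seen: BTreeSet<_> = baseline.iter().map(finding_key).collect();
    current
        .iter()
        .filter(|f| !seen.contains(&finding_key(f)))
        .cloned()
        .collect()
}

/// Policy predicates named after the crate's re-exports. These bodies are
/// illustrative assumptions, not bomdrift's implementation.
fn any_kev(findings: &[Finding]) -> bool {
    findings.iter().any(|f| f.kev)
}

fn any_epss_at_or_above(findings: &[Finding], threshold: f64) -> bool {
    findings.iter().any(|f| f.epss >= threshold)
}

/// Constructed sample data. The advisory ids are real, but the kev flags and
/// EPSS scores are inputs made up for the example, not looked-up values.
fn sample() -> (Vec<Finding>, Vec<Finding>) {
    let f = |component: &str, version: &str, id: &str, kev: bool, epss: f64| Finding {
        component: component.into(),
        version: version.into(),
        id: id.into(),
        kev,
        epss,
    };
    // Snapshot captured by a previous run.
    let baseline = vec![f("lodash", "4.17.20", "CVE-2021-23337", false, 0.05)];
    // Findings produced by the current run, in renderer order.
    let current = vec![
        f("lodash", "4.17.20", "CVE-2021-23337", false, 0.05), // already baselined
        f("minimist", "1.2.5", "CVE-2021-44906", false, 0.02),  // new
        f("log4j-core", "2.14.1", "CVE-2021-44228", true, 0.97), // new, KEV-flagged
    ];
    (current, baseline)
}

fn main() {
    let (current, baseline) = sample();
    let fresh = suppress_baselined(&current, &baseline);
    for f in &fresh {
        println!("{}@{} {} kev={} epss={:.2}", f.component, f.version, f.id, f.kev, f.epss);
    }
    // Gate the way an orchestrator would: fail on any KEV hit or a high EPSS score.
    let fail = any_kev(&fresh) || any_epss_at_or_above(&fresh, 0.5);
    println!("policy tripped: {fail}");
}
```

The key choice is the part worth checking in a real deployment: a baseline keyed only on advisory id would hide a regression that reintroduces a vulnerable version, while a key that also includes the version reports it.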
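The clock module's contract (one source of truth that honors SOURCE_DATE_EPOCH) is the standard reproducible-builds convention. Below is an added example of such a clock, written for this page and not taken from bomdrift's clock module; now_unix_from, now_unix and utc_date are hypothetical names. It shows the caveat a practitioner wants: only a well-formed non-negative integer overrides the wall clock, so a malformed value cannot silently turn every date into 1970-01-01.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Reproducible-builds convention: when set, this variable replaces the wall
/// clock (https://reproducible-builds.org/specs/source-date-epoch/).
const SOURCE_DATE_EPOCH: &str = "SOURCE_DATE_EPOCH";

/// Resolve "now" from an optional override value (the env var's contents).
/// Only a well-formed non-negative integer is honoured; an empty, negative or
/// non-numeric value falls back to the system clock instead of panicking or
/// producing epoch 0. Hypothetical helper, not bomdrift's clock module.
fn now_unix_from(override_value: Option<&str>) -> u64 {
    match override_value.map(str::trim).and_then(|v| v.parse::<u64>().ok()) {
        Some(fixed) => fixed,
        None => SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map(|d| d.as_secs())
            .unwrap_or(0),
    }
}

/// The single entry point everything else calls; nothing else reads SystemTime.
fn now_unix() -> u64 {
    let env = std::env::var(SOURCE_DATE_EPOCH).ok();
    now_unix_from(env.as_deref())
}

/// UTC calendar date (YYYY-MM-DD) for a Unix timestamp, using the
/// days-to-civil algorithm so no date crate is needed.
fn utc_date(secs: u64) -> String {
    let z = (secs / 86_400) as i64 + 719_468;
    let era = z.div_euclid(146_097);
    let doe = z.rem_euclid(146_097);
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let day = doy - (153 * mp + 2) / 5 + 1;
    let month = if mp < 10 { mp + 3 } else { mp - 9 };
    let year = yoe + era * 400 + (if month <= 2 { 1 } else { 0 });
    format!("{year:04}-{month:02}-{day:02}")
}

fn main() {
    // With SOURCE_DATE_EPOCH=1700000000 in the environment this prints the same
    // line on every run; unset, it follows the wall clock.
    let now = now_unix();
    println!("timestamp={now} date={}", utc_date(now));
}
```

Routing every timestamp through one function is what makes the guarantee checkable: grep the tree for SystemTime::now and there should be exactly one hit.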
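The diff module (added / removed / version-changed / license-changed between two Sbom values) and the render module (pure, byte-identical output for the same ChangeSet) are shown together in the added example below. It is illustration written for this page, not bomdrift's diff or render code: the Component struct, the Change enum, render_markdown and the sample SBOMs are all assumptions. The point it demonstrates is that determinism comes from the data structure, not from the renderer: with BTreeMap inputs the output is identical regardless of the order the source SBOMs listed their components.

```rust
use std::collections::BTreeMap;

/// Minimal component record. Constructed for this example; bomdrift's real
/// model::Sbom carries far more (purls, hashes, suppliers, ...).
#[derive(Debug, Clone, PartialEq, Eq)]
struct Component {
    version: String,
    license: Option<String>,
}

/// Name -> component. A BTreeMap, so iteration is always in sorted name order
/// no matter how the source SBOM listed its entries.
type Sbom = BTreeMap<String, Component>;

/// The four change kinds the diff module reports.
#[derive(Debug, Clone, PartialEq, Eq)]
enum Change {
    Added { name: String, version: String },
    Removed { name: String, version: String },
    VersionChanged { name: String, from: String, to: String },
    LicenseChanged { name: String, from: Option<String>, to: Option<String> },
}

/// Diff `before` against `after`. Output order is deterministic: removals and
/// in-place changes in name order, then additions in name order.
fn diff(before: &Sbom, after: &Sbom) -> Vec<Change> {
    let mut changes = Vec::new();
    for (name, old) in before {
        match after.get(name) {
            None => changes.push(Change::Removed { name: name.clone(), version: old.version.clone() }),
            Some(new) => {
                if old.version != new.version {
                    changes.push(Change::VersionChanged {
                        name: name.clone(),
                        from: old.version.clone(),
                        to: new.version.clone(),
                    });
                }
                if old.license != new.license {
                    changes.push(Change::LicenseChanged {
                        name: name.clone(),
                        from: old.license.clone(),
                        to: new.license.clone(),
                    });
                }
            }
        }
    }
    for (name, new) in after {
        if !before.contains_key(name) {
            changes.push(Change::Added { name: name.clone(), version: new.version.clone() });
        }
    }
    changes
}

fn license_cell(l: &Option<String>) -> &str {
    l.as_deref().unwrap_or("(none)")
}

/// Pure renderer: no I/O, no clock, no randomness, so the same ChangeSet always
/// yields the same bytes. A comment-upsert action relies on that to recognise
/// "nothing changed" and leave the existing comment alone.
fn render_markdown(changes: &[Change]) -> String {
    let mut out = String::new();
    if changes.is_empty() {
        out.push_str("No dependency changes.\n");
        return out;
    }
    out.push_str("| Change | Component | Before | After |\n|---|---|---|---|\n");
    for c in changes {
        let row = match c {
            Change::Added { name, version } => format!("| added | {name} | | {version} |"),
            Change::Removed { name, version } => format!("| removed | {name} | {version} | |"),
            Change::VersionChanged { name, from, to } => format!("| version | {name} | {from} | {to} |"),
            Change::LicenseChanged { name, from, to } => {
                format!("| license | {name} | {} | {} |", license_cell(from), license_cell(to))
            }
        };
        out.push_str(&row);
        out.push('\n');
    }
    out
}

/// Constructed sample SBOMs; names and versions are illustrative only.
fn sample() -> (Sbom, Sbom) {
    let c = |v: &str, l: Option<&str>| Component { version: v.into(), license: l.map(String::from) };
    let before: Sbom = vec![
        ("colors".to_string(), c("1.4.0", Some("MIT"))),
        ("left-pad".to_string(), c("1.3.0", Some("WTFPL"))),
        ("lodash".to_string(), c("4.17.20", Some("MIT"))),
        ("toolkit".to_string(), c("2.0.0", Some("MIT"))),
    ]
    .into_iter()
    .collect();
    // Deliberately listed in a different order from `before`.
    let after: Sbom = vec![
        ("toolkit".to_string(), c("2.0.0", Some("BUSL-1.1"))), // license flipped, same version
        ("minimist".to_string(), c("1.2.6", Some("MIT"))),     // newly added
        ("lodash".to_string(), c("4.17.21", Some("MIT"))),     // version bump
        ("colors".to_string(), c("1.4.0", Some("MIT"))),       // unchanged
    ]
    .into_iter()
    .collect();
    (before, after)
}

fn main() {
    let (before, after) = sample();
    print!("{}", render_markdown(&diff(&before, &after)));
}
```

A renderer that consumed a HashMap, or that stamped the current time into the output, would break the upsert guarantee even though every row was still correct; that is why the page insists the renderer be pure and take only the ChangeSet.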