uv-sbom
Generate SBOMs (Software Bill of Materials) for Python projects managed by uv.
Features
- 📦 Parses
uv.lockfiles to extract dependency information - 🔍 Automatically fetches license information from PyPI with retry logic
- 📊 Outputs in multiple formats:
- CycloneDX 1.6 JSON format (standard SBOM format)
- Markdown format with direct and transitive dependencies clearly separated
- 🚀 Fast and standalone - written in Rust
- 💾 Output to stdout or file
- 🛡️ Robust error handling with helpful error messages and suggestions
- 📈 Progress tracking during license information retrieval
- 🏗️ Built with Hexagonal Architecture (Ports and Adapters) + Domain-Driven Design for maintainability and testability
- ✅ Comprehensive test coverage with 163 tests (Unit, Integration, E2E)
Scope and Key Differences from CycloneDX
SBOM Scope
This tool generates SBOMs based on uv.lock file contents, which includes:
- Direct runtime dependencies
- Transitive runtime dependencies
- Development dependencies (if locked in uv.lock)
What's NOT included:
- Build system dependencies (e.g., hatchling, setuptools)
- Publishing tools (e.g., twine, build)
- Dependencies only present in the virtual environment but not locked in uv.lock
Comparison with CycloneDX Official Tools
As of 2026-01-01, the official CycloneDX tools do not yet support uv directly. When generating SBOMs for Python projects:
| Aspect | uv-sbom (this tool) | CycloneDX Official Tools |
|---|---|---|
| Data Source | uv.lock file |
.venv virtual environment |
| Scope | Production runtime dependencies only | Entire supply chain including build/dev tools |
| Package Count | Typically fewer (e.g., 16 packages) | Typically more (e.g., 38+ packages) |
| Use Case | Production security scanning | Comprehensive supply chain audit |
| Accuracy | Reflects locked dependencies | Reflects installed packages |
Which Tool Should You Use?
- For production security scanning: Use
uv-sbomto focus on dependencies that will be deployed to production - For comprehensive supply chain audit: Use CycloneDX official tools to include all development and build-time dependencies
- For regulatory compliance: Check your specific requirements - some regulations may require the comprehensive approach
The focused approach of uv-sbom reduces noise in security vulnerability scanning by excluding build-time dependencies that don't ship with the final application.
Installation
Cargo (Recommended for Rust users)
Install from crates.io:
Pre-built Binaries
Download pre-built binaries from GitHub Releases:
macOS (Apple Silicon):
macOS (Intel):
Linux (x86_64):
Windows:
Download uv-sbom-x86_64-pc-windows-msvc.zip from the releases page and extract to your desired location.
From Source
# Clone the repository
# Build and install
Verify Installation
Usage
Basic usage
Generate a CycloneDX JSON SBOM for the current directory:
Output formats
Generate a Markdown table with direct and transitive dependencies:
Generate a CycloneDX JSON (default):
Specify project path
Analyze a project in a different directory:
Save to file
Output to a file instead of stdout:
Combined options
Command-line options
Options:
-f, --format <FORMAT> Output format: json or markdown [default: json]
-p, --path <PATH> Path to the project directory [default: current directory]
-o, --output <OUTPUT> Output file path (if not specified, outputs to stdout)
-h, --help Print help
-V, --version Print version
Output Examples
Markdown format
Note: The Markdown format sample is based on the SBOM format from ja-complete v0.1.0.
A comprehensive list of all software components and libraries included in this project.
Primary packages explicitly defined in the project configuration(e.g., pyproject.toml).
Secondary dependencies introduced by the primary packages.
CycloneDX JSON format
Requirements
- A Python project managed by
uvwith auv.lockfile - Internet connection for fetching license information from PyPI
Error Handling
uv-sbom provides detailed error messages with helpful suggestions:
- Missing uv.lock file: Clear message with suggestions on how to fix
- Invalid project path: Validates directory existence before processing
- License fetch failures: Retries failed requests (up to 3 attempts) and continues processing
- File write errors: Checks directory existence and permissions
- Progress tracking: Shows real-time progress during license information retrieval
Example error message:
❌ An error occurred:
uv.lock file not found: /path/to/project/uv.lock
💡 Hint: uv.lock file does not exist in project directory "/path/to/project".
Please run in the root directory of a uv project, or specify the correct path with the --path option.
Troubleshooting
uv.lock file not found
Ensure you're running the command in a directory containing a uv.lock file, or use the --path option to specify the correct project directory.
License information fetch failures
Some packages may fail to retrieve license information from PyPI. The tool will:
- Automatically retry up to 3 times
- Continue processing other packages
- Display warnings for failed packages
- Include packages in the output without license information if fetching fails
Network issues
If you're behind a proxy or firewall, ensure that you can access https://pypi.org. The tool uses a 10-second timeout for API requests.
Documentation
For Users
For Developers
- DEVELOPMENT.md - Development guide
- ARCHITECTURE.md - Hexagonal Architecture + DDD implementation (layers, ports, adapters, test strategy, ADRs)
- CHANGELOG.md - Change history
For Claude Code Users
- .claude/project-context.md - Complete project context for Claude Code
- .claude/instructions.md - Coding guidelines and instructions for Claude Code
These files provide comprehensive context for AI-assisted development with Claude Code.
License
MIT License - see LICENSE file for details.