Now in beta — join the waitlist

Supply chain security, simplified.

boring.tools generates SBOMs from your projects and tracks CVEs across your dependencies — so you always know what's in your software.

CycloneDX compatible · SPDX support · OSV + NVD

sbom scan — boring.tools
boring.tools cli v0.9.1 running... my-app · 1.4.2

Built on open standards

  • CycloneDX 1.5
  • SPDX 2.3
  • NTIA-compliant
  • OSV.dev
  • NVD / NIST
  • EU CRA-ready

Live vulnerability tracking

Know your exposure.

boring.tools matches your SBOM against the NVD and OSV databases and surfaces every CVE that affects your dependencies — sorted by risk, deduplicated, and ready to triage.

my-app v1.4.2 · 159 packages · 0 critical 5 high 1 medium
NVD · updated today
CVE-2023-44487 HIGH · 7.5
golang.org/x/net @ 0.14.0
HTTP/2 Rapid Reset DoS attack
CVE-2024-21538 HIGH · 7.5
cross-spawn @ 7.0.3
ReDoS via crafted input string
CVE-2024-45296 HIGH · 7.5
path-to-regexp @ 0.1.7
ReDoS via backtracking route
CVE-2022-25883 HIGH · 7.5
semver @ 7.5.1
ReDoS via malformed version
CVE-2023-26159 HIGH · 7.3
follow-redirects @ 1.15.3
Open redirect via URL confusion
CVE-2023-45857 MEDIUM · 6.5
axios @ 1.5.1
CSRF token exposure via headers
Showing 6 of 11 vulnerabilities · CycloneDX 1.5 / SPDX 2.3 compatible
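What "match your SBOM against the advisory database, deduplicate and sort by risk" means in practice, as an added example that is not boring.tools code. The SBOM and the advisory records are constructed inline; the advisories copy the field layout of the OSV schema (id, aliases, affected[].package.purl, affected[].ranges[].events) so the matcher would run unchanged on records fetched from https://api.osv.dev. Assumptions: the GHSA id is a placeholder, a made-up `database_specific.cvss_score` number stands in for the CVSS vector string OSV actually carries under `severity`, and the version comparison is a plain dotted-numeric compare, enough for released npm and Go versions but not a full semver or PEP 440 implementation.

```python
"""Match a CycloneDX SBOM against OSV-shaped advisory records.

Added example, not boring.tools code. The SBOM and advisories are constructed
here; the advisories follow the OSV schema layout so the matcher works on real
https://api.osv.dev records. A made-up "database_specific.cvss_score" key
stands in for the CVSS vector string OSV stores under "severity".
"""
import json
import re


def split_purl(purl):
    """'pkg:npm/axios@1.6.0?arch=x64#sub' -> ('pkg:npm/axios', '1.6.0').
    Scoped npm names encode '@' as '%40', so the last '@' separates the version."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    return tuple(base.rsplit("@", 1)) if "@" in base else (base, None)


def advisory(aid, purl, introduced, fixed, score, aliases=()):
    """One OSV-shaped record for the constructed fixture below."""
    return {"id": aid, "aliases": list(aliases),
            "database_specific": {"cvss_score": score},
            "affected": [{"package": {"purl": purl},
                          "ranges": [{"type": "SEMVER", "events": [
                              {"introduced": introduced}, {"fixed": fixed}]}]}]}


# Constructed CycloneDX 1.5 SBOM. follow-redirects is listed twice, as happens
# when two dependency paths reach one package; it must be reported once.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": name, "version": ver, "purl": f"pkg:{path}@{ver}"}
    for name, ver, path in [("follow-redirects", "1.15.3", "npm/follow-redirects"),
                            ("follow-redirects", "1.15.3", "npm/follow-redirects"),
                            ("golang.org/x/net", "0.14.0", "golang/golang.org/x/net"),
                            ("axios", "1.6.0", "npm/axios")]]})

# Constructed advisories: the CVE ids are the ones the page lists, the GHSA id
# is a placeholder, and ranges and scores are illustrative, not a database dump.
ADVISORIES = [
    advisory("CVE-2023-26159", "pkg:npm/follow-redirects", "0", "1.15.4", 7.3),
    # One issue, two records: a GHSA aliasing the CVE, and the CVE itself.
    advisory("GHSA-xxxx-xxxx-xxx1", "pkg:golang/golang.org/x/net", "0", "0.17.0", 7.5,
             aliases=["CVE-2023-44487"]),
    advisory("CVE-2023-44487", "pkg:golang/golang.org/x/net", "0", "0.17.0", 7.5,
             aliases=["GHSA-xxxx-xxxx-xxx1"]),
    # axios 1.6.0 is the fixed version; a correct range check must skip it.
    advisory("CVE-2023-45857", "pkg:npm/axios", "1.0.0", "1.6.0", 6.5),
]


def version_key(version):
    """Numeric tuple for a dotted release version ('v1.15.3' -> (1, 15, 3)).
    Pre-release and build tags are ignored: fine for released npm/Go versions,
    not a full semver or PEP 440 comparator."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_affected(version, events):
    """Walk OSV range events (ascending) for one version: affected when the
    last event at or below it is 'introduced'; 'fixed' clears it from that
    version on, 'last_affected' clears it for anything newer."""
    key, affected = version_key(version), False
    for ev in events:
        if "introduced" in ev and version_key(ev["introduced"]) <= key:
            affected = True
        elif "fixed" in ev and version_key(ev["fixed"]) <= key:
            affected = False
        elif "last_affected" in ev and version_key(ev["last_affected"]) < key:
            affected = False
    return affected


def severity(score):
    """CVSS v3.x qualitative bands; a label must follow its score."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"


def canonical_id(adv):
    """Prefer the CVE id so GHSA and CVE records for one issue share a key."""
    cves = sorted(i for i in [adv["id"], *adv.get("aliases", [])] if i.startswith("CVE-"))
    return cves[0] if cves else adv["id"]


def match_sbom(sbom_json, advisories):
    """Findings deduplicated by (canonical id, purl, version), sorted by CVSS
    descending then id; each carries the source records it was derived from."""
    components = {split_purl(c["purl"]) for c in json.loads(sbom_json)["components"]}
    findings = {}
    for adv in advisories:
        cid = canonical_id(adv)
        score = float(adv.get("database_specific", {}).get("cvss_score", 0.0))
        for aff in adv.get("affected", []):
            for name, version in components:
                if name != aff.get("package", {}).get("purl") or version is None:
                    continue
                if not any(version_affected(version, r.get("events", []))
                           for r in aff.get("ranges", []) if r.get("type") != "GIT"):
                    continue
                f = findings.setdefault((cid, name, version), {
                    "id": cid, "purl": f"{name}@{version}", "score": 0.0, "sources": []})
                f["score"] = max(f["score"], score)  # keep the highest rating seen
                f["sources"].append(adv["id"])
    results = sorted(findings.values(), key=lambda f: (-f["score"], f["id"]))
    for f in results:
        f["severity"] = severity(f["score"])
    return results


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['id']} {f['severity'].upper()} · {f['score']}  {f['purl']}  [{', '.join(f['sources'])}]")
```

Run as-is it reports two findings, not four: the duplicated follow-redirects entry collapses to one, the GHSA and CVE records for Rapid Reset collapse to one finding with both ids listed as sources, and axios 1.6.0 is correctly left out because the advisory's `fixed` event is exactly that version. The `severity()` bands are the check a reviewer should apply to any scanner output: a 7.5 is High, never Critical.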

The problem

You're shipping blind.

Most teams have no real inventory of their dependencies — until a CVE hits the news and the scramble begins.

Invisible vulnerabilities

CVEs in your dependencies go undetected for months. By the time you find out, you're already exposed.

No SBOM standard

Customers and regulators demand SBOMs. Generating them manually from your projects is error-prone and slow.

Fragmented tooling

Scanner A, tracker B, dashboard C — stitched together with scripts. One place that shows the full picture doesn't exist.

How it works

Three steps. Then it gets boring.

That's the goal: supply chain security that runs in the background and just works. No daily dashboards to babysit. No firefighting.

  1. Connect your project

     Point boring.tools at your repository or upload a manifest. We support npm, Go, Python, Rust, Java and more.

  2. We generate the SBOM

     Every build produces a CycloneDX and SPDX SBOM — versioned, signed, ready to share with customers and regulators.

  3. Stay ahead of CVEs

     We continuously match your SBOMs against NVD and OSV. Critical CVE in your stack? You'll know in minutes, not months.
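Step 2 in code, as an added example that is not boring.tools' pipeline: building a CycloneDX 1.5 document from an npm `package-lock.json` (lockfileVersion 3), the kind of manifest step 1 accepts. The lockfile is constructed; `@acme/logger` is a made-up package and the integrity values are real SRI strings computed here over placeholder bytes. The output follows the CycloneDX 1.5 JSON layout (metadata, components, dependencies) but is not validated against the schema, and dependencies are resolved by package name, so nested duplicate versions would need path-aware resolution that this example omits.

```python
"""Build a CycloneDX 1.5 SBOM from an npm package-lock.json (lockfileVersion 3).

Added example, not boring.tools code. The lockfile is constructed, @acme/logger
is a made-up package, and the SRI values are computed over placeholder bytes.
"""
import base64
import hashlib
import json
import uuid
from datetime import datetime, timezone

SRI_ALGS = {"sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}


def sri(data):
    """Subresource-integrity string as npm writes it: 'sha512-<base64 digest>'."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed lockfile. Keys under "packages" are install paths, so a scoped
# package is 'node_modules/@acme/logger' and a nested duplicate would appear
# as 'node_modules/a/node_modules/b'.
LOCKFILE = {
    "name": "my-app", "version": "1.4.2", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.4.2",
             "dependencies": {"axios": "^1.6.0"},
             "devDependencies": {"@acme/logger": "^2.1.0"}},
        "node_modules/axios": {"version": "1.6.0", "integrity": sri(b"axios-1.6.0"),
                               "dependencies": {"follow-redirects": "^1.15.0"}},
        "node_modules/follow-redirects": {"version": "1.15.3",
                                          "integrity": sri(b"follow-redirects-1.15.3")},
        "node_modules/@acme/logger": {"version": "2.1.0",
                                      "integrity": sri(b"acme-logger-2.1.0")},
    },
}


def npm_purl(name, version):
    """Package URL for an npm package. A scoped name '@acme/logger' becomes
    namespace '%40acme' and name 'logger', as the purl spec requires."""
    if name.startswith("@"):
        scope, bare = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def integrity_to_hash(integrity):
    """SRI 'sha512-<base64>' -> CycloneDX hash object with hex content."""
    alg, b64 = integrity.split("-", 1)
    return {"alg": SRI_ALGS[alg], "content": base64.b64decode(b64).hex()}


def entry_name(path):
    """Install path -> package name: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def build_cyclonedx(lockfile):
    """One component per installed package, plus the dependency graph.
    Edges are resolved by name only (no path-aware handling of nested
    duplicates), which is enough for a deduplicated lockfile like this one."""
    root = lockfile["packages"][""]
    root_ref = npm_purl(root["name"], root["version"])
    refs, components, edges = {}, [], {}
    for path, entry in lockfile["packages"].items():
        if path == "":
            continue
        name = entry_name(path)
        ref = npm_purl(name, entry["version"])
        refs[name] = ref
        comp = {"type": "library", "bom-ref": ref, "name": name,
                "version": entry["version"], "purl": ref}
        if "integrity" in entry:
            comp["hashes"] = [integrity_to_hash(entry["integrity"])]
        components.append(comp)
        edges[ref] = list(entry.get("dependencies", {}))
    edges[root_ref] = list(root.get("dependencies", {})) + list(root.get("devDependencies", {}))
    dependencies = [{"ref": ref, "dependsOn": sorted(refs[n] for n in names if n in refs)}
                    for ref, names in edges.items()]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": root_ref, "name": root["name"],
                          "version": root["version"], "purl": root_ref}},
        "components": components,
        "dependencies": dependencies,
    }


def content_digest(sbom):
    """SHA-256 over components and dependencies only. serialNumber and
    timestamp change every run, so they are excluded: two builds of the same
    lockfile give the same digest, which is what a 'did the inventory change'
    check needs. Sign this digest (or the whole file) to attest it."""
    payload = json.dumps({"components": sbom["components"], "dependencies": sbom["dependencies"]},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    bom = build_cyclonedx(LOCKFILE)
    print(json.dumps(bom, indent=2))
    print("content digest:", content_digest(bom))
```

Two details matter for downstream matching: the purl is both the `bom-ref` and the key an advisory database looks up, so encoding the scope correctly (`%40acme`) is what makes scoped packages match at all; and the digest over content rather than over the whole file is what lets a pipeline tell "new SBOM because the build ran again" from "new SBOM because a dependency changed".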

Features

Everything you need.
Nothing you don't.

Read the platform overview for a deeper look at how boring.tools handles inventory, SBOMs, CVEs, and cross-project visibility.

Explore the platform

SBOM Generation

Automatically generate CycloneDX and SPDX SBOMs from your project dependencies. Export, share, and store them with every release.

CycloneDX SPDX JSON / XML
Learn more

CVE Tracking & Alerts

Continuous CVE monitoring against the NVD and OSV databases. Get alerted the moment a new vulnerability affects your stack.

Critical High Medium Low
Learn more

Dependency Inventory

A complete, up-to-date inventory of every package and version across all your projects. No more guessing what's in your software.

npm Go Python + more
Learn more

Supply Chain Dashboard

One view across all your projects. Risk scores, CVE trends, and SBOM compliance status — at a glance.

Multi-project Trends Shared visibility
Learn more

Comparison

SBOM-first, by design.

Most "security" tools bolt SBOMs on as an export feature. We built the platform around them — that's what makes the difference when regulators and customers come asking.

Feature boring.tools Snyk Dependabot DIY scripts
Generates SBOM (CycloneDX + SPDX) weeks
Continuous CVE monitoring manual
Multi-project portfolio view
NTIA-compliant export maybe
Cross-ecosystem (npm + Go + Py) maybe
Boring, calm UI
Self-host option planned
Comparison based on publicly documented features as of 2025. Trademarks belong to their respective owners.

FAQ

Things people ask.

Is boring.tools production-ready?

We're currently in private beta. Early users are already running their first scans. We're targeting a public release once the SBOM-generation pipeline and CVE-correlation engine have stabilised across the major ecosystems we support.

Which package ecosystems do you support?

Day one: npm, Go modules, PyPI, Cargo and Maven. Container scanning (OCI manifests + base images) is on the roadmap and tracked in our public changelog.

Where do CVE data and advisories come from?

We aggregate the NVD (NIST), OSV.dev, GitHub Security Advisories and the relevant ecosystem advisories. Sources are clearly labelled per CVE so you can trace every finding back to its origin.

How is this different from Snyk or Dependabot?

Dependabot bumps versions, Snyk scans for issues. Neither is built around the SBOM: at best it is an export feature. boring.tools treats the SBOM as the source of truth, so vulnerability tracking, audit trails and compliance reporting fall out of that automatically.

Will there be a self-hosted version?

Yes. Self-hosting is a first-class goal — the core engine is open-source-friendly and we'll ship a Docker Compose distribution for teams that need to keep SBOMs on their own infrastructure.

How much will it cost?

Free for open source projects and individual developers, forever. Team and Enterprise tiers will be priced per project / per seat — but the beta is free for everyone who signs up now.

Got another question? Email us.

Early access

Be on the list when we launch.

Beta access is free. No credit card, no spam — just an email when we're ready for you, and occasional development updates if you want them.

  • Free during beta
  • No credit card
  • Unsubscribe any time