
Introducing boring.tools: Supply Chain Security, Simplified

Today we're announcing boring.tools — a platform that helps you generate SBOMs, track CVEs, and understand your software supply chain without the complexity.

boring.tools team

Software supply chain security has become one of the most critical concerns for development teams in recent years. Yet most teams are still flying blind — no inventory of what’s in their software, no alerts when a vulnerability affects their stack, and no way to produce the SBOMs that customers and regulators increasingly demand.

We built boring.tools to fix that.

What is boring.tools?

boring.tools is a platform that gives you a complete, continuously updated picture of your software supply chain. Connect your projects and we’ll handle the rest: automatic SBOM generation on every commit, vulnerability scanning against multiple databases, and a searchable CVE mirror that’s always up to date.

The goal is simple — know exactly what’s in your software, and find out the moment any of it becomes a liability.

Generating SBOMs

boring.tools generates SBOMs in industry-standard formats:

Format      Versions   Output
CycloneDX   1.5, 1.6   JSON, XML
SPDX        2.3        JSON

All outputs carry the NTIA minimum elements for an SBOM (supplier name, component name, version, other unique identifiers such as purls, dependency relationships, SBOM author, and timestamp) and are produced to satisfy the EU Cyber Resilience Act's SBOM requirements.

We detect your package manager automatically from the lockfile in your repository (or, for ecosystems without a lockfile such as Maven, from the manifest). Supported ecosystems at launch:

  • JavaScript — Bun, npm, pnpm
  • Go — Go modules
  • Python — Poetry, pip
  • Rust — Cargo
  • Java — Maven
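To make the two steps above concrete, here is an added example (not boring.tools' own code) that detects the package manager from a repository file listing and turns an npm package-lock.json (lockfileVersion 3) into a CycloneDX 1.5 JSON document. The lockfile-name mapping, the `_sri` helper and the sample lockfile are constructed for the example; the purl encoding for scoped packages and the SRI-to-hex hash conversion follow the purl and CycloneDX specifications.

```python
import base64
import hashlib
import json

# Assumed mapping of lockfile (or manifest) name -> (ecosystem, tool) for the
# ecosystems listed above. File names are the standard ones for each tool.
LOCKFILES = {
    "bun.lockb": ("JavaScript", "Bun"),
    "bun.lock": ("JavaScript", "Bun"),
    "package-lock.json": ("JavaScript", "npm"),
    "pnpm-lock.yaml": ("JavaScript", "pnpm"),
    "go.sum": ("Go", "Go modules"),
    "poetry.lock": ("Python", "Poetry"),
    "requirements.txt": ("Python", "pip"),
    "Cargo.lock": ("Rust", "Cargo"),
    "pom.xml": ("Java", "Maven"),  # Maven has no lockfile; the pom.xml manifest is used instead
}


def detect_package_managers(filenames):
    """Return [(ecosystem, tool, path)] for every recognised lockfile in a repository listing."""
    found = []
    for path in filenames:
        base = path.rsplit("/", 1)[-1]
        if base in LOCKFILES:
            eco, tool = LOCKFILES[base]
            found.append((eco, tool, path))
    return found


def npm_purl(name, version):
    """Package URL for an npm package; a scoped name becomes a percent-encoded namespace."""
    if name.startswith("@"):
        scope, pkg = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{pkg}@{version}"
    return f"pkg:npm/{name}@{version}"


def sri_to_cdx_hash(integrity):
    """Convert an npm SRI string ('sha512-<base64>') into a CycloneDX hash object (hex content)."""
    alg, b64 = integrity.split("-", 1)
    cdx_alg = {"sha512": "SHA-512", "sha384": "SHA-384", "sha256": "SHA-256", "sha1": "SHA-1"}[alg]
    return {"alg": cdx_alg, "content": base64.b64decode(b64).hex()}


def lockfile_to_cyclonedx(lock):
    """Build a CycloneDX 1.5 JSON document from a parsed package-lock.json (lockfileVersion 3)."""
    root = lock["packages"][""]
    components = []
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root entry describes the application itself, not a dependency
        # "node_modules/a/node_modules/@s/b" -> "@s/b": the name is everything after the last node_modules/
        name = path.rsplit("node_modules/", 1)[-1]
        comp = {
            "type": "library",
            "name": name,
            "version": entry["version"],
            "purl": npm_purl(name, entry["version"]),
        }
        if "integrity" in entry:
            comp["hashes"] = [sri_to_cdx_hash(entry["integrity"])]
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": lock["name"], "version": root["version"]}},
        "components": components,
    }


def _sri(data):
    """Helper for the constructed sample: build a valid SRI string from arbitrary bytes."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed sample lockfile (not a real project): one scoped package and one nested dependency.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/lodash": {"version": "4.17.21", "integrity": _sri(b"lodash-tarball")},
        "node_modules/@babel/runtime": {"version": "7.24.0", "integrity": _sri(b"babel-runtime-tarball")},
        "node_modules/@babel/runtime/node_modules/regenerator-runtime": {"version": "0.14.1"},
    },
}

if __name__ == "__main__":
    print(detect_package_managers(["package-lock.json", "src/index.js"]))
    print(json.dumps(lockfile_to_cyclonedx(SAMPLE_LOCK), indent=2))
```

Nested `node_modules` entries are emitted as separate components even when the same package appears at the top level, because a nested copy is a different version with its own purl and hash; collapsing them would hide exactly the duplicates a vulnerability scan needs to see.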

Automatic generation via Git integration

The cleanest way to use boring.tools is to connect your Forgejo instance. Once a repository is linked to a project, we poll for new commits approximately every 30 minutes and generate a fresh SBOM automatically. No CI pipeline changes, no manual steps. Because this is polling rather than a webhook, the SBOM for a new commit can lag the push by up to half an hour.

You can also trigger a scan manually at any time directly from the UI — useful when you want to check a branch before merging.

Manual upload

Have an existing SBOM from another tool? Upload it directly. boring.tools accepts CycloneDX (JSON or XML) and SPDX (JSON) files and queues them for vulnerability scanning immediately.

Vulnerability tracking

Every SBOM is scanned against three data sources:

  • OSV.dev — the open, community-driven vulnerability database covering all major ecosystems
  • NVD — the National Vulnerability Database maintained by NIST
  • GitHub Security Advisories — GitHub’s curated advisory feed

We maintain a local mirror of OSV that syncs every 10 minutes, so matching is fast and doesn’t depend on external availability at scan time.

Vulnerabilities are scored using CVSS and classified into Critical (9.0 to 10.0), High (7.0 to 8.9), Medium (4.0 to 6.9), and Low (0.1 to 3.9), following the CVSS v3 qualitative severity rating scale. Each project gets a live summary dashboard and a trend chart so you can see at a glance whether your risk profile is improving or degrading across the project's commit history.

Vulnerability delta

One of the more useful features: every scan shows you not just the current vulnerability count, but the delta compared to the previous scan. New CVEs introduced by a commit are flagged in red; resolved ones in green. This makes it easy to see the security impact of a deployment without wading through a full vulnerability list.
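The matching and the delta described in the last three sections, as an added example rather than boring.tools' own implementation. It walks OSV-style `affected[].ranges[].events` (the `introduced` / `fixed` / `last_affected` semantics are those of the OSV schema), scans two SBOMs representing consecutive commits, and diffs the findings. The advisories, package names, IDs (`EXAMPLE-000n`) and versions are all constructed placeholders, not real vulnerabilities; the version comparison is a simplified semver ordering that handles only `SEMVER` ranges (`ECOSYSTEM` and `GIT` ranges need ecosystem-specific comparers).

```python
import re


def version_key(v):
    """Comparable key for a semver-style string. Pads to four numeric parts and sorts a
    pre-release ('2.3.0-rc.1') before its release ('2.3.0'). OSV's '0' means 'from the start'."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", core))
    nums = (nums + (0, 0, 0, 0))[:4]
    return nums, ((0, pre) if pre else (1,))


def lt(a, b):
    return version_key(a) < version_key(b)


def range_affects(events, version):
    """Walk one OSV SEMVER range's events in order and report whether `version` falls inside it.
    [introduced, fixed) is half-open; [introduced, last_affected] is closed; a trailing
    'introduced' with no fix means everything from there on is affected."""
    intro = None
    for ev in events:
        if "introduced" in ev:
            intro = ev["introduced"]
        elif "fixed" in ev:
            if intro is not None and not lt(version, intro) and lt(version, ev["fixed"]):
                return True
            intro = None
        elif "last_affected" in ev:
            if intro is not None and not lt(version, intro) and not lt(ev["last_affected"], version):
                return True
            intro = None
    return intro is not None and not lt(version, intro)


def advisory_affects(adv, ecosystem, name, version):
    """True if the advisory lists this exact (ecosystem, name) and the version is in a range
    or in an explicit `versions` list."""
    for aff in adv["affected"]:
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng["type"] == "SEMVER" and range_affects(rng["events"], version):
                return True
    return False


def scan(components, advisories):
    """Findings for an SBOM as a set of (advisory id, 'ecosystem:name'). Keying on the package
    rather than its version means a bump that stays inside the affected range is not churn."""
    findings = set()
    for eco, name, version in components:
        for adv in advisories:
            if advisory_affects(adv, eco, name, version):
                findings.add((adv["id"], f"{eco}:{name}"))
    return findings


def delta(previous, current):
    """What the latest scan introduced (red in the UI) and resolved (green) relative to the last one."""
    return {"introduced": sorted(current - previous), "resolved": sorted(previous - current)}


def severity(score):
    """CVSS v3 qualitative rating scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0:
        return "Low"
    return "None"


# Constructed advisories in OSV shape; IDs, packages and ranges are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "npm", "name": "examplelib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.3.0"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "demo-parser"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"last_affected": "1.4.2"},
                                                 {"introduced": "2.0.0"}]}]}]},
    {"id": "EXAMPLE-0003", "affected": [{"package": {"ecosystem": "Go", "name": "example.com/demo/mux"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.8.1"}]}]}]},
    {"id": "EXAMPLE-0004", "affected": [{"package": {"ecosystem": "npm", "name": "demo-renderer"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0.2.0"}, {"fixed": "0.4.0"}]}]}]},
]

# Constructed SBOM component lists for two consecutive commits: (ecosystem, name, version).
BEFORE = [("npm", "examplelib", "2.2.5"), ("npm", "demo-parser", "1.4.2"), ("Go", "example.com/demo/mux", "1.8.0")]
AFTER = [("npm", "examplelib", "2.3.0"), ("npm", "demo-parser", "1.9.0"), ("Go", "example.com/demo/mux", "1.8.0"),
         ("npm", "demo-renderer", "0.3.0")]

if __name__ == "__main__":
    print(delta(scan(BEFORE, ADVISORIES), scan(AFTER, ADVISORIES)))
```

Two details worth checking in any matcher: `fixed` is exclusive while `last_affected` is inclusive, and a pre-release of the fixed version (`2.3.0-rc.1`) is still affected because it sorts below `2.3.0`.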

Triage and analysis

When you identify a vulnerability that doesn’t apply to your context — maybe the affected code path is unreachable, or you’ve already mitigated it — you can record that decision directly in boring.tools. Each vulnerability supports a full triage workflow: state (not affected, exploitable, fixed, etc.), justification, response actions, and free-text notes. Suppressed vulnerabilities are hidden from counts and tables until you explicitly show them.
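An added example of the triage record and suppression logic described above, not boring.tools' own code. It is an assumption that the state, justification and response vocabularies match the `analysis` object of a CycloneDX vulnerability (the values below are that spec's), and the rule that `not_affected` must carry a justification is an assumed house policy rather than a spec requirement. The findings and triage decisions are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Vocabularies from the CycloneDX vulnerability `analysis` object (assumed to be what the UI stores).
STATES = {"in_triage", "exploitable", "not_affected", "false_positive", "resolved", "resolved_with_pedigree"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration", "requires_dependency",
                  "requires_environment", "protected_by_compiler", "protected_at_runtime",
                  "protected_at_perimeter", "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}
# Terminal states: hidden from counts and tables until the user asks to see suppressed findings.
SUPPRESSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


@dataclass
class Triage:
    state: str
    justification: Optional[str] = None
    response: list = field(default_factory=list)
    detail: str = ""  # free-text notes

    def as_cyclonedx_analysis(self):
        """Serialise for export into the SBOM's vulnerabilities[].analysis block."""
        out = {"state": self.state}
        if self.justification:
            out["justification"] = self.justification
        if self.response:
            out["response"] = list(self.response)
        if self.detail:
            out["detail"] = self.detail
        return out


def triage_error(t):
    """Return None if the record is acceptable, otherwise the reason it is not."""
    if t.state not in STATES:
        return f"unknown state {t.state!r}"
    if t.justification is not None:
        if t.justification not in JUSTIFICATIONS:
            return f"unknown justification {t.justification!r}"
        if t.state != "not_affected":
            return "a justification only applies to state not_affected"
    if t.state == "not_affected" and t.justification is None:
        return "not_affected requires a justification (assumed policy: no unexplained suppressions)"
    bad = set(t.response) - RESPONSES
    if bad:
        return f"unknown response action(s) {sorted(bad)}"
    return None


def summarize(findings, triage, show_suppressed=False):
    """Per-severity counts for a scan, leaving out findings whose triage state is terminal
    unless show_suppressed is set. Returns the suppressed findings separately so the UI can
    show how many decisions are hiding what."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    suppressed = []
    for f in findings:
        t = triage.get((f["id"], f["purl"]))
        if t is not None and t.state in SUPPRESSED_STATES and not show_suppressed:
            suppressed.append((f["id"], f["purl"], t.state))
            continue
        counts[f["severity"]] += 1
    return {"counts": counts, "suppressed": suppressed}


# Constructed findings (placeholder IDs and packages, not real vulnerabilities).
FINDINGS = [
    {"id": "EXAMPLE-0003", "purl": "pkg:golang/example.com/demo/mux@1.8.0", "severity": "Critical"},
    {"id": "EXAMPLE-0004", "purl": "pkg:npm/demo-renderer@0.3.0", "severity": "High"},
    {"id": "EXAMPLE-0005", "purl": "pkg:npm/examplelib@2.3.0", "severity": "Medium"},
]

# Constructed triage decisions keyed by (advisory id, purl).
TRIAGE = {
    ("EXAMPLE-0003", "pkg:golang/example.com/demo/mux@1.8.0"): Triage(
        "not_affected", justification="code_not_reachable", detail="vulnerable handler is never registered"),
    ("EXAMPLE-0004", "pkg:npm/demo-renderer@0.3.0"): Triage("exploitable", response=["update"]),
}

if __name__ == "__main__":
    for key, t in TRIAGE.items():
        assert triage_error(t) is None, (key, triage_error(t))
    print(summarize(FINDINGS, TRIAGE))
    print(summarize(FINDINGS, TRIAGE, show_suppressed=True))
```

Keying the triage record on the advisory and the exact purl (with version) is deliberate: a "not affected" decision made for one version should not silently carry over to a new version where the code path may have changed.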

boring.tools includes a full-text search interface over our local OSV mirror. Search by CVE ID, GHSA ID, or package name. Filter by ecosystem, severity, or minimum CVSS score. This is independent of your projects — useful for quickly looking up an advisory you heard about before checking whether it affects your stack.

What’s next

We’re launching the beta with SBOM generation, vulnerability monitoring, and Forgejo integration. GitHub support is on the roadmap, as are compliance report exports and container image scanning.

Sign up for the beta to be among the first to try it.