# boto sbom
## Usage

```sh
boto sbom [flags]
```
Scans the project directory for a supported lockfile, generates a CycloneDX 1.6 SBOM in JSON format, and either prints it to stdout, writes it to a file, or uploads it to your boring.tools project.
## Supported package managers
Detection is automatic based on which lockfile is present. Priority order:
| Lockfile | Package manager |
|---|---|
| bun.lock | Bun |
| package-lock.json | npm |
| pnpm-lock.yaml | pnpm |
If none of these lockfiles are found, the command exits with an error.
## Flags
| Flag | Default | Description |
|---|---|---|
| --path | current directory | Path to the project directory to scan |
| --output | — | Write the SBOM to this file instead of stdout |
| --project | — | boring.tools project ID; when set, the SBOM is uploaded to the API instead of being printed or written |
## Examples

Print SBOM to stdout:

```sh
boto sbom
```

Write SBOM to a file:

```sh
boto sbom --output sbom.json
```

Scan a specific directory:

```sh
boto sbom --path /path/to/project --output sbom.json
```

Upload directly to a boring.tools project:

```sh
boto sbom --project <project-id>
```
Uploading requires BT_API_KEY to be set (or --api-key).
## Output

The SBOM is written as CycloneDX 1.6 JSON. The root component is read from package.json in the project root (its name and version fields).
Progress and status messages are written to stderr so stdout remains clean for piping.
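The following Python is an added illustration of the two rules documented above, the lockfile priority order and the root component taken from package.json; it is not boto's own code (the tool's implementation is not on this page). It builds a constructed sample project in a temporary directory with both bun.lock and package-lock.json present to show that bun.lock wins, raises an error for a directory with no supported lockfile, and emits a minimal CycloneDX 1.6 skeleton. The `check_cyclonedx_16` function is a hypothetical pre-flight sanity check for the fields a consumer relies on, not a CycloneDX schema validator.

```python
import json
import tempfile
from pathlib import Path

# Documented detection order: the first lockfile found wins.
# (Mirrors the table in the docs; this is not the CLI's own code.)
LOCKFILE_PRIORITY = (
    ("bun.lock", "Bun"),
    ("package-lock.json", "npm"),
    ("pnpm-lock.yaml", "pnpm"),
)


def detect_package_manager(project_dir):
    """Return (lockfile, manager) for the first supported lockfile present.

    Raises FileNotFoundError when none is found, mirroring the documented
    'exits with an error' behaviour.
    """
    root = Path(project_dir)
    for lockfile, manager in LOCKFILE_PRIORITY:
        if (root / lockfile).is_file():
            return lockfile, manager
    names = ", ".join(name for name, _ in LOCKFILE_PRIORITY)
    raise FileNotFoundError(f"no supported lockfile ({names}) found in {root}")


def root_component(project_dir):
    """Build the root component from package.json's name and version fields."""
    with open(Path(project_dir) / "package.json", encoding="utf-8") as fh:
        pkg = json.load(fh)
    return {"type": "application", "name": pkg["name"], "version": pkg["version"]}


def sbom_skeleton(project_dir):
    """Return a minimal CycloneDX 1.6 document for the project (no dependency list)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"component": root_component(project_dir)},
        # A real generator fills this from the lockfile; left empty in this example.
        "components": [],
    }


def check_cyclonedx_16(doc):
    """Cheap structural sanity check on a parsed SBOM; returns a list of problems.

    Hypothetical pre-flight check only, not a CycloneDX schema validator.
    """
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if doc.get("specVersion") != "1.6":
        problems.append(f"specVersion is {doc.get('specVersion')!r}, expected '1.6'")
    component = doc.get("metadata", {}).get("component", {})
    for field in ("name", "version"):
        if not component.get(field):
            problems.append(f"metadata.component.{field} is missing")
    if not isinstance(doc.get("components"), list):
        problems.append("components is not a list")
    return problems


def demo():
    """Constructed sample project: bun.lock AND package-lock.json both present."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "package.json").write_text(
            json.dumps({"name": "demo-app", "version": "1.2.3"}), encoding="utf-8")
        Path(tmp, "package-lock.json").write_text("{}", encoding="utf-8")
        Path(tmp, "bun.lock").write_text("", encoding="utf-8")
        lockfile, manager = detect_package_manager(tmp)
        doc = sbom_skeleton(tmp)
        # Empty sibling directory: no lockfile, so detection must fail.
        empty = Path(tmp, "empty")
        empty.mkdir()
        try:
            detect_package_manager(empty)
            missing_error = None
        except FileNotFoundError as exc:
            missing_error = str(exc)
    return {"lockfile": lockfile, "manager": manager, "doc": doc,
            "problems": check_cyclonedx_16(doc), "missing_error": missing_error}


if __name__ == "__main__":
    result = demo()
    print(f"{result['lockfile']} -> {result['manager']}")  # bun.lock -> Bun
    print(json.dumps(result["doc"], indent=2))
```

Because the real command keeps stdout clean, the same `check_cyclonedx_16` style check can be run on `json.load(sys.stdin)` downstream of `boto sbom` in a pipeline, rejecting an SBOM whose specVersion or root component is not what the consumer expects before it is stored or uploaded.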