Overview
boring.tools integrates with Forgejo to automatically generate SBOMs whenever new commits are pushed. Once connected, boring.tools polls your repositories approximately every 30 minutes, detects new commits, and enqueues a scan automatically. You don’t need to trigger anything manually.
GitHub support is on the roadmap. Currently only Forgejo is supported.
Connect a Forgejo instance
- Go to Integrations in the sidebar
- Click Add integration (or New integration)
- Enter your Forgejo instance URL
- You’ll be redirected to your Forgejo instance to authorize the OAuth2 connection
- After authorizing, you’re redirected back to boring.tools
Your access token is stored encrypted using AES-256-GCM. Encryption at rest protects the stored token if the database is exposed; it does not limit what the token can do, which is whatever access the authorizing Forgejo account granted, so choose that account deliberately. You can connect multiple Forgejo instances: one per organization is typical, but there is no hard limit.
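The following is an added example, not boring.tools' own code or storage format, of what "stored encrypted using AES-256-GCM" has to get right in practice: a fresh random nonce per encryption, the nonce stored alongside the ciphertext, and the integration ID bound as associated data so a blob copied between rows fails to open. The `nonce || ciphertext || tag` layout, the AAD choice and the sample values are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealToken encrypts an OAuth2 access token with AES-256-GCM. The nonce is
// drawn fresh from crypto/rand on every call and prepended to the ciphertext;
// reusing a nonce under the same key breaks GCM's confidentiality and
// authenticity, so it is never derived from the token or a row counter.
// The integration ID is bound as associated data (AAD) so a ciphertext moved
// from one integration's row into another's will not authenticate.
// Layout nonce||ciphertext||tag is this example's assumption.
func sealToken(key []byte, integrationID string, token string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce used as dst.
	return gcm.Seal(nonce, nonce, []byte(token), []byte(integrationID)), nil
}

// openToken reverses sealToken. It fails closed on a truncated blob, a wrong
// key, a modified byte anywhere in the blob, or a mismatched integration ID.
func openToken(key []byte, integrationID string, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed token too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(integrationID))
	if err != nil {
		return "", err // tag mismatch: tampered blob, wrong key or wrong AAD
	}
	return string(plain), nil
}

// newKey returns a random 32-byte key. In a deployment the key lives outside
// the database (KMS, secret manager or environment), never next to the rows.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, _ := newKey()
	// Constructed sample values, not a real token or integration ID.
	sealed, err := sealToken(key, "integration-42", "tok-example-not-real")
	if err != nil {
		panic(err)
	}
	tok, err := openToken(key, "integration-42", sealed)
	fmt.Println(tok, err)
	// The same blob under another integration ID fails to authenticate.
	_, err = openToken(key, "integration-43", sealed)
	fmt.Println("wrong integration:", err)
}
```

The AAD binding is what turns "encrypted" into "encrypted for this row": without it, an attacker with write access to the table could swap tokens between integrations without ever learning the key.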
What you’ll see after connecting
The integration detail page shows your repository list. Repositories are listed with their full name (owner/repo), description, visibility, default branch, and whether they are currently linked to a project.
Browse repositories and files
Within an integration, you can navigate your full repository tree:
- Click a repository name to open it
- The Browse tab shows a file browser — click directories to navigate into them, click files to view their contents
- The breadcrumb at the top lets you navigate back up the tree
- File contents are displayed as plain text (useful for checking lockfiles, manifests, etc.)
Link a repository to a project
Before boring.tools can generate SBOMs for a repository, it must be linked to a project.
- In the integration’s repository list, find the repository you want to link
- Click Link to project (or the link icon next to the repository)
- A dialog opens — select the target project from the dropdown
- Click Link to confirm
The repository now appears under Linked Repositories on the project detail page. If the repository is already linked, the dialog shows the current project with an option to unlink.
Unlinking a repository
To stop scanning a repository:
- Open the project and go to the Linked Repositories tab
- Click Unlink next to the repository
Alternatively, open the integration and click the link icon on the repository — if it’s already linked, the dialog will offer an unlink option.
Unlinking a repository stops future scans but does not delete existing SBOMs generated from it.
Scan runs per repository
Click a repository name and open the Scan Runs tab to see the full history of SBOM generation runs for that repository.
| Column | Description |
|---|---|
| Status | completed / failed / pending (with inline error message for failures) |
| Trigger | How the scan was started: Auto (poll), Manual, or Upload |
| Branch | Which branch was scanned |
| Started | Timestamp when the scan began |
| Duration | How long the scan took |
| Vulns found | Total vulnerabilities detected |
| New | Newly introduced CVEs compared to the previous scan (shown in red) |
| Resolved | CVEs resolved compared to the previous scan (shown in green) |
| SBOM | Short ID of the generated SBOM (click to open it) |
Use the Refresh button to reload the list, or click Run now to trigger a new scan.
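The New and Resolved columns are a set difference between consecutive scans. The block below is an added example, not boring.tools' code, of one way to compute them; it keys each finding on the (CVE, package URL) pair rather than the CVE alone, so a CVE fixed in one dependency but still present in another is neither shown as resolved nor double-counted. That key choice, the treatment of a first scan (everything is New), and the placeholder CVE IDs and packages are all this example's assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// finding is one vulnerability hit: a CVE against one affected component,
// identified by its package URL. Keying on the pair rather than the CVE alone
// means a CVE fixed in one dependency but still present in another is neither
// double-counted nor wrongly reported as resolved. This key is the example's
// assumption, not documentation of how boring.tools keys its diff.
type finding struct {
	CVE  string
	PURL string
}

// scanDiff splits the current scan's findings against the previous scan's.
type scanDiff struct {
	New, Resolved, Unchanged []finding
}

// diffScans computes New (in current, not in previous), Resolved (in previous,
// not in current) and Unchanged. With a nil previous slice (first scan) every
// finding is New; that convention is this example's choice.
func diffScans(previous, current []finding) scanDiff {
	prev := make(map[finding]bool, len(previous))
	for _, f := range previous {
		prev[f] = true
	}
	cur := make(map[finding]bool, len(current))
	for _, f := range current {
		cur[f] = true
	}
	var d scanDiff
	for f := range cur {
		if prev[f] {
			d.Unchanged = append(d.Unchanged, f)
		} else {
			d.New = append(d.New, f)
		}
	}
	for f := range prev {
		if !cur[f] {
			d.Resolved = append(d.Resolved, f)
		}
	}
	// Map iteration is unordered; sort so the table renders deterministically.
	for _, s := range []*[]finding{&d.New, &d.Resolved, &d.Unchanged} {
		sortFindings(*s)
	}
	return d
}

func sortFindings(fs []finding) {
	sort.Slice(fs, func(i, j int) bool {
		if fs[i].CVE != fs[j].CVE {
			return fs[i].CVE < fs[j].CVE
		}
		return fs[i].PURL < fs[j].PURL
	})
}

// sampleScans returns constructed findings for two consecutive scans. The CVE
// IDs, package names and versions are placeholders, not real advisories.
func sampleScans() (previous, current []finding) {
	previous = []finding{
		{"CVE-0000-1001", "pkg:npm/left-pad@1.0.0"},
		{"CVE-0000-1002", "pkg:npm/alpha@2.0.0"},
		{"CVE-0000-1002", "pkg:npm/beta@1.1.0"}, // same CVE, second package
	}
	current = []finding{
		{"CVE-0000-1001", "pkg:npm/left-pad@1.0.0"}, // still present
		{"CVE-0000-1002", "pkg:npm/beta@1.1.0"},     // alpha was upgraded, beta not
		{"CVE-0000-1003", "pkg:npm/gamma@0.3.0"},    // newly introduced
	}
	return previous, current
}

func main() {
	prev, cur := sampleScans()
	d := diffScans(prev, cur)
	fmt.Printf("vulns found: %d, new: %d, resolved: %d\n", len(cur), len(d.New), len(d.Resolved))
	for _, f := range d.New {
		fmt.Println("NEW     ", f.CVE, f.PURL)
	}
	for _, f := range d.Resolved {
		fmt.Println("RESOLVED", f.CVE, f.PURL)
	}
}
```

With the constructed input the diff reports one New finding (the gamma package) and one Resolved finding (alpha), while CVE-0000-1002 stays counted because beta is still affected; a CVE-only key would have reported nothing resolved and hidden the alpha fix.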
Trigger a manual scan
To run a scan immediately without waiting for the next poll cycle:
- In the Scan Runs tab, click Run now
- A dialog opens with a Branch dropdown — select the branch you want to scan
- Click Generate
The latest commit on that branch will be used. A new row appears in the Scan Runs table with status pending, updating live as the scan progresses.
Note: If you see an error saying the repository is not linked to a project, go back and link it first via the integration’s repository list.
Configure the scan branch
By default, boring.tools uses the repository’s default branch for automated scans. To change this:
- Open the project and go to the Linked Repositories tab
- Click the branch dropdown next to the repository
- Select a different branch
The change applies immediately — the next automated scan will use the selected branch. There is no separate save step.
Automated scan schedule
boring.tools polls all linked repositories approximately every 30 minutes. If a new commit is detected on the configured scan branch since the last scan, a new SBOM generation job is enqueued. If no new commits are found, no scan is triggered.
The poll is commit-SHA based: boring.tools compares the latest commit on the scan branch with the commit it scanned last, so a scan is triggered only when that branch's head has changed. Any change of the head counts, including a merge or a force-push, while pushes to other branches are ignored.
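The decision logic of such a poll, as an added example that is not boring.tools' code: for each linked repository it reads the scan branch's head SHA, compares it with the SHA recorded at the last scan, and enqueues only on a change. The Forgejo endpoint named in the comments (`GET /api/v1/repos/{owner}/{repo}/branches/{branch}`, head SHA under `commit.id`) is my assumption about where a real poller would get the value; here the API is replaced by a constructed fixture so the block runs offline. Repository names and SHAs are placeholders.

```go
package main

import (
	"errors"
	"fmt"
)

// branchHead returns the head commit SHA of a branch, or an error when the
// branch cannot be read. A production poller would call Forgejo's API here
// (assumed endpoint GET /api/v1/repos/{owner}/{repo}/branches/{branch}, with
// the head SHA under commit.id); the function type lets the decision logic
// run offline against a fixture.
type branchHead func(fullName, branch string) (string, error)

// errBranchMissing stands in for a 404 (branch deleted or renamed).
var errBranchMissing = errors.New("branch not found")

// linkedRepo is the poller's view of a repository linked to a project.
type linkedRepo struct {
	FullName   string // owner/repo
	ScanBranch string // configured scan branch
	LastSHA    string // head SHA recorded at the last scan; "" if never scanned
}

// decision records what one poll did for one repository.
type decision struct {
	Repo    string
	Enqueue bool
	SHA     string // head SHA to scan, or the unchanged SHA when skipped
	Reason  string
}

// pollOnce compares each repository's current head with the SHA recorded at its
// last scan and decides whether to enqueue a scan. Any change of the head SHA
// enqueues, which covers merges and force-pushes, not only commits touching
// code; an unchanged head is skipped; a fetch error is reported and LastSHA is
// left untouched so the next poll simply retries.
func pollOnce(repos []linkedRepo, head branchHead) []decision {
	out := make([]decision, 0, len(repos))
	for _, r := range repos {
		sha, err := head(r.FullName, r.ScanBranch)
		switch {
		case err != nil:
			out = append(out, decision{Repo: r.FullName, Reason: "fetch failed: " + err.Error()})
		case sha == r.LastSHA:
			out = append(out, decision{Repo: r.FullName, SHA: sha, Reason: "no new commits"})
		case r.LastSHA == "":
			out = append(out, decision{Repo: r.FullName, Enqueue: true, SHA: sha, Reason: "first scan"})
		default:
			out = append(out, decision{Repo: r.FullName, Enqueue: true, SHA: sha, Reason: "head moved"})
		}
	}
	return out
}

// fixtureHead builds a branchHead from a constructed map of "owner/repo@branch"
// to head SHA, standing in for the API in this example.
func fixtureHead(heads map[string]string) branchHead {
	return func(fullName, branch string) (string, error) {
		sha, ok := heads[fullName+"@"+branch]
		if !ok {
			return "", errBranchMissing
		}
		return sha, nil
	}
}

// sampleState returns constructed repositories and branch heads (placeholder SHAs).
func sampleState() ([]linkedRepo, branchHead) {
	repos := []linkedRepo{
		{"acme/api", "main", "aaaa1111"},       // unchanged since last scan
		{"acme/web", "main", "bbbb2222"},       // head moved
		{"acme/tools", "develop", ""},          // linked but never scanned
		{"acme/legacy", "release", "cccc3333"}, // scan branch has been deleted
	}
	heads := map[string]string{
		"acme/api@main":      "aaaa1111",
		"acme/web@main":      "bbbb9999",
		"acme/tools@develop": "dddd4444",
	}
	return repos, fixtureHead(heads)
}

func main() {
	repos, head := sampleState()
	for _, d := range pollOnce(repos, head) {
		fmt.Printf("%-12s enqueue=%-5v sha=%-8s %s\n", d.Repo, d.Enqueue, d.SHA, d.Reason)
	}
}
```

The deleted-branch case is the one worth checking in your own setup: after a branch is renamed or removed on Forgejo, a SHA-based poll has nothing to compare against and the repository silently stops being scanned until the scan branch is changed in the Linked Repositories tab.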