BOMHort is a Kubernetes-native SBOM visualization and governance platform.
BOMHort (formerly known as SeeBOM) is the same project with a new name. Read more: Why we renamed SeeBOM to BOMHort.
BOMHort is an OpenSSF Sandbox Project.
Official docs: docs.bomhort.dev
What BOMHort Solves
BOMHort helps engineering and platform teams understand software composition risk at scale. It combines SBOM ingestion, vulnerability intelligence, VEX context, and license governance in one workflow.
- Ingest large SPDX and CycloneDX inventories (1000+ files)
- Evaluate vulnerabilities via OSV batch queries
- Apply OpenVEX statements to mark effective vs suppressed findings
- Track license posture with policy and exception files (CNCF policy by default)
Architecture Overview
The monorepo is split into focused runtime components:
ingestion-watcher: cron-driven source scanner that hashes files and enqueues jobsparsing-worker: scalable workers parsing SBOM and VEX payloads (SPDX, CycloneDX, in-toto envelopes)cve-refresher: daily background job that rechecks known PURLs for newly published CVEsapi-gateway: stateless REST layer with 19 endpoints for dashboard, SBOM, vulnerability, and license dataui: Angular 19 dashboard with virtual scrolling, dark mode, and CSS-variable theming
ClickHouse stores analytical tables for SBOM metadata, package arrays, vulnerabilities, license compliance, queue status, VEX statements, and CVE refresh logs.
Data Flow
- Sources are discovered from local files or S3-compatible buckets (S3-native by default).
- Files are deduplicated by SHA256 and queued in ClickHouse.
- Workers parse SBOM/OpenVEX, resolve unknown licenses via GitHub, and enrich risk via OSV.
- Results are written to SBOM, vulnerability, license, and VEX tables.
- API endpoints aggregate these views for the dashboard and search features.
Key Capabilities
- Cross-project CVE impact using PURL lookups and dependency relationships
- License compliance with permissive/copyleft classification and CNCF exceptions
- Dependency health insights including archived GitHub repository indicators
- Version skew detection across projects
- Fast search and analytics powered by ClickHouse arrays and materialized views
Tech Stack
- Backend: Go 1.25, net/http (stdlib)
- Database: ClickHouse (MergeTree family)
- Frontend: Angular 19, CDK Virtual Scrolling
- Vulnerability Scanning: OSV.dev API
- VEX: OpenVEX Spec v0.2.0
- Deployment: Helm 3, Docker Compose
Deployment Modes
- Docker Compose for quick local start
- Local Kubernetes with Kind
- Production Kubernetes with Helm charts
- Config-driven customization for theme and UI text without rebuilds
For full setup guides and endpoint-level details, use docs.bomhort.dev.