2026-06-28 · VulnLedger

How to Generate an SBOM in One Command

A step-by-step guide to generating Software Bill of Materials documents for your projects, from CLI to compliance-ready reports.

Tags: SBOM, Tutorial, Getting Started, Compliance

Generating a Software Bill of Materials (SBOM) used to be complex and time-consuming. With modern tools, you can generate a compliance-ready SBOM in under a minute.

What is an SBOM?

An SBOM is a structured list of all software components in your application. Think of it as an "ingredient label" for your software. It documents:

- Every library and package your code depends on
- Version numbers for each component
- License information
- Known vulnerabilities

Why You Need One

SBOMs are becoming mandatory:

- EU CRA: Required for all software sold in the EU by 2027
- US EO 14028: Required for federal software suppliers
- FDA: Required for medical device submissions
- PCI DSS 4.0: References SBOM for payment software

Method 1: CLI (Quickest)

Install VulnLedger and scan your project:

```bash
pip install vulnledger
vulnledger scan ./my-project
```

This generates a CycloneDX SBOM and checks every dependency against OSV.dev for vulnerabilities.

Method 2: CI/CD Integration

Add SBOM generation as a step in your GitHub Actions workflow:

```yaml
- name: Generate SBOM
  run: |
    pip install vulnledger
    vulnledger scan . --json --output sbom-report.json
```

Method 3: Web Dashboard

Sign up for VulnLedger Cloud, connect your GitHub repo, and get automatic SBOM generation on every scan.

Reading Your SBOM

Your SBOM report will show:

1. Total components: How many dependencies you have
2. Vulnerabilities: Known CVEs in your dependencies
3. Severity breakdown: Critical, high, medium, low
4. Fix versions: What to upgrade to
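To make the "ingredient label" idea and the four report figures concrete, here is an added example (not VulnLedger's code) that builds a minimal CycloneDX JSON document from a constructed dependency list and then derives the component count, vulnerability list, severity breakdown and fix versions from it. Field names follow the CycloneDX JSON schema; the package versions, advisory IDs and the "Upgrade to X" recommendation text are constructed placeholders, and reading the fix version out of the recommendation string is an assumption of this example rather than a CycloneDX rule.

```python
"""Build a minimal CycloneDX 1.5 SBOM from a constructed dependency list and
summarise it the way a report viewer would (components, vulnerabilities,
severity breakdown, fix versions). Added example, not VulnLedger's code.
Field names follow the CycloneDX JSON schema; the sample versions and
advisory IDs below are constructed placeholders, not real advisories."""
import json
from collections import Counter

# Constructed dependency list as a resolver might report it: (name, version, license).
DEPENDENCIES = [
    ("requests", "2.31.0", "Apache-2.0"),
    ("urllib3", "1.26.5", "MIT"),
    ("pyyaml", "5.3.1", "MIT"),
]

# Constructed advisories (placeholder IDs, not CVEs) naming the affected
# package, a severity rating and the version that resolves the finding.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "pkg": "urllib3", "severity": "high", "fixed": "1.26.18"},
    {"id": "EXAMPLE-2024-0002", "pkg": "pyyaml", "severity": "critical", "fixed": "5.4"},
]


def purl(name: str, version: str) -> str:
    """Package URL for a PyPI package; PyPI names are lowercased in purls."""
    return f"pkg:pypi/{name.lower()}@{version}"


def build_sbom(deps, advisories) -> dict:
    """Assemble the CycloneDX document: components plus a vulnerabilities section."""
    components = [
        {
            "type": "library",
            "bom-ref": purl(n, v),
            "name": n,
            "version": v,
            "purl": purl(n, v),
            "licenses": [{"license": {"id": lic}}],
        }
        for n, v, lic in deps
    ]
    ref_by_name = {n: purl(n, v) for n, v, _ in deps}
    vulnerabilities = [
        {
            "id": a["id"],
            "ratings": [{"severity": a["severity"]}],
            "affects": [{"ref": ref_by_name[a["pkg"]]}],
            # Free-text field in CycloneDX; this example uses a fixed phrasing
            # so the summariser can recover the fix version from it.
            "recommendation": f"Upgrade to {a['fixed']}",
        }
        for a in advisories
        if a["pkg"] in ref_by_name
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": components,
        "vulnerabilities": vulnerabilities,
    }


def summarize(sbom: dict) -> dict:
    """The four figures listed under 'Reading Your SBOM'."""
    refs = {c["bom-ref"]: c for c in sbom.get("components", [])}
    vulns = sbom.get("vulnerabilities", [])
    severities = Counter(
        r.get("severity", "unknown") for v in vulns for r in v.get("ratings", [])
    )
    fixes = {}
    for v in vulns:
        rec = v.get("recommendation", "")
        for a in v.get("affects", []):
            c = refs.get(a["ref"])
            if c and rec.startswith("Upgrade to "):
                fixes[f"{c['name']}@{c['version']}"] = rec.removeprefix("Upgrade to ")
    return {
        "total_components": len(refs),
        "vulnerabilities": [v["id"] for v in vulns],
        "severity_breakdown": {s: severities.get(s, 0) for s in ("critical", "high", "medium", "low")},
        "fix_versions": fixes,
    }


if __name__ == "__main__":
    bom = build_sbom(DEPENDENCIES, ADVISORIES)
    print(json.dumps(bom, indent=2))
    print(json.dumps(summarize(bom), indent=2))
```

Running the script prints the SBOM document followed by the summary. The summariser looks components up by `bom-ref`, which is how CycloneDX ties a vulnerability's `affects` entries back to the component list; a real report viewer would do the same lookup over a document with hundreds of components.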

From SBOM to Compliance

To turn your SBOM into a compliance document:

1. Generate the SBOM (CycloneDX format preferred)
2. Scan for vulnerabilities (OSV.dev or NVD)
3. Document your remediation plan
4. Export as PDF for auditors

VulnLedger does all of this automatically and provides compliance-ready reports for EU CRA, FDA, and NIST SSDF.
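Steps 2 and 3 above are where most of the work happens: each SBOM component has to be checked against a vulnerability database, and every hit needs a fix version for the remediation plan. The following added example (not VulnLedger's code) shows that step for OSV.dev: it turns component purls into the body of a `POST /v1/querybatch` request, then walks the `affected[].ranges[].events` of an advisory to decide whether an installed version is in an affected range and which `fixed` version closes it. The request shape follows OSV's documented API; `SAMPLE_ADVISORY` is a constructed stand-in for what `GET /v1/vulns/{id}` would return, so the script runs offline and makes no network call.

```python
"""Step 2 of the compliance flow: turn SBOM component purls into an OSV.dev
batch query and read fix versions out of an OSV advisory. Added example, not
VulnLedger's code. SAMPLE_ADVISORY is constructed so everything runs offline."""
import json

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # documented OSV endpoint

# purl type -> OSV ecosystem name (a subset sufficient for this example)
ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "cargo": "crates.io"}

# Constructed advisory with two affected ranges: [0, 1.4.2) and [2.0.0, 2.0.3).
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-OSV-0001",  # placeholder id, not a real OSV or CVE id
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.4.2"},
            {"introduced": "2.0.0"}, {"fixed": "2.0.3"},
        ]}],
    }],
}


def parse_purl(purl):
    """Split pkg:<type>/<name>@<version> into (ecosystem, name, version)."""
    ptype, _, rest = purl.removeprefix("pkg:").partition("/")
    name, _, version = rest.rpartition("@")
    return ECOSYSTEMS[ptype], name, version


def osv_batch_query(purls):
    """Request body for POST /v1/querybatch: one query per SBOM component."""
    return {"queries": [
        {"package": {"ecosystem": eco, "name": name}, "version": ver}
        for eco, name, ver in map(parse_purl, purls)
    ]}


def version_key(v):
    """Numeric dotted-version ordering; use packaging.version in real code."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def fix_for(advisory, ecosystem, name, version):
    """Return the fix version if `version` lies in an affected range, the
    string 'unfixed' if an open-ended range covers it, or None if unaffected."""
    vk = version_key(version)
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue  # GIT ranges need commit history and are not handled here
            introduced = None
            for ev in rng.get("events", []):  # events come in order: introduced, fixed, ...
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev and introduced is not None:
                    if version_key(introduced) <= vk < version_key(ev["fixed"]):
                        return ev["fixed"]
                    introduced = None
            if introduced is not None and vk >= version_key(introduced):
                return "unfixed"  # introduced with no matching fixed event
    return None


def remediation_rows(purls, advisories):
    """Step 3 input: one row per (component, advisory) pair that needs action."""
    rows = []
    for purl in purls:
        eco, name, ver = parse_purl(purl)
        for adv in advisories:
            fix = fix_for(adv, eco, name, ver)
            if fix is not None:
                rows.append({"component": purl, "advisory": adv["id"], "fix": fix})
    return rows


if __name__ == "__main__":
    purls = ["pkg:pypi/examplelib@1.4.0", "pkg:pypi/examplelib@1.4.2",
             "pkg:pypi/examplelib@2.0.1", "pkg:npm/left-pad@1.3.0"]
    print(json.dumps(osv_batch_query(purls), indent=2))
    print(json.dumps(remediation_rows(purls, [SAMPLE_ADVISORY]), indent=2))
```

Two points worth noting for a real pipeline: `querybatch` returns only advisory IDs, so each ID still has to be fetched to get the `affected` ranges used here, and the version comparison above is deliberately simple; pre-releases and ecosystem-specific ordering rules need the ecosystem's own version parser.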

Conclusion

Generating an SBOM is no longer optional. The good news is that it's also no longer difficult. Start with one command and you'll have a compliance-ready document in seconds.
