endor-sbom
Endor Labs SBOM Management
Manage Software Bills of Materials (SBOMs): export, import, analyze, compare, and validate.
Supported Actions
| Action | Description |
|---|---|
| export | Generate SBOM from current project |
| import | Import and analyze an external SBOM |
| analyze | Analyze project's component inventory |
| compare | Compare two SBOMs for drift detection |
| validate | Check SBOM format compliance |
Workflow
Action: Export
- Use the `get_resource` MCP tool (`resource_type: Project`, `name`: project/repo name) to get the project UUID. If the project is not found, suggest running `/endor-scan` first.
- Export the SBOM:

```bash
# CycloneDX (recommended)
npx -y endorctl sbom export --project-uuid {uuid} --format cyclonedx --output sbom-cyclonedx.json
# SPDX
npx -y endorctl sbom export --project-uuid {uuid} --format spdx --output sbom-spdx.json
```
- Present a summary with:
  - format and file path
  - project name
  - component counts by type (Libraries / Frameworks / Applications / Total)
  - top-level dependencies with versions and licenses
  - NTIA minimum-element checks: component names, versions, unique IDs, dependency relationships, author info, timestamp
Action: Analyze
- Run `/endor-scan` if the project has not already been scanned.
- Query findings and dependencies.
- Present component breakdown:
- Counts by category (direct/transitive/dev) with vuln and license risk counts
- Vulnerability coverage: components with CVEs, critical/high count, reachable count
- License distribution with risk levels
Action: Compare
Compare two SBOMs for drift detection. Present:
- Added/removed/updated packages with versions
- Security impact: new vulns introduced, vulns resolved, net change
- License impact: new risks, resolved risks
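The drift report above, worked through as an added example (not endorctl or Endor Labs code): it diffs two CycloneDX JSON documents by version-independent package identity so that an upgrade shows as "updated" rather than as a remove plus an add, diffs the optional CycloneDX `vulnerabilities` array by advisory id, and flags license changes against a policy set. The two SBOMs, the `RISKY_LICENSES` policy, and the `npm_lib` builder are constructed for the example; CVE-2021-23337 is the real lodash advisory fixed in 4.17.21. Security impact in the real workflow comes from Endor findings, which this script does not query.

```python
"""Drift comparison of two CycloneDX JSON SBOMs (added example, not endorctl code)."""
import json

# Constructed example policy: license identifiers this reviewer treats as risky.
RISKY_LICENSES = {"WTFPL", "AGPL-3.0-only", "GPL-3.0-only"}


def identity(c: dict) -> str:
    """Version-independent key, so an upgrade shows as 'updated' rather than remove+add."""
    purl = c.get("purl")
    if purl:
        # purl layout: pkg:type/namespace/name@version?qualifiers#subpath.
        # '@' inside a name is percent-encoded, so the first '@' starts the version.
        return purl.split("@", 1)[0].split("?", 1)[0]
    return f"{c.get('type', 'library')}/{c.get('group', '')}/{c.get('name', '')}"


def licenses_of(c: dict) -> set[str]:
    """Collect SPDX ids, names or expressions from a CycloneDX 'licenses' list."""
    ids: set[str] = set()
    for entry in c.get("licenses", []):
        if "expression" in entry:
            ids.add(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.add(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids


def compare_sboms(old: dict, new: dict) -> dict:
    """Package, vulnerability and license drift between two CycloneDX documents."""
    a = {identity(c): c for c in old.get("components", [])}
    b = {identity(c): c for c in new.get("components", [])}
    updated = sorted(
        (k, a[k].get("version"), b[k].get("version"))
        for k in a.keys() & b.keys()
        if a[k].get("version") != b[k].get("version")
    )
    # CycloneDX >= 1.4 may embed a 'vulnerabilities' array; diff by advisory id.
    old_vulns = {v["id"] for v in old.get("vulnerabilities", []) if "id" in v}
    new_vulns = {v["id"] for v in new.get("vulnerabilities", []) if "id" in v}
    old_risk = {lic for c in a.values() for lic in licenses_of(c) if lic in RISKY_LICENSES}
    new_risk = {lic for c in b.values() for lic in licenses_of(c) if lic in RISKY_LICENSES}
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "updated": updated,
        "vulns_introduced": sorted(new_vulns - old_vulns),
        "vulns_resolved": sorted(old_vulns - new_vulns),
        "net_vuln_change": len(new_vulns) - len(old_vulns),
        "license_risks_new": sorted(new_risk - old_risk),
        "license_risks_resolved": sorted(old_risk - new_risk),
    }


def npm_lib(name: str, version: str, license_id: str) -> dict:
    """Build a minimal CycloneDX component for the constructed sample below."""
    purl = f"pkg:npm/{name}@{version}"
    return {"type": "library", "name": name, "version": version, "purl": purl,
            "bom-ref": purl, "licenses": [{"license": {"id": license_id}}]}


# Constructed sample SBOMs. CVE-2021-23337 is the real lodash advisory fixed in
# 4.17.21; everything else about these two documents is made up for the example.
OLD_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [npm_lib("express", "4.18.2", "MIT"),
                   npm_lib("lodash", "4.17.20", "MIT"),
                   npm_lib("left-pad", "1.3.0", "WTFPL")],
    "vulnerabilities": [{"id": "CVE-2021-23337",
                         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]}],
}
NEW_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
    "components": [npm_lib("express", "4.18.2", "MIT"),
                   npm_lib("lodash", "4.17.21", "MIT"),
                   npm_lib("minimist", "1.2.8", "MIT")],
    "vulnerabilities": [],
}

if __name__ == "__main__":
    print(json.dumps(compare_sboms(OLD_SBOM, NEW_SBOM), indent=2))
```

Keying on the purl without its version is what makes the "updated" bucket possible; keying on `bom-ref` alone would report every bump as a removal plus an addition, which hides upgrades that resolve a finding.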
Action: Validate
Validate an SBOM file against compliance standards. Check: format validity, NTIA minimum elements, component completeness, dependency relationships.
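The validation checks listed above, as an added example (not endorctl's validator): it parses a CycloneDX JSON document and reports missing NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp), plus dangling dependency references and components absent from the dependency graph. The `GOOD_SBOM` and `BAD_SBOM` documents and the tool name in `metadata.tools` are constructed for the example.

```python
"""NTIA minimum-element checks for a CycloneDX JSON SBOM (added example)."""
import copy
import json
from datetime import datetime


def validate_cyclonedx(sbom: dict) -> list[str]:
    """Return human-readable problems; an empty list means the SBOM passes."""
    problems: list[str] = []
    # Format validity
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if not sbom.get("specVersion"):
        problems.append("specVersion missing")
    # NTIA: author of the SBOM data and timestamp live under metadata
    meta = sbom.get("metadata", {})
    ts = meta.get("timestamp")
    if not ts:
        problems.append("metadata.timestamp missing")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"metadata.timestamp not ISO 8601: {ts!r}")
    if not (meta.get("authors") or meta.get("tools") or meta.get("supplier")):
        problems.append("SBOM author missing (metadata.authors, .tools or .supplier)")
    # NTIA per-component elements: supplier, name, version, unique identifier
    comps = sbom.get("components", [])
    refs = {c["bom-ref"] for c in comps if c.get("bom-ref")}
    root = meta.get("component", {})
    if root.get("bom-ref"):
        refs.add(root["bom-ref"])
    for i, c in enumerate(comps):
        tag = c.get("name") or f"components[{i}]"
        if not c.get("name"):
            problems.append(f"{tag}: name missing")
        if not c.get("version"):
            problems.append(f"{tag}: version missing")
        if not (c.get("purl") or c.get("cpe") or c.get("bom-ref")):
            problems.append(f"{tag}: no unique identifier (purl/cpe/bom-ref)")
        if not (c.get("supplier") or c.get("publisher") or c.get("author")):
            problems.append(f"{tag}: supplier missing")
    # NTIA: dependency relationships; every ref must resolve and every
    # component must appear somewhere in the graph
    deps = sbom.get("dependencies", [])
    if not deps:
        problems.append("dependencies missing (no dependency relationships)")
    seen: set[str] = set()
    for d in deps:
        for ref in [d.get("ref")] + list(d.get("dependsOn", [])):
            if ref not in refs:
                problems.append(f"dependencies: dangling ref {ref!r}")
            seen.add(ref)
    for c in comps:
        if c.get("bom-ref") and c["bom-ref"] not in seen:
            problems.append(f"{c.get('name')}: not in dependency graph")
    return problems


def validate_sbom_text(text: str) -> list[str]:
    """Same checks, starting from raw file contents; a parse failure is a problem."""
    try:
        return validate_cyclonedx(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]


# Constructed sample: an application with two direct npm dependencies.
GOOD_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "tools": [{"name": "example-sbom-tool"}],  # constructed tool name
        "component": {"type": "application", "name": "demo-app",
                      "version": "1.0.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "bom-ref": "express",
         "supplier": {"name": "expressjs"}},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "bom-ref": "lodash",
         "supplier": {"name": "lodash"}},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["express", "lodash"]},
        {"ref": "express", "dependsOn": []},
        {"ref": "lodash", "dependsOn": []},
    ],
}

# Constructed failing variant: no timestamp, a versionless component, a dangling ref.
BAD_SBOM = copy.deepcopy(GOOD_SBOM)
del BAD_SBOM["metadata"]["timestamp"]
del BAD_SBOM["components"][1]["version"]
BAD_SBOM["dependencies"][0]["dependsOn"].append("left-pad")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        print(name, validate_cyclonedx(doc) or "OK")
```

The dangling-reference check matters more than it looks: a `dependencies` entry that points at a `bom-ref` no component declares is exactly the shape an SBOM takes after components are stripped or renamed, and most consumers silently drop the edge instead of failing.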
Next Steps
- `/endor-scan` - scan for vulnerabilities
- `/endor-license` - check license compliance
- `/endor-cicd` - automate SBOM generation
For data source policy, read references/data-sources.md.
Error Handling
| Error | Action |
|---|---|
| Project not found | Run /endor-scan first |
| Auth error | Run /endor-setup |
| Invalid SBOM format | Show validation errors, suggest corrections |