Show HN: SBoM dashboard that pulls from GitHub release assets

  • Posted 3 hours ago by hcavarsan
  • 2 points
https://sbom.kftray.app
I've been setting up supply chain security for my project kftray. Mainly the release workflow ( https://github.com/hcavarsan/kftray/blob/main/.github/workfl... ) is generating CycloneDX SBOMs with Syft, scanning for vulns with Grype, signing everything with Cosign, and using OpenVEX to suppress false positives.

I wanted a simple way to expose an overview of all this without spinning up Dependency-Track or similar.

So I built this (public) page that reads directly from GitHub release assets and shows components, vulnerabilities by severity, and also aggregates OpenSSF Scorecard and best practices into a summary card (https://sbom.kftray.app). It's basically simple React/Bun code.

Source code isn't public yet… if there's interest I'd be happy to open source it…

Would love feedback on the approach.
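The core of the approach described above, as an added example that is not kftray's code and not the dashboard's source: fetch a Grype-enriched CycloneDX SBOM from a GitHub release asset, apply the OpenVEX statements shipped alongside it, and reduce the result to the component count and per-severity vulnerability counts a summary card would show. The SBOM and VEX documents in the block are constructed samples with made-up CVE ids; the URL helper assumes the standard GitHub release download path, the asset file names are assumptions, and treating a VEX statement with no `products` list as applying to every product is an assumption of this example rather than something the post states.

```javascript
// Added example (not kftray's code): summarise a CycloneDX SBOM that Grype
// has enriched with a `vulnerabilities` array, honouring OpenVEX statements.
// All sample data below is constructed; CVE ids are not real.

// CycloneDX severity values, ordered from worst to least informative.
const SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"];

// OpenVEX statuses that mean "not an open finding for this release".
const SUPPRESSING_STATUSES = new Set(["not_affected", "fixed"]);

// Download URL of an asset attached to a release tag (standard GitHub layout).
function releaseAssetUrl(owner, repo, tag, assetName) {
  return `https://github.com/${owner}/${repo}/releases/download/${tag}/${assetName}`;
}

// Fetch and parse a JSON release asset (fetch is built into Bun and Node 18+).
async function loadJsonAsset(url) {
  const res = await fetch(url);
  if (!res.ok) throw new Error(`${url}: HTTP ${res.status}`);
  return res.json();
}

// Worst severity across every rating a scanner attached to one vulnerability;
// "unknown" when no rating carries a recognised severity.
function worstSeverity(vuln) {
  let worst = SEVERITY_ORDER.length - 1;
  for (const rating of vuln.ratings ?? []) {
    const idx = SEVERITY_ORDER.indexOf(String(rating.severity ?? "").toLowerCase());
    if (idx !== -1 && idx < worst) worst = idx;
  }
  return SEVERITY_ORDER[worst];
}

// OpenVEX status for (vulnerability id, affected purl), or null if no statement matches.
// Assumption: a statement without a `products` list applies to every product.
function vexStatus(vex, vulnId, purl) {
  for (const st of vex?.statements ?? []) {
    if (st.vulnerability?.name !== vulnId) continue;
    const products = st.products ?? [];
    if (products.length === 0 || products.some((p) => p["@id"] === purl)) return st.status;
  }
  return null;
}

// Dashboard summary: component count, open findings by worst severity, and the
// findings VEX suppressed (kept so reviewers can see what was waived and why).
function summarize(sbom, vex) {
  const bySeverity = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const open = [];
  const suppressed = [];
  for (const vuln of sbom.vulnerabilities ?? []) {
    const refs = (vuln.affects ?? []).map((a) => a.ref);
    const statuses = refs.map((ref) => vexStatus(vex, vuln.id, ref));
    // Only suppress when every affected component is covered by a waiving statement.
    const fullySuppressed = refs.length > 0 && statuses.every((s) => SUPPRESSING_STATUSES.has(s));
    if (fullySuppressed) {
      suppressed.push({ id: vuln.id, status: statuses[0], refs });
    } else {
      const severity = worstSeverity(vuln);
      bySeverity[severity] += 1;
      open.push({ id: vuln.id, severity, refs });
    }
  }
  return { components: (sbom.components ?? []).length, bySeverity, open, suppressed };
}

// Constructed CycloneDX 1.5 document in the shape `grype -o cyclonedx-json` emits.
const sampleSbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", name: "left-pad", version: "1.3.0", purl: "pkg:npm/left-pad@1.3.0" },
    { type: "library", name: "lodash", version: "4.17.20", purl: "pkg:npm/lodash@4.17.20" },
    { type: "application", name: "sample-app", version: "0.0.0", purl: "pkg:npm/sample-app@0.0.0" },
  ],
  vulnerabilities: [
    { id: "CVE-2099-0001", ratings: [{ severity: "high" }], affects: [{ ref: "pkg:npm/lodash@4.17.20" }] },
    { id: "CVE-2099-0002", ratings: [{ severity: "low" }, { severity: "medium" }], affects: [{ ref: "pkg:npm/lodash@4.17.20" }] },
    { id: "CVE-2099-0003", ratings: [], affects: [{ ref: "pkg:npm/left-pad@1.3.0" }] },
  ],
};

// Constructed OpenVEX document waiving one finding for one component.
const sampleVex = {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/constructed-1",
  author: "constructed example",
  timestamp: "2024-01-01T00:00:00Z",
  version: 1,
  statements: [
    { vulnerability: { name: "CVE-2099-0002" }, products: [{ "@id": "pkg:npm/lodash@4.17.20" }],
      status: "not_affected", justification: "vulnerable_code_not_in_execute_path" },
  ],
};

// Offline run on the constructed samples; for a real release, replace the two
// objects with loadJsonAsset(releaseAssetUrl(owner, repo, tag, "<sbom asset>")) etc.
console.log(JSON.stringify(summarize(sampleSbom, sampleVex), null, 2));
```

Two details matter for a dashboard like this: counting each finding once by its worst rating (Grype attaches one rating per vulnerability source, so naive summing overcounts), and suppressing a finding only when the VEX statement covers every component it affects, so a waiver written for one purl does not silently hide the same CVE in another.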

0 comments