
kunnus-scanner Is Now Open Source: Free SBOM Generation for CRA Compliance

We've open-sourced kunnus-scanner – a free CLI tool for generating SBOMs across 30+ ecosystems in SPDX and CycloneDX formats. Get started in minutes with Homebrew, Docker, or GitHub Actions.

March 10, 2026
4 min read
Think Ahead Team

Today we're open-sourcing kunnus-scanner – a free, Apache 2.0-licensed command-line tool for generating Software Bills of Materials. It scans your project's dependencies across more than 30 package ecosystems and produces standards-compliant SBOMs in SPDX 2.3 and CycloneDX formats.

No account required. No API key. Just install and run.

Why We Built This

The EU Cyber Resilience Act requires manufacturers to maintain accurate SBOMs for every product they ship. Generating those SBOMs is a technical problem – and we believe the tooling to solve it should be freely available to everyone.

kunnus-scanner handles the scanning layer: it reads your lockfiles, resolves dependencies, checks against the OSV vulnerability database, and outputs a standards-compliant SBOM in whichever format your workflow requires. The result plugs directly into the Kunnus platform for ongoing vulnerability management and CRA documentation – but it also works perfectly well as a standalone tool.

We built it on Google's osv-scalibr library, which is the same engine powering several large-scale vulnerability scanning pipelines in production. We wrapped it with a CLI focused on the CRA compliance workflow: clean output, format flexibility, and native CI/CD integration.

What kunnus-scanner Covers

The scanner supports over 30 language and package manager ecosystems out of the box:

  • Go (go.mod, compiled binaries)
  • JavaScript / Node.js (npm, Yarn, pnpm, Bun lockfiles)
  • Python (pip, Poetry, Pipenv, PDM, UV)
  • Java (Maven, Gradle with transitive dependency enrichment)
  • Rust (Cargo.lock with audit data)
  • C / C++ (Conan)
  • .NET (NuGet in all formats)
  • Ruby (Gemfile.lock)
  • PHP (Composer)
  • Dart / Flutter (pubspec.lock)
  • Haskell (Cabal, Stack)
  • Erlang (mix.lock)
  • R (renv.lock)
  • OS packages (Alpine APK, Debian DPKG, Windows Registry) with --include-os

For each dependency it captures name, version, license, supplier, and a PURL or CPE identifier – the metadata required to match components against vulnerability databases.

Getting Started in Three Commands

Install via Homebrew:

brew install think-ahead-technologies/tap/kunnus

Scan your current project:

kunnus sbom

Save to a file in CycloneDX format:

kunnus sbom --format cyclonedx-1-5 --output sbom.cdx.json

That's it. The scanner walks your directory tree, finds every supported lockfile, resolves all direct and transitive dependencies, and outputs a complete SBOM.
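A post-generation check on the SBOM the scanner emits, as an added example that is not part of kunnus-scanner: it parses a CycloneDX 1.5 JSON document and reports any component lacking the name, version, license, supplier or PURL/CPE metadata described above, so gaps surface before the file is uploaded or matched against a vulnerability database. The embedded sample SBOM is constructed for illustration, not real scanner output.

```python
"""Sanity-check a CycloneDX JSON SBOM before uploading it (added example)."""
import json
import sys

# Constructed sample in CycloneDX 1.5 JSON shape; not real kunnus-scanner output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}],
         "supplier": {"name": "lodash"}},
        {"type": "library", "name": "internal-util", "version": "0.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

REQUIRED = ("name", "version")


def check_component(comp):
    """Return the list of missing-field names for one component."""
    missing = [f for f in REQUIRED if not comp.get(f)]
    if not (comp.get("purl") or comp.get("cpe")):
        missing.append("purl/cpe")   # nothing to match against OSV / NVD
    if not comp.get("licenses"):
        missing.append("licenses")   # CRA documentation needs license data
    if not comp.get("supplier"):
        missing.append("supplier")
    return missing


def audit_sbom(sbom_json):
    """Map each component (name@version) to its gaps; an empty dict means clean."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = {}
    for comp in doc.get("components", []):
        gaps = check_component(comp)
        if gaps:
            findings[f"{comp.get('name')}@{comp.get('version')}"] = gaps
    return findings


if __name__ == "__main__":
    # Pass a path such as sbom.cdx.json to audit a real file; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for ref, gaps in audit_sbom(data).items():
        print(f"{ref}: missing {', '.join(gaps)}")
```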

CI/CD Integration with GitHub Actions

For teams running GitHub Actions, we publish ready-to-use actions for both scanning and uploading:

- name: Generate SBOM
  uses: think-ahead-technologies/kunnus-scanner/actions/sbom@main
  with:
    output: sbom.spdx.json

- name: Upload to Kunnus
  uses: think-ahead-technologies/kunnus-scanner/actions/upload@main
  with:
    file: sbom.spdx.json
    api-key: ${{ secrets.KUNNUS_API_KEY }}
    component-id: ${{ vars.KUNNUS_COMPONENT_ID }}
    version: ${{ github.ref_name }}

The scanner action runs on every push. The upload action pushes the result to the Kunnus platform, where it gets matched against the OSV database and tracked against your CRA compliance posture. You can also use either action independently – if you already upload SBOMs somewhere else, the scanner action still gives you a clean, standards-compliant output at zero cost.

Docker for Containerized Workflows

If you're running in a containerized build environment:

docker run --rm \
  -v $(pwd):/workspace \
  ghcr.io/think-ahead-technologies/kunnus-scanner:latest \
  sbom --output /workspace/sbom.spdx.json

Pre-built multi-arch images for linux/amd64 and linux/arm64 are published to GitHub Container Registry with every release.

The Relationship to the Kunnus Platform

kunnus-scanner gives you SBOM generation. The Kunnus platform gives you everything on top of that: continuous vulnerability monitoring across all your products, automated alerting when new CVEs affect your shipped components, structured CRA documentation, conformity assessment support, and the audit trail you'll need for market surveillance.

The scanner is the foundation. The platform is what turns a single SBOM into an operational compliance workflow that scales across product lines and teams.

If you're evaluating both, start with the scanner. Get your first SBOM in five minutes, understand what it surfaces, then book a demo to see how it fits into a full CRA compliance workflow.

Open Source, Apache 2.0

kunnus-scanner is released under the Apache 2.0 license. The full source is available at github.com/think-ahead-technologies/kunnus-scanner. Contributions, issues, and feature requests are welcome.

If you're building a CRA compliance workflow and want to understand how your current SBOM process stacks up, our free CRA readiness assessment takes about five minutes and gives you a clear picture of where you stand.
