Open Source

SBOM Generation. Free. For Everyone.

kunnus-scanner is an open source CLI tool that scans any codebase and generates a standards-compliant Software Bill of Materials in minutes.

Built for CRA Compliance. Free to Use.

The EU Cyber Resilience Act requires manufacturers to draw up and maintain an SBOM (covering at least the top-level dependencies) for every product with digital elements they place on the EU market. We believe the tooling to generate those SBOMs should be freely available to everyone – from solo developers to large engineering teams.

What kunnus-scanner Does

30+ Ecosystems

Scans Go, Python, JavaScript, Java, Rust, .NET, Ruby, PHP, Dart, Haskell, Erlang, R, and more. OS-level packages (APK, DPKG, Windows Registry entries) are included when you pass --include-os.

SPDX & CycloneDX

Outputs SPDX 2.3 and CycloneDX 1.4 / 1.5 – the two machine-readable formats commonly accepted for CRA compliance and by most downstream tooling.

Vulnerability Matching

Matches all detected components against the OSV vulnerability database. Generates a summary with ecosystem breakdown and CVE counts.

CI/CD Integration

Ready-made GitHub Actions for SBOM generation and upload. Detects GitHub Actions, GitLab CI, Jenkins, and generic CI environments automatically.

Docker Support

Multi-arch images for linux/amd64 and linux/arm64 published to GitHub Container Registry. Drop into any containerized build pipeline.

Multiple Install Paths

Homebrew (macOS/Linux), Scoop (Windows), Docker, pre-built binaries, or build from source with Go. Pick what fits your stack.

Get Started in Minutes

01 Install
brew install think-ahead-technologies/tap/kunnus

Also available via Scoop, Docker, and pre-built binaries.

02 Scan
kunnus sbom

Scans the current directory recursively and prints a summary.

03 Export
kunnus sbom --format cyclonedx-1-5 --output sbom.cdx.json

Saves the full SBOM to a file. Pass --format spdx-2-3 instead for SPDX 2.3 output.
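The summary the scanner prints is for humans; a CI gate also needs a machine check on the exported file. The script below is an added example, not code from kunnus-scanner or the Kunnus project. It reads the CycloneDX 1.4/1.5 or SPDX 2.3 JSON written in step 03, normalises both formats to one component list, counts components per ecosystem from the package URL type, and reports components that lack a purl or a version, since those cannot be matched against OSV or any other advisory feed. It assumes the scanner fills the standard schema fields (CycloneDX `components[].purl`, SPDX `externalRefs` with `referenceType` "purl"); the two SBOM documents embedded in it are constructed samples, not real scanner output.

```python
"""Gate an exported SBOM before it enters a CRA evidence trail.

Added example, not part of kunnus-scanner. Reads the CycloneDX 1.4/1.5 or
SPDX 2.3 JSON that `kunnus sbom --output ...` writes, normalises both
formats to one component list, counts components per ecosystem and lists
components without a purl or version (which advisory matching cannot
resolve). Assumes the standard schema fields are populated. The sample
documents at the bottom are constructed, not real scanner output.
"""
import json
import sys
from collections import Counter


def purl_type(purl):
    """Return the ecosystem of a package URL (pkg:TYPE/NAMESPACE/NAME@VERSION), or None."""
    if not purl or not purl.startswith("pkg:"):
        return None
    rest = purl[len("pkg:"):].lstrip("/")
    return rest.split("/", 1)[0].lower() or None


def _from_cyclonedx(doc):
    # CycloneDX keeps name, version and purl directly on each component.
    for c in doc.get("components", []):
        yield {"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")}


def _from_spdx(doc):
    # SPDX stores the purl as an external reference of type "purl".
    for p in doc.get("packages", []):
        purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield {"name": p.get("name"), "version": p.get("versionInfo"), "purl": purl}


def load_components(text):
    """Parse an SBOM document and return a format-independent component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        if doc.get("specVersion") not in ("1.4", "1.5"):
            raise ValueError(f"unsupported CycloneDX specVersion {doc.get('specVersion')!r}")
        return list(_from_cyclonedx(doc))
    if doc.get("spdxVersion") == "SPDX-2.3":
        return list(_from_spdx(doc))
    raise ValueError("not a CycloneDX 1.4/1.5 or SPDX 2.3 JSON document")


def check_sbom(text):
    """Summarise the SBOM and list components that advisory matching cannot resolve."""
    comps = load_components(text)
    incomplete = [c["name"] or "<unnamed>" for c in comps
                  if not (c["purl"] and c["version"])]
    ecosystems = Counter(purl_type(c["purl"]) for c in comps if c["purl"])
    return {"components": len(comps),
            "ecosystems": dict(ecosystems),
            "incomplete": incomplete}


# Constructed sample documents (hypothetical package names, not real scanner output).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "github.com/example/router", "version": "v1.8.1",
         "purl": "pkg:golang/github.com/example/router@v1.8.1"},
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "left-pad"},  # no version, no purl: cannot be matched
    ],
})

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "my-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-router", "name": "github.com/example/router",
         "versionInfo": "v1.8.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:golang/github.com/example/router@v1.8.1"}]},
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests", "versionInfo": "2.32.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.32.3"}]},
        {"SPDXID": "SPDXRef-Package-left-pad", "name": "left-pad", "versionInfo": "1.3.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
    ],
})


if __name__ == "__main__":
    # Usage: python sbom_gate.py sbom.cdx.json   (exits 1 if any component is incomplete)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else CYCLONEDX_SAMPLE
    report = check_sbom(text)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["incomplete"] else 0)
```

Run it on the file from step 03 as a pipeline step after the scan; a non-zero exit blocks the upload, which keeps SBOMs with unresolvable components out of the compliance record instead of silently producing zero findings for them.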

GitHub Actions

Add SBOM generation to any workflow in two steps. The snippet below references the actions at @main; for a reproducible build, pin them to a release tag or a full commit SHA instead, as you would for any third-party action.

.github/workflows/sbom.yml
- name: Generate SBOM
  uses: think-ahead-technologies/kunnus-scanner/actions/sbom@main
  with:
    output: sbom.spdx.json

- name: Upload to Kunnus
  uses: think-ahead-technologies/kunnus-scanner/actions/upload@main
  with:
    file: sbom.spdx.json
    api-key: ${{ secrets.KUNNUS_API_KEY }}
    component-id: ${{ vars.KUNNUS_COMPONENT_ID }}
    version: ${{ github.ref_name }}

Need More Than SBOM Generation?

kunnus-scanner generates the SBOM. The Kunnus platform takes it from there: continuous vulnerability monitoring across all your products, automated CVE alerting, structured CRA documentation, and the audit trail you need for market surveillance authorities.

Apache 2.0 Licensed

kunnus-scanner is free to use, modify, and distribute. Built on Google's osv-scalibr. Contributions welcome.

View Source on GitHub