Modern applications reach far beyond declared dependencies: AI SDKs, ML models, and third-party SaaS APIs. Traditional BOM tools only read manifest files like requirements.txt or pom.xml. xBom analyzes your source code to find what your application actually uses, for a more accurate SBOM.

What xBom does

Beyond manifests

Finds real evidence of AI SDKs, cloud APIs, and crypto in your code, not just declared packages.

Extensible signatures

Community-driven signatures detect components; add your own for proprietary tools.

CycloneDX output

Produces standard CycloneDX BOMs for compliance and tooling.

Multi-ecosystem

Supports Java and Python today, with JavaScript in progress.

Get started

xBom Quickstart

Generate your first xBOM.

CycloneDX SBOM

Generate a standard SBOM with Vet.

What is an SBOM?

SBOM versus xBOM, explained.

Contribute signatures

Add detections for new components.