Protobomit is a command line tool designed to manage Software Bill of Materials (SBOM) by adding in-toto attestations as an external references.

• Generate a new SBOM with associated attestations
• Verify SBOM provenance
• Add in-toto attestations as external references to SBOMs
• Support for CycloneDX and SPDX SBOM formats

To install protobomit, you need to have Go installed on your machine. You can download it from the official Go Downloads page.

Once Go is installed, you can install Protobomit by running:

go get github.com/testifysec/protobomit  

To generate a new SBOM with associated attestations:

./protobomit generate --sbom <path-to-sbom> --attestation <path-to-attestation> --policy <path-to-policy> --publicKey <path-to-public-key>  

To contribute to the development of Protobomit, you can clone the repository:

git clone https://github.com/testifysec/protobomit.git  

Navigate to the cloned repository:

cd protobomit  

Run tests:

go test ./...  

Protobomit is licensed under [Apache 2.0]](LICENSE).

Contributions are welcome.

For any inquiries or issues, please open an issue on the Protobomit GitHub repository.