Dependency SBOM Auditor avatar

Dependency SBOM Auditor

Pricing

Pay per usage

Try for free
Go to Apify Store
Dependency SBOM Auditor

Dependency SBOM Auditor

Try for free

Parse a dependency manifest (package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, composer.json) from text or a public raw URL into a clean dependency list + a CycloneDX SBOM (JSON). Deterministic, no AI. Optional free keyless OSV.dev advisory enrichment. SSRF-guarded.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Ahmed Moussa

Ahmed Moussa

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

10 hours ago

Last modified

Categories

Developer tools

Share

Turn any dependency manifest into a clean dependency list and a CycloneDX-style SBOM (JSON) — fully deterministic, pure code, no AI.

What it does

Give it a manifest as pasted text (manifest_text) or a public raw URL (manifest_url) and it:

  1. Auto-detects the ecosystem (or you force it with manifest_type).
  2. Parses the dependencies deterministically.
  3. Returns a normalized component list (
    {name, version, version_spec, pinned, ecosystem, scope}
    ) plus a CycloneDX 1.5 SBOM (sbom) with PURLs.
  4. Optionally enriches pinned dependencies with known vulnerabilities from the free, keyless public OSV.dev API (check_advisories: true, off by default, hard-capped at 50 lookups/run).

Supported manifests

manifest_typeFile
npmpackage.json
piprequirements.txt
pyprojectpyproject.toml (PEP 621 + Poetry)
gomodgo.mod
cargoCargo.toml
gemGemfile
composercomposer.json
autodetect from URL filename / content

Cost & safety

  • SBOM / dependency listing is pure parsing — $0, fully deterministic, no AI, no paid API.
  • Advisory enrichment is optional and uses only the free, keyless public OSV.dev API (no API key, no paid feed), bounded to 50 lookups/run.
  • Any URL fetch (manifest URL or OSV) goes through an always-on SSRF guard (private/loopback/reserved-IP block, fail-closed) with hard size/time caps.

Input

{
  "manifest_text": "{\n  \"dependencies\": { \"lodash\": \"^4.17.0\" }\n}",
  "manifest_type": "auto",
  "check_advisories": false
}

or

{
  "manifest_url": "https://raw.githubusercontent.com/pallets/flask/main/pyproject.toml",
  "check_advisories": true
}

Output (one dataset record)

{
  "status": "ok",
  "manifest_type": "npm",
  "ecosystem": "npm",
  "component_count": 1,
  "components": [
    {"name": "lodash", "version": "4.17.0", "version_spec": "^4.17.0",
     "pinned": "4.17.0", "ecosystem": "npm", "scope": "required"}
  ],
  "sbom": { "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [ ... ] }
}

Use cases

  • Generate a CycloneDX SBOM for a repo from its manifest — for compliance or audit.
  • Quick dependency inventory across many ecosystems with one tool.
  • Optional vulnerability triage via free OSV.dev advisories (no key, no paid feed).

How it works (deterministic, code-only)

The manifest is read from text or fetched (SSRF-guarded) from a raw URL, the ecosystem is auto-detected or forced, and dependencies are parsed deterministically into a normalized component list + a CycloneDX 1.5 SBOM with PURLs. Advisory enrichment, when enabled, queries the keyless public OSV.dev API (bounded).

Limitations (honest)

  • Parses declared manifest dependencies, not a fully resolved lockfile graph.
  • OSV advisory lookups require pinned versions and are capped at 50 per run.
  • Advisory enrichment is opt-in (check_advisories: true); SBOM-only is the $0 default.

You might also like

OD

OSS Dependency Risk Report — Bus Factor, CVEs & SBOM Compliance

ryanclinton/oss-dependency-risk-report

Analyze the risk profile of any open-source package or repository by querying 7 data sources in parallel — GitHub repositories, NVD CVE vulnerabilities, CISA Known Exploited Vulnerabilities (KEV), StackExchange discussions, Hacker News mentions, Federal Register SBOM regulations, and Congress...

User avatar

Ryan Clinton

2

CVE Vulnerability Lookup (NIST NVD) avatar

CVE Vulnerability Lookup (NIST NVD)

automation-lab/cve-vulnerability-lookup

Query the NIST NVD for CVE details — lookup by CVE ID, keyword, or CPE product. Returns CVSS scores, descriptions, CWE IDs, affected software, and patch links. No API key required.

User avatar

Stas Persiianenko

4

Open Source Software Supply Chain MCP Server avatar

Open Source Software Supply Chain MCP Server

ryanclinton/open-source-software-supply-chain-mcp

OSS dependency risk and SBOM compliance intelligence for application security teams, engineering leadership, and procurement.

User avatar

Ryan Clinton

2

OSV Open Source Vulnerabilities Scraper avatar

OSV Open Source Vulnerabilities Scraper

parseforge/osv-vulnerabilities-scraper

Query the OSV.dev open-source vulnerabilities database. Search by package (PyPI/npm/Go/Maven/RubyGems/crates.io/NuGet/Packagist), commit hash, or fetch a specific vulnerability by ID. Returns affected ranges, CVE aliases, severity, and references.

User avatar

ParseForge

2

NPM Package Scraper – Download Stats, Deps, Versions avatar

NPM Package Scraper – Download Stats, Deps, Versions

logiover/npm-package-intelligence-scraper

Scrape NPM package download stats, dependencies and versions. NPM API alternative and registry data export to CSV/JSON. No token, no login.

User avatar

Logiover

2

RubyGems Scraper | Ruby Package Registry and Stats avatar

RubyGems Scraper | Ruby Package Registry and Stats

parseforge/rubygems-scraper

Scrape RubyGems package registry data including gem names, versions, downloads, authors, dependencies, runtime requirements, source code repositories, project URLs, and release dates. Extract metadata for monitoring, security audits, and developer ecosystem analysis

User avatar

ParseForge

2

Crates.io Rust Crates Scraper avatar

Crates.io Rust Crates Scraper

parseforge/crates-io-rust-scraper

Search crates.io, the Rust package registry. Returns crate name, version, description, repository, homepage, documentation, license, downloads, recent downloads, last updated, categories, keywords, owner team, dependencies, and yank status. Search by keyword or look up specific crates by name.

User avatar

ParseForge

2

Packagist PHP Packages Scraper avatar

Packagist PHP Packages Scraper

parseforge/packagist-php-packages-scraper

Scrape PHP package metadata from Packagist public API. Get package name, vendor, description, latest version, downloads, dependencies, repository, license. No API key required.

User avatar

ParseForge

2

UI/UX Auditor avatar

UI/UX Auditor

lenient_grove/ai-ux-auditor-apify

🚀 Ultimate AI based UI/UX Auditor for Website : Comprehensive analysis covering UX/UI, performance, accessibility, SEO, mobile, conversion & tech stack. AI-powered insights with 7 analysis types. Perfect for agencies & developers! #ai, #ux-analysis, seo, accessibility, #performance, #web-scraping

User avatar

Tejas Rawool

74

1.9

(2)

N&

npm & PyPI Package Tracker — Metadata + Downloads

agency-shift/npm-pypi-package-tracker

Track npm and PyPI packages. Get metadata, download stats, version history, and dependency info. For developer tools research and open source intelligence.

User avatar

Valdeir Lima

2

PyPI Packages Scraper avatar

PyPI Packages Scraper

parseforge/pypi-packages-scraper

Pull Python package data from PyPI. Returns name, version, summary, description, classifiers, license, author, project URLs (homepage, source, issues, docs), Python version requirement, dependencies, release history, last upload, and total release count. Direct lookup by package name.

User avatar

ParseForge

2