# Dependency SBOM Auditor (`timely_quarterstaff/dependency-sbom-auditor`) Actor Parse a dependency manifest (package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, composer.json) from text or a public raw URL into a clean dependency list + a CycloneDX SBOM (JSON). Deterministic, no AI. Optional free keyless OSV.dev advisory enrichment. SSRF-guarded. - **URL**: https://apify.com/timely\_quarterstaff/dependency-sbom-auditor.md - **Developed by:** [Ahmed Moussa](https://apify.com/timely_quarterstaff) (community) - **Categories:** Developer tools - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Dependency SBOM Auditor Turn any dependency manifest into a clean dependency list **and** a CycloneDX-style SBOM (JSON) — fully deterministic, pure code, no AI. ### What it does Give it a manifest as **pasted text** (`manifest_text`) or a **public raw URL** (`manifest_url`) and it: 1. **Auto-detects** the ecosystem (or you force it with `manifest_type`). 2. **Parses** the dependencies deterministically. 3. Returns a **normalized component list** (`{name, version, version_spec, pinned, ecosystem, scope}`) plus a **CycloneDX 1.5 SBOM** (`sbom`) with PURLs. 4. **Optionally** enriches pinned dependencies with known vulnerabilities from the free, keyless public [OSV.dev](https://osv.dev) API (`check_advisories: true`, off by default, hard-capped at 50 lookups/run). ### Supported manifests | `manifest_type` | File | |---|---| | `npm` | `package.json` | | `pip` | `requirements.txt` | | `pyproject` | `pyproject.toml` (PEP 621 + Poetry) | | `gomod` | `go.mod` | | `cargo` | `Cargo.toml` | | `gem` | `Gemfile` | | `composer` | `composer.json` | | `auto` | detect from URL filename / content | ### Cost & safety - **SBOM / dependency listing is pure parsing — $0**, fully deterministic, no AI, no paid API. - **Advisory enrichment is optional** and uses **only** the **free, keyless** public OSV.dev API (no API key, no paid feed), bounded to 50 lookups/run. - Any URL fetch (manifest URL or OSV) goes through an **always-on SSRF guard** (private/loopback/reserved-IP block, fail-closed) with hard size/time caps. ### Input ```json { "manifest_text": "{\n \"dependencies\": { \"lodash\": \"^4.17.0\" }\n}", "manifest_type": "auto", "check_advisories": false } ```` or ```json { "manifest_url": "https://raw.githubusercontent.com/pallets/flask/main/pyproject.toml", "check_advisories": true } ``` ### Output (one dataset record) ```json { "status": "ok", "manifest_type": "npm", "ecosystem": "npm", "component_count": 1, "components": [ {"name": "lodash", "version": "4.17.0", "version_spec": "^4.17.0", "pinned": "4.17.0", "ecosystem": "npm", "scope": "required"} ], "sbom": { "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [ ... ] } } ``` # Actor input Schema ## `manifest_text` (type: `string`): Paste the raw contents of a dependency manifest (package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, composer.json). Provide this OR 'manifest\_url'. ## `manifest_url` (type: `string`): Optional. A public raw URL to a manifest file (e.g. a raw.githubusercontent.com link). Fetched through an always-on SSRF guard. Provide this OR 'manifest\_text'. ## `manifest_type` (type: `string`): Manifest ecosystem. 'auto' detects from content/URL. Otherwise force a parser. ## `check_advisories` (type: `boolean`): Optional. If true, enrich each pinned dependency with known vulnerabilities from the FREE, keyless public OSV.dev API. Bounded (hard cap on lookups). Uses NO API key and NO paid feed. Default false (SBOM-only is fully deterministic and $0). ## Actor input object example ```json { "manifest_url": "https://raw.githubusercontent.com/pallets/flask/main/pyproject.toml", "manifest_type": "auto", "check_advisories": false } ``` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "manifest_url": "https://raw.githubusercontent.com/pallets/flask/main/pyproject.toml" }; // Run the Actor and wait for it to finish const run = await client.actor("timely_quarterstaff/dependency-sbom-auditor").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "manifest_url": "https://raw.githubusercontent.com/pallets/flask/main/pyproject.toml" } # Run the Actor and wait for it to finish run = client.actor("timely_quarterstaff/dependency-sbom-auditor").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "manifest_url": "https://raw.githubusercontent.com/pallets/flask/main/pyproject.toml" }' | apify call timely_quarterstaff/dependency-sbom-auditor --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=timely_quarterstaff/dependency-sbom-auditor", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Dependency SBOM Auditor", "description": "Parse a dependency manifest (package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, composer.json) from text or a public raw URL into a clean dependency list + a CycloneDX SBOM (JSON). Deterministic, no AI. Optional free keyless OSV.dev advisory enrichment. SSRF-guarded.", "version": "0.1", "x-build-id": "rIDolu1ReAYtAULro" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/timely_quarterstaff~dependency-sbom-auditor/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-timely_quarterstaff-dependency-sbom-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/timely_quarterstaff~dependency-sbom-auditor/runs": { "post": { "operationId": "runs-sync-timely_quarterstaff-dependency-sbom-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/timely_quarterstaff~dependency-sbom-auditor/run-sync": { "post": { "operationId": "run-sync-timely_quarterstaff-dependency-sbom-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "manifest_text": { "title": "Manifest text", "type": "string", "description": "Paste the raw contents of a dependency manifest (package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, composer.json). Provide this OR 'manifest_url'." }, "manifest_url": { "title": "Manifest URL", "type": "string", "description": "Optional. A public raw URL to a manifest file (e.g. a raw.githubusercontent.com link). Fetched through an always-on SSRF guard. Provide this OR 'manifest_text'." }, "manifest_type": { "title": "Manifest type", "enum": [ "auto", "npm", "pip", "pyproject", "gomod", "cargo", "gem", "composer" ], "type": "string", "description": "Manifest ecosystem. 'auto' detects from content/URL. Otherwise force a parser.", "default": "auto" }, "check_advisories": { "title": "Check advisories (OSV.dev, free + keyless)", "type": "boolean", "description": "Optional. If true, enrich each pinned dependency with known vulnerabilities from the FREE, keyless public OSV.dev API. Bounded (hard cap on lookups). Uses NO API key and NO paid feed. Default false (SBOM-only is fully deterministic and $0).", "default": false } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```