
SBOM

Each release publishes two CycloneDX SBOMs.

Python distribution SBOM

Attached to the GitHub Release as sbom-python.cdx.json. Generated by cyclonedx-py from the uv.lock-resolved environment at build time.

Inspect:

gh release download v1.0.0 -p 'sbom-python.cdx.json' -R klein-business/legal-text-mcp-de
jq '.components | length' sbom-python.cdx.json
jq '.components[] | {name, version, purl}' sbom-python.cdx.json

OCI image SBOM

Attached as a cosign attestation to the GHCR image. Generated by syft.

Inspect:

cosign download attestation \
  --predicate-type "https://cyclonedx.org/bom" \
  ghcr.io/klein-business/legal-text-mcp-de:v1.0.0 \
  | jq -r '.payload' | base64 -d | jq '.predicate.components | length'
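The jq pipeline above walks a DSSE envelope: the attestation's `payload` is a base64-encoded in-toto Statement whose `predicate` is the CycloneDX document. As an added example (not part of this project's tooling), the following Python does the same decoding and adds the two checks a consumer should make before trusting the contents: that `predicateType` is the CycloneDX type requested above, and that the statement's subject digest equals the image digest you actually pulled. The envelope, digest and components are constructed placeholders. Note that `cosign download attestation` fetches without verifying signatures; this code likewise only decodes, and signature verification belongs to `cosign verify-attestation`.

```python
import base64
import json

CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"

# Constructed sample: a minimal in-toto Statement of the shape cosign wraps
# in a DSSE envelope. The digest is a placeholder, not a real image digest.
PLACEHOLDER_DIGEST = "0" * 64
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": CYCLONEDX_PREDICATE_TYPE,
    "subject": [
        {
            "name": "ghcr.io/klein-business/legal-text-mcp-de",
            "digest": {"sha256": PLACEHOLDER_DIGEST},
        }
    ],
    "predicate": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "fastapi", "version": "0.110.0",
             "purl": "pkg:pypi/fastapi@0.110.0"},
            {"type": "library", "name": "pydantic", "version": "2.6.4",
             "purl": "pkg:pypi/pydantic@2.6.4"},
        ],
    },
}

# Constructed DSSE envelope, one JSON object per line as cosign prints it.
# The signature is a placeholder; nothing here verifies it.
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<placeholder-signature>"}],
})


def extract_sbom(envelope_json: str, expected_digest: str) -> dict:
    """Decode a DSSE envelope and return its CycloneDX predicate.

    Raises ValueError if the payload is not an in-toto statement, is not a
    CycloneDX attestation, or does not attest the image digest the caller
    resolved. Signature verification is deliberately out of scope here.
    """
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != CYCLONEDX_PREDICATE_TYPE:
        raise ValueError(f"not a CycloneDX attestation: {statement.get('predicateType')!r}")
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_digest not in digests:
        raise ValueError("attestation subject does not match the expected image digest")
    bom = statement["predicate"]
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("predicate is not a CycloneDX BOM")
    return bom


def component_count(envelope_json: str, expected_digest: str) -> int:
    """Equivalent of the `.predicate.components | length` step in the jq pipeline."""
    return len(extract_sbom(envelope_json, expected_digest).get("components", []))


if __name__ == "__main__":
    print(component_count(SAMPLE_ENVELOPE, PLACEHOLDER_DIGEST))
```

In real use, `expected_digest` is the `sha256` digest of the image you pulled (from your container runtime or registry), so that an attestation for a different image build is rejected even though it decodes cleanly.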

Why we publish SBOMs

Compliance: many enterprise procurement processes require SBOMs.

Supply-chain audit: SBOMs let downstream users programmatically verify that the artefacts they consume match the dependencies they audited.
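The audit use case means diffing a release SBOM against the set of dependencies a reviewer already signed off on. As an added example (not part of this project), the following Python compares the purls in a CycloneDX JSON document (the format both `cyclonedx-py` and `syft -o cyclonedx-json` emit) against an audited baseline and reports components that are new, version-changed, or gone. The SBOM and baseline are constructed samples; in practice the baseline is the purl set exported from the previously audited SBOM.

```python
import json

# Constructed sample: a trimmed CycloneDX SBOM with only the fields the
# comparison needs. Not a real release SBOM of this project.
CURRENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "fastapi", "version": "0.110.0",
         "purl": "pkg:pypi/fastapi@0.110.0"},
        {"type": "library", "name": "pydantic", "version": "2.7.0",
         "purl": "pkg:pypi/pydantic@2.7.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed baseline: purls a reviewer signed off on earlier.
AUDITED_PURLS = {
    "pkg:pypi/fastapi@0.110.0",
    "pkg:pypi/pydantic@2.6.4",
    "pkg:pypi/uvicorn@0.29.0",
}


def purl_base(purl: str) -> str:
    """Strip version, qualifiers and subpath: 'pkg:pypi/x@1.0?q=1#sub' -> 'pkg:pypi/x'."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    return core.rsplit("@", 1)[0] if "@" in core else core


def load_purls(sbom_json: str) -> set[str]:
    """Return the purls of every component in a CycloneDX JSON SBOM.

    Components without a purl get a synthetic pkg:generic/<name>@<version>
    so they are compared rather than silently dropped.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: {bom.get('bomFormat')!r}")
    purls = set()
    for comp in bom.get("components", []):
        purl = comp.get("purl") or f"pkg:generic/{comp['name']}@{comp.get('version', '')}"
        purls.add(purl)
    return purls


def compare(sbom_json: str, audited: set[str]) -> dict:
    """Diff an SBOM against an audited baseline.

    'new' and 'changed' entries need a fresh review; 'removed' is
    informational. 'ok' is True only when nothing needs review.
    """
    current = {purl_base(p): p for p in load_purls(sbom_json)}
    baseline = {purl_base(p): p for p in audited}
    new = sorted(current[b] for b in current.keys() - baseline.keys())
    removed = sorted(baseline[b] for b in baseline.keys() - current.keys())
    changed = sorted(
        (b, baseline[b], current[b])
        for b in current.keys() & baseline.keys()
        if current[b] != baseline[b]
    )
    return {"new": new, "removed": removed, "changed": changed,
            "ok": not new and not changed}


if __name__ == "__main__":
    report = compare(CURRENT_SBOM, AUDITED_PURLS)
    for key in ("new", "changed", "removed"):
        for entry in report[key]:
            print(f"{key}: {entry}")
    # Non-zero exit makes this usable as a CI gate on release SBOMs.
    raise SystemExit(0 if report["ok"] else 1)
```

Matching on the version-less purl base is what lets the report distinguish a version bump of an already-audited package from an entirely new dependency; both still fail the gate, but the reviewer sees which review is needed.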

Local development

To inspect or regenerate the SBOMs locally:

Python SBOM

uv run --group dev cyclonedx-py environment \
  --output-format json \
  --output-file sbom-python.cdx.json

OCI SBOM

Requires syft installed locally (and cosign, for the attestation commands above). Install via Homebrew:

brew install syft cosign

Then:

syft ghcr.io/klein-business/legal-text-mcp-de:v1.0.0 -o cyclonedx-json > sbom-oci.cdx.json

For pre-release / locally-built images, replace the image reference.