For mgpy, a good SBOM is more than an export format. It links the packages that are actually installed, license visibility and supply-chain transparency into a single auditable artifact.
Key points
- CLI: On Windows the examples use the recommended py -3.12 -m <module> ... form (for example py -3.12 -m manifestguard ...). On Linux/macOS this usually maps to python3.12 -m ....
- The SBOM must match the actually built artifacts and their versions.
- Missing licenses or unclear origin entries make an SBOM weak for real release approval.
- SBOM generation should be part of the release path, not a manual exception.
Recommended mgpy workflow
- Pick an SBOM format that can be processed in the target environment.
- Cross-check the output against pip freeze, build artifacts and package metadata.
- Repeat the same SBOM generation on every release so comparisons stay meaningful.
Quick start
py -3.12 -m manifestguard sbom --format spdx --output sbom.spdx.json
py -3.12 -m manifestguard sbom --format cyclonedx --output sbom.cdx.json
py -3.12 -m manifestguard check --extended
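The cross-check step recommended above, as an added example that is not part of mgpy or manifestguard: it reads a CycloneDX JSON document and pip freeze output (both constructed inline here, the SBOM only shaped like a generator's output) and reports installed packages missing from the SBOM, version mismatches, and components with no license entry.

```python
import json
from typing import Dict, List

# Constructed sample CycloneDX JSON, shaped as a generator could emit it
# (not manifestguard's actual output); certifi deliberately lacks a license.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "certifi", "version": "2023.7.22"},
    ],
})

# Constructed sample of `pip freeze` output from the build environment.
SAMPLE_FREEZE = """\
certifi==2023.7.22
charset-normalizer==3.3.2
requests==2.31.0
urllib3==2.1.0
"""

def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version from pip freeze lines."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # comments, editable installs and VCS pins are skipped
        name, version = line.split("==", 1)
        pins[name.lower().replace("_", "-")] = version  # PEP 503 style name
    return pins

def check_sbom(sbom_json: str, freeze_text: str) -> Dict[str, List[str]]:
    """Return the discrepancies a reviewer must resolve before approving the SBOM."""
    installed = parse_freeze(freeze_text)
    findings = {"missing_from_sbom": [], "version_mismatch": [], "no_license": []}
    seen = set()
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"].lower().replace("_", "-"), comp.get("version")
        seen.add(name)
        if not comp.get("licenses"):  # unclear origin/license weakens approval
            findings["no_license"].append(name)
        if name in installed and installed[name] != version:
            findings["version_mismatch"].append(f"{name}: sbom={version} installed={installed[name]}")
    findings["missing_from_sbom"] = sorted(set(installed) - seen)
    return findings
```

Run it against the real files by feeding `check_sbom(open("sbom.cdx.json").read(), subprocess.check_output([sys.executable, "-m", "pip", "freeze"], text=True))`; any non-empty list is a release blocker, not a warning.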