Supported Languages and Artifacts

When analyzing source code, SBOM generators are fairly flexible. Manifest generally supports any language. There are many different combinations of languages, package managers, and source artifacts that play into how you generate SBOMs. Manifest offers our CLI and integrations to automate orchestration of SBOM Generators for you. The Manifest-CLI and many of our integrations wrap around multiple open source SBOM Generators.

Manifest gives users the ability to easily generate SBOMs via a simple command and supports a wide variety of software ecosystems. These include:

Fully Supported Software Environments

• Alpine - Package management via apk
• Archive Files - From TAR to SquashFS
• Binaries - A variety of Binary forms
• C/C++ - Via Conan package manager
• C++ - Without a package manager
• Dart - Flutter and Dart projects
• Debian - Package management via apt
• Disk Images - For OS Images and for Embedded Systems
• Elixir - Mix and Hex package management
• Erlang - Rebar and Hex package management
• Go - Go modules and vendor directories
• Haskell - Cabal and Stack projects
• Java - Maven, Gradle, and JAR files
• JavaScript/Node.js - npm, yarn, pnpm projects
• Jenkins Plugins - Jenkins plugin manifests
• .NET/C# - NuGet packages and project files
• Nix - Nix package manager and build system
• PHP - Composer and PEAR packages
• Python - pip, Poetry, conda environments
• Red Hat - RPM package management
• Ruby - Gem and Bundler package management
• Rust - Cargo.toml and lock files
• Swift - Swift Package Manager
• And many others - Additional language support available

Specialized Workflows

There are some edge cases that require a little bit more orchestration. Manifest's goal is to automate the end-to-end SBOM process for analysis of software and AI risks. Some of these workflows currently require some user intervention or commands to unpack certain types of artifacts, and we provide guidance on how to do it in the following scenarios: