SBOM Coverage for PyPI Packages
Detected by parsing file content (not file extensions)
Schema validation against CycloneDX / SPDX specs
File format breakdown (JSON, XML, tag-value)
Sigstore-based provenance verification per wheel
CI/CD platform that signed the attestation
| Package | Version | Platform | SBOM | Time |
|---|---|---|---|---|
Each package version ships multiple wheels (one per platform/Python version). The table above shows SBOM coverage at the individual wheel level.
The Transparency Exchange API (TEA) is an open standard for discovering SBOMs. You can query this server using tea-cli:
```bash
# Install the TEA CLI
$ pip install libtea[cli]

# Inspect a PyPI package — discovers SBOMs via TEA in one shot
$ tea-cli inspect "urn:tei:purl:pypi.sbomify.com:pkg:pypi/[email protected]"

# Search for a specific package version by PURL
$ tea-cli search-releases --id-type PURL \
    --id-value "pkg:pypi/[email protected]" --domain pypi.sbomify.com

# Filter by platform — only get SBOMs for Linux x86_64 wheels
$ tea-cli search-releases --id-type PURL \
    --id-value "pkg:pypi/[email protected]?os=linux&arch=x86_64" --domain pypi.sbomify.com
```
Also available as a Python library:

```python
from libtea import TeaClient
```
Platform filtering: Add ?os=linux&arch=x86_64 qualifiers to a PURL to get SBOMs only for matching wheels.
Supported OS values: linux, darwin/macos, windows.
Supported arch values: x86_64/amd64, aarch64/arm64, i686, ppc64le, s390x.
Pure-python wheels are always included.
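The qualifier semantics above (alias normalisation, os/arch matching, pure-python wheels always included) are easy to get subtly wrong when a consumer reconciles a TEA response against the wheels actually present on an index. The following is an added example, not sbomify's or libtea's code: it parses the `?os=...&arch=...` qualifiers off a PURL, classifies PEP 427 wheel filenames by platform tag, and applies the filter locally so you can check that every wheel you expect an SBOM for is in scope. The canonical os/arch names, the `wheel_platform`/`select_wheels` helpers and the `example-pkg` wheel set are all constructed for the example.

```python
# Added example (not sbomify's or libtea's code): reproduce the os/arch
# qualifier filtering described above over a list of wheel filenames.
from urllib.parse import parse_qs

# Alias tables for the qualifier values the page lists. The canonical form
# on the right-hand side is an assumption of this example, not the server's.
OS_ALIASES = {"linux": "linux", "darwin": "darwin", "macos": "darwin",
              "windows": "windows"}
ARCH_ALIASES = {"x86_64": "x86_64", "amd64": "x86_64",
                "aarch64": "aarch64", "arm64": "aarch64",
                "i686": "i686", "ppc64le": "ppc64le", "s390x": "s390x"}


def parse_purl_qualifiers(purl):
    """Split 'pkg:type/name@ver?k=v&k2=v2#sub' into (base, {k: v}).

    Unsupported os/arch values raise ValueError instead of silently
    matching nothing, which would look like "no SBOMs for this platform".
    """
    base, _, rest = purl.partition("?")
    query = rest.split("#", 1)[0]                 # drop any subpath
    quals = {k: v[0] for k, v in parse_qs(query).items()}
    if "os" in quals and quals["os"] not in OS_ALIASES:
        raise ValueError(f"unsupported os qualifier: {quals['os']}")
    if "arch" in quals and quals["arch"] not in ARCH_ALIASES:
        raise ValueError(f"unsupported arch qualifier: {quals['arch']}")
    return base, quals


def wheel_platform(filename):
    """Map a PEP 427 wheel filename to (os, arch); ('any', 'any') if pure-python."""
    if not filename.endswith(".whl"):
        raise ValueError(f"not a wheel: {filename}")
    parts = filename[:-4].split("-")              # name-version[-build]-py-abi-platform
    if len(parts) not in (5, 6):
        raise ValueError(f"malformed wheel filename: {filename}")
    platform_tag = parts[-1]
    if platform_tag == "any":
        return ("any", "any")
    tag = platform_tag.split(".")[0]              # compressed tag sets: first tag decides
    if tag.startswith("win"):
        os_name = "windows"
    elif tag.startswith("macosx"):
        os_name = "darwin"
    elif "linux" in tag:                          # manylinux*, musllinux*, linux_*
        os_name = "linux"
    else:
        os_name = "unknown"
    if tag == "win32":                            # the one tag without an arch suffix
        return (os_name, "i686")
    for alias, canonical in ARCH_ALIASES.items():
        if tag.endswith("_" + alias):
            return (os_name, canonical)
    return (os_name, "unknown")


def select_wheels(filenames, os_qualifier=None, arch_qualifier=None):
    """Return the wheels matching the qualifiers; pure-python wheels are always kept."""
    want_os = OS_ALIASES[os_qualifier] if os_qualifier else None
    want_arch = ARCH_ALIASES[arch_qualifier] if arch_qualifier else None
    selected = []
    for name in filenames:
        wheel_os, wheel_arch = wheel_platform(name)
        if wheel_os == "any":
            selected.append(name)                 # pure-python: matches every platform
            continue
        if want_os and wheel_os != want_os:
            continue
        if want_arch and wheel_arch != want_arch:
            continue
        selected.append(name)
    return selected


def wheels_for_purl(purl, filenames):
    """Apply the PURL's os/arch qualifiers to a list of wheel filenames."""
    _, quals = parse_purl_qualifiers(purl)
    return select_wheels(filenames, quals.get("os"), quals.get("arch"))


# Constructed wheel set for a hypothetical package 'example-pkg' 1.0.0.
SAMPLE_WHEELS = [
    "example_pkg-1.0.0-py3-none-any.whl",
    "example_pkg-1.0.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
    "example_pkg-1.0.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl",
    "example_pkg-1.0.0-cp312-cp312-macosx_11_0_arm64.whl",
    "example_pkg-1.0.0-cp312-cp312-win_amd64.whl",
    "example_pkg-1.0.0-cp312-cp312-win32.whl",
]

if __name__ == "__main__":
    for purl in ("pkg:pypi/example-pkg@1.0.0?os=linux&arch=x86_64",
                 "pkg:pypi/example-pkg@1.0.0?os=macos&arch=arm64",
                 "pkg:pypi/example-pkg@1.0.0?os=windows"):
        print(purl)
        for wheel in wheels_for_purl(purl, SAMPLE_WHEELS):
            print("   ", wheel)
```

Running it lists, for each PURL, the pure-python wheel plus only the binary wheels whose platform tag matches; a query with an unknown qualifier value fails loudly. Comparing this local selection against the releases a TEA query returns for the same PURL is a quick way to spot wheels that lack an SBOM or qualifier values the server interprets differently.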