A command-line tool for interacting with the Trustify API. Built for DevSecOps teams who need to keep their software supply chain clean and organized.
```bash
# Set up your credentials once
cat > .env << EOF
TRUSTIFY_URL=https://trustify.example.com
TRUSTIFY_SSO_URL=https://sso.example.com/realms/trustify
TRUSTIFY_CLIENT_ID=my-client
TRUSTIFY_CLIENT_SECRET=my-secret
EOF

# Find all duplicate SBOMs (same document_id, different versions)
trustify sbom duplicates find

# Preview what would be deleted
trustify sbom duplicates delete --dry-run

# Clean them up!
trustify sbom duplicates delete
```

Result: Thousands of duplicate SBOMs cleaned up in seconds with concurrent API requests and automatic retry handling.

- 🔍 Duplicate detection — Find and remove duplicate SBOMs by document ID
- 🔐 Seamless auth — OAuth2 with automatic token refresh
- 🔄 Resilient — Auto-retry on timeouts and transient failures
- 📦 SBOM management — List, get, and delete with flexible output formats

```bash
# Clone the repository
git clone https://github.com/ruromero/trustify-cli.git
cd trustify-cli

# Build
cargo build --release

# The binary will be at ./target/release/trustify
```

```bash
# Use your .env file with the container
docker run --rm --env-file .env ghcr.io/ruromero/trustify-cli sbom list

# For commands that write files, mount a volume
docker run --rm --env-file .env -v "$(pwd)":/data \
  ghcr.io/ruromero/trustify-cli sbom duplicates find --output /data/duplicates.json
```

Create a `.env` file in your working directory:

```
TRUSTIFY_URL=https://trustify.example.com
TRUSTIFY_SSO_URL=https://sso.example.com/realms/trustify
TRUSTIFY_CLIENT_ID=my-client
TRUSTIFY_CLIENT_SECRET=my-secret
```

That's it! The CLI automatically loads credentials and handles OAuth2 token management.

Tip: You can also use CLI arguments (`-u`, `--sso-url`, etc.) or shell environment variables. CLI args take priority over env vars, which take priority over `.env` files.

```text
-u, --url <URL>                      Trustify API URL (required)
    --sso-url <SSO_URL>              SSO URL for authentication
    --client-id <CLIENT_ID>          OAuth2 Client ID
    --client-secret <CLIENT_SECRET>  OAuth2 Client Secret
-h, --help                           Print help
-V, --version                        Print version
```

Get an OAuth2 access token for use with other tools.

```bash
TOKEN=$(trustify auth token)
curl -H "Authorization: Bearer $TOKEN" "$TRUSTIFY_URL/api/v2/sbom"
```

Get an SBOM by ID (returns raw JSON).

```bash
trustify sbom get urn:uuid:abc123
```

List SBOMs with filtering, pagination, and output formatting.

```bash
trustify sbom list                           # Full JSON
trustify sbom list --format id               # Just IDs
trustify sbom list --query "name=my-app"     # Filter by name
trustify sbom list --limit 10 --offset 20    # Pagination
trustify sbom list --sort "published:desc"   # Sort by date
```

Format options: `id` | `name` | `short` | `full` (default)

Delete an SBOM by ID.

```bash
trustify sbom delete --id urn:uuid:abc123
trustify sbom delete --id urn:uuid:abc123 --dry-run   # Preview only
```

Scan all SBOMs and find duplicates by `document_id`. Keeps the most recent version, marks others as duplicates.

```bash
trustify sbom duplicates find                     # Default: 4 workers, saves to duplicates.json
trustify sbom duplicates find -j 8                # Faster with 8 concurrent workers
trustify sbom duplicates find -b 500 -j 8         # Larger batches + more workers
trustify sbom duplicates find --output out.json   # Custom output file
```

Output file format:

```json
[
  {
    "document_id": "urn:example:sbom-1.0",
    "id": "abc123",                        // ← Keep this one (most recent)
    "published": "2025-01-10T12:00:00Z",
    "duplicates": ["def456", "ghi789"]     // ← Delete these
  }
]
```

Delete the duplicates found by `find`. Always preview with `--dry-run` first!

```bash
trustify sbom duplicates delete --dry-run          # Preview what will be deleted
trustify sbom duplicates delete                    # Delete all duplicates
trustify sbom duplicates delete -j 16              # Faster with 16 concurrent requests
trustify sbom duplicates delete --input out.json   # Use custom input file
```
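
Because the delete step acts on whatever the input file lists, it can be worth checking that file before running it. The script below is an added example, not part of trustify-cli: it reads the output format shown above and flags IDs that one entry keeps while another deletes, repeated IDs, and malformed entries. The function name `check_duplicates` and the sample data are hypothetical, and it assumes IDs are plain strings as in that format.

```python
import json
import sys
from collections import Counter

# Constructed sample in the output format shown above (not real data).
# The second entry deliberately conflicts with the first.
SAMPLE = """[
  {"document_id": "urn:example:sbom-1.0", "id": "abc123",
   "published": "2025-01-10T12:00:00Z", "duplicates": ["def456", "ghi789"]},
  {"document_id": "urn:example:sbom-2.0", "id": "jkl012",
   "published": "2025-02-01T08:30:00Z",
   "duplicates": ["abc123", "mno345", "mno345"]}
]"""

REQUIRED = ("document_id", "id", "published", "duplicates")


def check_duplicates(entries):
    """Return (sorted ids that would be deleted, list of problems found)."""
    problems, keep, delete, docs = [], Counter(), Counter(), Counter()
    for i, entry in enumerate(entries):
        missing = [k for k in REQUIRED if k not in entry]
        if missing or not isinstance(entry["duplicates"], list):
            problems.append(f"entry {i}: malformed (missing {missing})")
            continue
        docs[entry["document_id"]] += 1
        keep[entry["id"]] += 1
        delete.update(entry["duplicates"])
    for doc, n in sorted(docs.items()):
        if n > 1:
            problems.append(f"document_id {doc} appears in {n} entries")
    # An id that one entry keeps and another deletes would lose the survivor.
    for sid in sorted(set(keep) & set(delete)):
        problems.append(f"{sid} is both kept and marked for deletion")
    for sid, n in sorted(delete.items()):
        if n > 1:
            problems.append(f"{sid} listed for deletion {n} times")
    return sorted(delete), problems


if __name__ == "__main__":
    # Pass a path (e.g. duplicates.json) or run without arguments for SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    to_delete, problems = check_duplicates(json.loads(text))
    print(f"{len(to_delete)} SBOM ids would be deleted")
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it finds a problem, so it can gate the delete step in a pipeline.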