Open-source maintainer focused on system transparency and software supply-chain security.
Project Co-Lead of OWASP CycloneDX, working on the specification and tooling ecosystem.
Helping software systems explain what they actually contain — instead of everyone guessing and hoping for the best.
I contribute to the CycloneDX specification and maintain tooling that generates CycloneDX SBOMs and other system transparency artifacts across multiple ecosystems.
CycloneDX goes beyond traditional Software Bills of Materials (SBOMs) and supports system transparency across modern software supply chains.
My tools support projects built with:
- Python (Poetry, Pipenv, uv, PDM, Conda, etc.)
- Node.js (npm, yarn)
- PHP (Composer)
- build systems such as webpack, esbuild, and bun-build
Helping developers and organizations understand what actually runs inside their software — which turns out to be surprisingly non-trivial.
| Project | Ecosystem | Description |
|---|---|---|
| cyclonedx-python | Python | Generate CycloneDX SBOMs for everything Python |
| cyclonedx-python-lib | Python | CycloneDX library |
| cyclonedx-node-npm | Node.js | Generate CycloneDX SBOMs for npm |
| cyclonedx-node-yarn | Node.js | Generate CycloneDX SBOMs for yarn |
| cyclonedx-webpack-plugin | Webpack | SBOM generation during builds with Webpack |
| cyclonedx-esbuild | esbuild & Bun | SBOM generation during builds with esbuild-compatible systems |
| cyclonedx-javascript-library | JavaScript/TypeScript | CycloneDX library |
| cyclonedx-php-composer | PHP | Generate CycloneDX SBOMs for Composer |
| cyclonedx-php-library | PHP | CycloneDX library |
| packageurl-php | PHP | PackageURL library |
| serializable | Python | Serialization utilities |
If you rely on the tools or libraries I maintain, consider sponsoring the work.
Because servers, CI pipelines, dependency updates, and security fixes unfortunately are not powered by appreciation alone.