supabase · jfroche · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,8 @@
 # Binaries
 ubuntu-sbom
 sbom-merge
+ubuntu-nix-sbom
+ubuntu-sbom-arm64
 
 # SBOM outputs
 *.spdx.json
@@ -15,6 +17,11 @@ go.sum
 # Nix
 result
 result-*
+.envrc
+.direnv
+
+# Pre-commit
+.pre-commit-config.yaml
 
 # IDE
 .vscode/

diff --git a/README.md b/README.md
@@ -11,6 +11,36 @@ A comprehensive SBOM (Software Bill of Materials) generator for systems running
 - **License Detection**: Extracts license information from package metadata
 - **Package URLs (purl)**: Includes purl references for both deb and nix packages
 
+## Quick Run
+
+No installation required! Run directly from GitHub:
+
+### Generate Merged SBOM (Ubuntu + Nix)
+
+```bash
+# Generate combined SBOM for your system
+nix run --extra-experimental-features "nix-command flakes" github:supabase/ubuntu-nix-sbom#sbom-generator -- \
+  --nix-target /nix/var/nix/profiles/system \
+  --output system-sbom.json
+```
+
+### Generate Ubuntu-Only SBOM
+
+```bash
+# Scan only Ubuntu/Debian packages
+nix run --extra-experimental-features "nix-command flakes" github:supabase/ubuntu-nix-sbom#sbom-ubuntu -- \
+  --output ubuntu-sbom.json
+```
+
+### Generate Nix-Only SBOM
+
+```bash
+# Analyze a specific Nix derivation
+nix run --extra-experimental-features "nix-command flakes" github:supabase/ubuntu-nix-sbom#sbom-nix -- \
+  /nix/store/xxx-your-derivation \
+  --output nix-sbom.json
+```
+
 ## Prerequisites
 
 - Nix with flakes enabled
@@ -22,7 +52,7 @@ A comprehensive SBOM (Software Bill of Materials) generator for systems running
 Clone the repository and enter the development shell:
 
 ```bash
-git clone <repository-url>
+git clone https://github.com/supabase/ubuntu-nix-sbom
 cd ubuntu-nix-sbom
 nix develop
 ```
@@ -283,24 +313,54 @@ Both the PR check and release workflows automatically validate SPDX output:
 
 ## Development
 
+### Project Structure
+
+The project follows the standard Go project layout:
+
+```
+.
+├── internal/
+│   └── sbom/
+│       └── types.go           # Shared types and utilities (package sbom)
+├── cmd/
+│   ├── ubuntu-sbom/
+│   │   └── main.go            # Ubuntu SBOM generator binary
+│   └── sbom-merge/
+│       └── main.go            # SBOM merger binary
+├── flake.nix                  # Nix flake configuration
+└── go.mod                     # Go module (github.com/supabase/ubuntu-nix-sbom)
+```
+
+The `internal/` directory is a Go convention that prevents external packages from importing the code, ensuring the shared types remain internal to this project.
+
+### Development Environment
+
 Enter the development shell:
 
 ```bash
 nix develop
 ```
 
 This provides:
-- Go toolchain
+- Go toolchain (with Go modules support)
 - gopls (Go language server)
 - sbomnix
 - Formatting tools (nixfmt, shellcheck, shfmt, gofmt)
 - Pre-commit hooks (automatically installed)
 
+### Building Binaries
+
 Build the Go binaries manually:
 
 ```bash
-go build -o ubuntu-sbom main.go
-go build -o sbom-merge merge.go
+# Build Ubuntu SBOM generator
+go build -o ubuntu-sbom ./cmd/ubuntu-sbom
+
+# Build SBOM merger
+go build -o sbom-merge ./cmd/sbom-merge
+
+# Build both
+go build ./cmd/...
 ```
 
 ### Code Formatting

diff --git a/merge.go → cmd/sbom-merge/main.go b/merge.go → cmd/sbom-merge/main.go
@@ -9,9 +9,11 @@ import (
 	"regexp"
 	"strings"
 	"time"
+
+	"github.com/supabase/ubuntu-nix-sbom/internal/sbom"
 )
 
-func mainMerge() {
+func main() {
 	var (
 		ubuntuSBOM = flag.String("ubuntu", "", "Path to Ubuntu SBOM JSON file")
 		nixSBOM    = flag.String("nix", "", "Path to Nix SBOM JSON file")
@@ -38,7 +40,7 @@ func mainMerge() {
 
 type SBOMMerger struct{}
 
-func (m *SBOMMerger) Merge(ubuntuPath, nixPath string) (*SPDXDocument, error) {
+func (m *SBOMMerger) Merge(ubuntuPath, nixPath string) (*sbom.SPDXDocument, error) {
 	// Load Ubuntu SBOM
 	ubuntuDoc, err := m.loadDocument(ubuntuPath)
 	if err != nil {
@@ -52,23 +54,23 @@ func (m *SBOMMerger) Merge(ubuntuPath, nixPath string) (*SPDXDocument, error) {
 	}
 
 	// Create merged document
-	mergedDoc := &SPDXDocument{
+	mergedDoc := &sbom.SPDXDocument{
 		SPDXVersion:       "SPDX-2.3",
 		DataLicense:       "CC0-1.0",
 		SPDXID:            "SPDXRef-DOCUMENT",
 		Name:              fmt.Sprintf("Ubuntu-Nix-System-SBOM-%s", time.Now().Format("2006-01-02")),
-		DocumentNamespace: fmt.Sprintf("https://sbom.ubuntu-nix.system/%s", generateUUID()),
-		CreationInfo: CreationInfo{
+		DocumentNamespace: fmt.Sprintf("https://sbom.ubuntu-nix.system/%s", sbom.GenerateUUID()),
+		CreationInfo: sbom.CreationInfo{
 			Created:            time.Now().UTC().Format(time.RFC3339),
 			Creators:           m.mergeCreators(ubuntuDoc, nixDoc),
 			LicenseListVersion: "3.20",
 		},
-		Packages:      []Package{},
-		Relationships: []Relationship{},
+		Packages:      []sbom.Package{},
+		Relationships: []sbom.Relationship{},
 	}
 
 	// Create the single root System package
-	systemPkg := Package{
+	systemPkg := sbom.Package{
 		SPDXID:           "SPDXRef-System",
 		Name:             "Ubuntu-Nix-System",
 		DownloadLocation: "NOASSERTION",
@@ -81,7 +83,7 @@ func (m *SBOMMerger) Merge(ubuntuPath, nixPath string) (*SPDXDocument, error) {
 	mergedDoc.Packages = append(mergedDoc.Packages, systemPkg)
 
 	// Add document describes relationship
-	mergedDoc.Relationships = append(mergedDoc.Relationships, Relationship{
+	mergedDoc.Relationships = append(mergedDoc.Relationships, sbom.Relationship{
 		SPDXElementID:      "SPDXRef-DOCUMENT",
 		RelatedSPDXElement: "SPDXRef-System",
 		RelationshipType:   "DESCRIBES",
@@ -102,7 +104,7 @@ func (m *SBOMMerger) Merge(ubuntuPath, nixPath string) (*SPDXDocument, error) {
 		mergedDoc.Packages = append(mergedDoc.Packages, pkg)
 
 		// Add relationship to system root
-		mergedDoc.Relationships = append(mergedDoc.Relationships, Relationship{
+		mergedDoc.Relationships = append(mergedDoc.Relationships, sbom.Relationship{
 			SPDXElementID:      "SPDXRef-System",
 			RelatedSPDXElement: pkg.SPDXID,
 			RelationshipType:   "CONTAINS",
@@ -127,7 +129,7 @@ func (m *SBOMMerger) Merge(ubuntuPath, nixPath string) (*SPDXDocument, error) {
 		mergedDoc.Packages = append(mergedDoc.Packages, pkg)
 
 		// Add relationship to system root
-		mergedDoc.Relationships = append(mergedDoc.Relationships, Relationship{
+		mergedDoc.Relationships = append(mergedDoc.Relationships, sbom.Relationship{
 			SPDXElementID:      "SPDXRef-System",
 			RelatedSPDXElement: pkg.SPDXID,
 			RelationshipType:   "CONTAINS",
@@ -140,21 +142,21 @@ func (m *SBOMMerger) Merge(ubuntuPath, nixPath string) (*SPDXDocument, error) {
 	return mergedDoc, nil
 }
 
-func (m *SBOMMerger) loadDocument(path string) (*SPDXDocument, error) {
+func (m *SBOMMerger) loadDocument(path string) (*sbom.SPDXDocument, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
 
-	var doc SPDXDocument
+	var doc sbom.SPDXDocument
 	if err := json.Unmarshal(data, &doc); err != nil {
 		return nil, err
 	}
 
 	return &doc, nil
 }
 
-func (m *SBOMMerger) mergeCreators(ubuntuDoc, nixDoc *SPDXDocument) []string {
+func (m *SBOMMerger) mergeCreators(ubuntuDoc, nixDoc *sbom.SPDXDocument) []string {
 	creatorMap := make(map[string]bool)
 	var creators []string
 
@@ -196,7 +198,7 @@ func (m *SBOMMerger) renumberSPDXID(originalID, prefix string) string {
 	return fmt.Sprintf("SPDXRef-%s-%s", prefix, strings.TrimPrefix(originalID, "SPDXRef-"))
 }
 
-func (m *SBOMMerger) Save(doc *SPDXDocument, outputPath string) error {
+func (m *SBOMMerger) Save(doc *sbom.SPDXDocument, outputPath string) error {
 	file, err := os.Create(outputPath)
 	if err != nil {
 		return err