← Back to Blog
Launch July 2026 10 min read

MedSBOM — I Built the Missing Open-Source FDA Compliance Tool and Shipped It to PyPI

Medical device companies spend $50K–$200K per year on tools that translate vulnerability scans into FDA-acceptable documentation. Small teams with no budget? They spend 40–80 hours per device doing it manually in spreadsheets. I built the free alternative and shipped it in a day.

"One command. Audit-ready FDA docs in seconds. Free forever."
206
Tests Passing
99%
Code Coverage
0
Security Issues
3s
Full Test Suite

The Problem I Solved

The FDA's 2023 cybersecurity guidance, the PATCH Act, and the 2026 QMSR transition all require device makers to maintain a Software Bill of Materials (SBOM), monitor components for vulnerabilities, and produce documented evidence of regular review per IEC 62304 §7.1.3.

Generic tools like Syft, Grype, and Trivy generate SBOMs and flag CVEs — but none of them speak the regulatory language. Teams manually translate raw scan output into FDA-shaped documentation. It's slow, expensive, and error-prone. Paid platforms (Ketryx, Cybellum, MedCrypt) charge enterprise prices to solve this.

There was no free, open-source project that closed this gap. Until now.

What MedSBOM Does

MedSBOM is a thin compliance layer that sits on top of existing scanners and outputs FDA-submission-ready documents:

# Check your device SBOM for vulnerabilities + EOL status
medsbom check firmware.sbom.json --device "Insulin Pump" --device-version "2.3.1"

# Generate all compliance documents in one command
medsbom report firmware.sbom.json --format all --output ./fda-submission/

This produces three audit-ready documents:

How It Works Under the Hood

The Engine Pipeline

1. Ingest → Parse CycloneDX or SPDX JSON (from Syft, Trivy, any scanner)

2. CVE Match → Cross-reference against NVD API + CISA KEV (actively exploited vulns)

3. EOL Check → Query endoflife.date for end-of-support dates

4. Risk Score → Composite: CVSS severity × 0.5 + KEV flag × 0.3 + EOL proximity × 0.2

5. Document Gen → Jinja2 templates render regulatory-formatted Markdown/PDF

6. Audit Trail → Append-only SQLite with tamper-prevention triggers

The Technical Decisions That Matter

DecisionWhy
Apache 2.0 licensePatent grant — medtech legal teams are allergic to GPL
SQLite audit trail with UPDATE/DELETE triggersProves immutability for regulatory audits
Network blocker in test suiteNo test can ever hit real APIs — caught a CI failure caused by NVD rate-limiting on GitHub Actions
JSON string detection before Path.exists()Linux throws OSError on long strings; Windows silently returns False
Risk scoring formula is documented and transparentAuditors need to understand HOW you scored risk, not just the result
Regulatory disclaimer in every generated documentThis is a draft tool, not legal advice — trust boundary is explicit

The Shipping Journey

Built and shipped in a single session:

  1. Scaffolded full project structure — CLI, API, core engine, templates, tests, Docker, CI
  2. Wrote 206 tests covering positive, negative, and edge cases for every module
  3. Ran Bandit security scan — zero findings across 1,462 lines
  4. Fixed CI failures caused by Linux platform differences (Path handling, NVD rate limits)
  5. Published to PyPI, created GitHub Release v0.1.0

What This Replaces

Without MedSBOMWith MedSBOM
40–80 hours per device per cycle~2 minutes
$50K–$200K/year for paid toolsFree, forever
Manual CVE lookup + ExcelAutomated NVD + KEV + EOL
No audit trailImmutable, append-only log
Inconsistent document formatStandardized FDA/IEC templates

Who It's For

What I Learned

The hardest part wasn't the code — it was the platform differences. A single Path(json_string).exists() call works fine on Windows (returns False) but throws OSError: File name too long on Linux. Tests that accidentally make real HTTP requests pass locally but timeout on CI runners where NVD rate-limits aggressively.

The lesson: if your test suite can reach the internet, it will eventually fail in CI. Block all network access by default, mock explicitly.

"The same rigor that ensures a medical device is safe for patients — risk-based thinking, documented evidence, shift-left verification — is exactly what makes a compliance tool trustworthy."

Try MedSBOM

Install in 10 seconds. Generate FDA docs in 2 minutes.

Install from PyPI → View on GitHub →

Links