Medical device companies spend $50K–$200K per year on tools that translate vulnerability scans into FDA-acceptable documentation. Small teams with no budget? They spend 40–80 hours per device doing it manually in spreadsheets. I built the free alternative and shipped it in a day.
"One command. Audit-ready FDA docs in seconds. Free forever."
The Problem I Solved
The FDA's 2023 cybersecurity guidance, the PATCH Act, and the 2026 QMSR transition all require device makers to maintain a Software Bill of Materials (SBOM), monitor components for vulnerabilities, and produce documented evidence of regular review per IEC 62304 §7.1.3.
Generic tools like Syft, Grype, and Trivy generate SBOMs and flag CVEs — but none of them speak the regulatory language. Teams manually translate raw scan output into FDA-shaped documentation. It's slow, expensive, and error-prone. Paid platforms (Ketryx, Cybellum, MedCrypt) charge enterprise prices to solve this.
There was no free, open-source project that closed this gap. Until now.
What MedSBOM Does
MedSBOM is a thin compliance layer that sits on top of existing scanners and outputs FDA-submission-ready documents:
# Check your device SBOM for vulnerabilities + EOL status
medsbom check firmware.sbom.json --device "Insulin Pump" --device-version "2.3.1"
# Generate all compliance documents in one command
medsbom report firmware.sbom.json --format all --output ./fda-submission/
This produces three audit-ready documents:
- FDA Premarket Cybersecurity Summary — maps to the 2023 guidance structure
- IEC 62304 SOUP Risk Assessment — full component register with risk levels
- Vulnerability Review Log — timestamped evidence for auditors
How It Works Under the Hood
The Engine Pipeline
1. Ingest → Parse CycloneDX or SPDX JSON (from Syft, Trivy, any scanner)
2. CVE Match → Cross-reference against NVD API + CISA KEV (actively exploited vulns)
3. EOL Check → Query endoflife.date for end-of-support dates
4. Risk Score → Composite: CVSS severity × 0.5 + KEV flag × 0.3 + EOL proximity × 0.2
5. Document Gen → Jinja2 templates render regulatory-formatted Markdown/PDF
6. Audit Trail → Append-only SQLite with tamper-prevention triggers
The Technical Decisions That Matter
| Decision | Why |
|---|---|
| Apache 2.0 license | Patent grant — medtech legal teams are allergic to GPL |
| SQLite audit trail with UPDATE/DELETE triggers | Proves immutability for regulatory audits |
| Network blocker in test suite | No test can ever hit real APIs — caught a CI failure caused by NVD rate-limiting on GitHub Actions |
| JSON string detection before Path.exists() | Linux throws OSError on long strings; Windows silently returns False |
| Risk scoring formula is documented and transparent | Auditors need to understand HOW you scored risk, not just the result |
| Regulatory disclaimer in every generated document | This is a draft tool, not legal advice — trust boundary is explicit |
The Shipping Journey
Built and shipped in a single session:
- Scaffolded full project structure — CLI, API, core engine, templates, tests, Docker, CI
- Wrote 206 tests covering positive, negative, and edge cases for every module
- Ran Bandit security scan — zero findings across 1,462 lines
- Fixed CI failures caused by Linux platform differences (Path handling, NVD rate limits)
- Published to PyPI, created GitHub Release v0.1.0
What This Replaces
| Without MedSBOM | With MedSBOM |
|---|---|
| 40–80 hours per device per cycle | ~2 minutes |
| $50K–$200K/year for paid tools | Free, forever |
| Manual CVE lookup + Excel | Automated NVD + KEV + EOL |
| No audit trail | Immutable, append-only log |
| Inconsistent document format | Standardized FDA/IEC templates |
Who It's For
- Small/mid medical device teams (no budget for Ketryx/Cybellum)
- Open-source medical device projects (OpenAPS, Loop, imaging software)
- Regulatory consultants demoing compliance quickly
- Security researchers auditing device fleets
What I Learned
The hardest part wasn't the code — it was the platform differences. A single Path(json_string).exists() call works fine on Windows (returns False) but throws OSError: File name too long on Linux. Tests that accidentally make real HTTP requests pass locally but timeout on CI runners where NVD rate-limits aggressively.
The lesson: if your test suite can reach the internet, it will eventually fail in CI. Block all network access by default, mock explicitly.
"The same rigor that ensures a medical device is safe for patients — risk-based thinking, documented evidence, shift-left verification — is exactly what makes a compliance tool trustworthy."
Try MedSBOM
Install in 10 seconds. Generate FDA docs in 2 minutes.
Install from PyPI → View on GitHub →