Hacker News
by hrpnk 1492 days ago
You can use Syft [1], which generates the full software bill of materials, including package names and licenses, for a broad set of tech stacks ranging from the OS level (Alpine, Debian) through Go, Ruby, Python, Java, JavaScript, etc.

[1] https://github.com/anchore/syft

1 comment

Since this is about Python specifically, I'll go ahead and highlight `pip-audit` [1] as a specialized tool for generating Python SBOMs and running audits against the official PyPI vulnerability feed.

FD: My company, my work.

[1]: https://github.com/trailofbits/pip-audit
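The audit step both comments describe (take the components from an SBOM, look each pinned version up in a vulnerability feed, report what is affected) is small enough to show end to end. The block below is an added, stand-alone illustration written for this page; it is not code from pip-audit or Syft. It assumes a CycloneDX-style component list (the SBOM shape both tools can emit) and a feed whose entries follow the `id` / `aliases` / `fixed_in` / `details` layout of PyPI's JSON API. The SBOM, the feed, the package names and the advisory identifiers are all constructed placeholders, and version comparison is simplified to plain dotted release numbers (a real tool uses `packaging.version`, which also handles pre-, post- and local releases).

```python
"""Added illustration of an SBOM-driven Python dependency audit.
Not pip-audit's or Syft's code; sample data is constructed and fictional."""
import json
import re
from dataclasses import dataclass

# Constructed sample SBOM, trimmed to the CycloneDX fields an audit needs.
# Package names and versions are fictional placeholders.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "widgetlib", "version": "1.2.4",
         "purl": "pkg:pypi/widgetlib@1.2.4"},
        {"type": "library", "name": "gadgetkit", "version": "3.0.0",
         "purl": "pkg:pypi/gadgetkit@3.0.0"},
        {"type": "library", "name": "sprocket", "version": "0.9.1",
         "purl": "pkg:pypi/sprocket@0.9.1"},
        # An OS package, as a mixed Syft SBOM would carry; not a PyPI purl.
        {"type": "library", "name": "musl", "version": "1.2.2-r3",
         "purl": "pkg:apk/alpine/musl@1.2.2-r3"},
    ],
})

# Constructed feed keyed by package name. Each entry mirrors the shape of the
# "vulnerabilities" array in PyPI's JSON API. The IDs are placeholders, not
# real advisories.
SAMPLE_FEED = {
    "widgetlib": [
        {"id": "EXAMPLE-0001", "aliases": ["EXAMPLE-ALIAS-0001"],
         "fixed_in": ["1.2.5", "2.0.1"],   # fixed on two maintained branches
         "details": "Header parser accepts CRLF inside values."},
    ],
    "gadgetkit": [
        {"id": "EXAMPLE-0002", "aliases": [],
         "fixed_in": ["2.8.0"],            # 3.0.0 is at/above the fix
         "details": "Path traversal during archive extraction."},
        {"id": "EXAMPLE-0003", "aliases": [],
         "fixed_in": [],                   # no fix published yet
         "details": "Denial of service via oversized input."},
    ],
}


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_key(version: str) -> tuple:
    """Comparison key for plain release versions such as '1.2.5'.
    Simplification (assumption): only dotted integers are accepted; anything
    else is rejected rather than compared wrongly. Trailing zeros are dropped
    so that '1.2' and '1.2.0' compare equal, as under PEP 440."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(installed: str, fixed_in: list) -> bool:
    """Treat a vulnerability as fixed once the installed version is at or above
    any listed fix version; with no fix version published, every version is
    affected. (Policy chosen for this example, stated as an assumption.)"""
    if not fixed_in:
        return True
    inst = release_key(installed)
    return all(inst < release_key(fix) for fix in fixed_in)


@dataclass
class Finding:
    name: str
    version: str
    vuln_id: str
    fix_versions: list
    details: str


def _pypi_components(sbom_json: str) -> list:
    """Only PyPI purls are audited against a Python feed; other ecosystems in
    a mixed SBOM are skipped explicitly, not silently passed."""
    sbom = json.loads(sbom_json)
    return [c for c in sbom.get("components", [])
            if c.get("purl", "").startswith("pkg:pypi/")]


def audit_sbom(sbom_json: str, feed: dict) -> list:
    """Match every PyPI component in the SBOM against the feed."""
    feed = {canonical_name(k): v for k, v in feed.items()}
    findings = []
    for comp in _pypi_components(sbom_json):
        for vuln in feed.get(canonical_name(comp["name"]), []):
            if is_affected(comp["version"], vuln["fixed_in"]):
                findings.append(Finding(
                    comp["name"], comp["version"], vuln["id"],
                    sorted(vuln["fixed_in"], key=release_key), vuln["details"]))
    return findings


def not_in_feed(sbom_json: str, feed: dict) -> list:
    """PyPI components the feed knows nothing about. A missing entry means the
    package was never looked up, which is not the same as a clean result."""
    known = {canonical_name(k) for k in feed}
    return [c["name"] for c in _pypi_components(sbom_json)
            if canonical_name(c["name"]) not in known]


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM_JSON, SAMPLE_FEED):
        fix = ", ".join(f.fix_versions) or "no fix available"
        print(f"{f.name} {f.version}: {f.vuln_id} (fix: {fix}) - {f.details}")
    missing = not_in_feed(SAMPLE_SBOM_JSON, SAMPLE_FEED)
    if missing:
        print("not covered by the feed:", ", ".join(missing))
```

Two behaviours are worth noticing when reading the output: `gadgetkit` is flagged for the advisory with no published fix even though it is above the fix for the other one, and `sprocket` is reported separately as not covered rather than being counted as clean. The real tools fetch the feed per package over the network; the offline matching shown here is the part that decides what gets reported.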