
cdxgen

    cdxgen is an open source SBOM generation tool managed by OWASP (Open Web Application Security Project). It analyzes source code, build artifacts, and container images to automatically generate SBOMs in CycloneDX format.

    Features

    • Wide language and ecosystem support: Java (Maven/Gradle), Node.js, Python, Go, Rust, PHP, Ruby, .NET, and 20+ more
    • Multiple scan targets: Source code directories, container images, GitHub repositories
    • CycloneDX standard output: Supports CycloneDX 1.4/1.5/1.6 in JSON and XML formats
    • REPL mode: Interactive interface for exploring and querying SBOMs
    • CI/CD integration: Easy integration with GitHub Actions, GitLab CI, and other major pipelines

    Installation

    Install with Node.js 18 or later:

    npm install -g @cyclonedx/cdxgen

    Or use the Docker image:

    docker pull ghcr.io/cyclonedx/cdxgen

    Basic Usage

    (1) Scan a Source Code Directory

    # Scan current directory and generate CycloneDX JSON SBOM
    cdxgen -o sbom.json .
    
    # Specify language if auto-detection fails
    cdxgen -t java -o sbom.json /path/to/project

    (2) Scan a Container Image

    cdxgen -t docker -o sbom.json ubuntu:22.04

    (3) Scan a GitHub Repository

    cdxgen -t github -o sbom.json https://github.com/org/repo

    (4) Explore SBOM in REPL Mode

    cdxgen --repl -o sbom.json .

    CI/CD Integration Example

    # GitHub Actions example
    - name: Generate SBOM with cdxgen
      run: |
        npm install -g @cyclonedx/cdxgen
        cdxgen -o sbom.json .
    - name: Upload SBOM
      uses: actions/upload-artifact@v4
      with:
        name: sbom
        path: sbom.json

    References