vet supports CycloneDX v1.6 SBOM generation. The generated SBOM lists all packages and their dependencies, including security metadata: detected vulnerabilities, malware, and license information.

Quick Start

Generate an SBOM with a custom application name:
vet scan -D /path/to/project \
  --report-cdx report.cdx.json \
  --report-cdx-app-name myproject
The --report-cdx-app-name parameter is optional. If omitted, Vet will use a default application name.

What’s Included in the SBOM

The generated CycloneDX SBOM contains:

Package Inventory

Complete list of all direct and transitive dependencies

Vulnerability Data

Known vulnerabilities from OSV database and other sources

License Information

License identifiers and compliance data for each component

Malware Detection

Results from malware analysis and threat detection

Advanced Usage

Custom Application Metadata

Provide detailed metadata about your application:
vet scan -D /path/to/project \
  --report-cdx myapp-v1.2.3.cdx.json \
  --report-cdx-app-name "MyApplication"

Combined with Other Reports

Generate multiple report formats simultaneously:
vet scan -D /path/to/project \
  --report-cdx sbom.cdx.json \
  --report-json results.json \
  --report-markdown report.md \
  --report-cdx-app-name "production-app"

Integration with CI/CD

name: Generate SBOM
on: [push, pull_request]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Generate SBOM
        run: |
          docker run --rm -v "$PWD:/app" ghcr.io/safedep/vet:latest \
            scan -D /app \
            --report-cdx /app/sbom.cdx.json \
            --report-cdx-app-name "${{ github.repository }}"

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

Sample SBOMs

Chat Server SBOM

Example SBOM for a Node.js chat application

Express.js SBOM

Example SBOM for an Express.js web application

SBOM Analysis and Consumption

Viewing SBOM Content

Install the CycloneDX CLI (a .NET global tool) to validate and convert your SBOM. Note that validate only fails the process when asked to, so pass --fail-on-errors if a CI step should gate on the result:
dotnet tool install --global CycloneDX

# Validate SBOM against the CycloneDX JSON schema (non-zero exit on errors)
cyclonedx validate --input-file sbom.cdx.json --fail-on-errors

# Convert to other formats
cyclonedx convert --input-file sbom.cdx.json --output-file sbom.xml --output-format xml

Integration with Security Tools

Many security tools can consume CycloneDX SBOMs:
  • Dependency Track: Import SBOMs for vulnerability monitoring
  • FOSSA: License compliance analysis
  • Snyk: Security scanning and monitoring
  • JFrog Xray: Artifact analysis and security scanning

Naming Convention

Use a consistent pattern for SBOM filenames:
{app-name}-{version}-{environment}.cdx.json
myapp-1.2.3-production.cdx.json

Troubleshooting

For projects with many dependencies, SBOMs can become large. Consider:
  • Filtering out development dependencies in production SBOMs
  • Using compressed storage formats
  • Implementing SBOM splitting for microservices
If components are missing from your SBOM:
  • Ensure all package manifest files are included in the scan
  • Check that Vet supports your package manager
  • Verify dependencies are properly declared in manifest files
If SBOM validation fails:
  • Check that the consuming tool supports the spec version in the file (vet writes specVersion 1.6; tools built against earlier schemas will reject it)
  • Verify that the required top-level fields (bomFormat, specVersion) are present and that every bom-ref referenced from dependencies and vulnerabilities resolves to a component
  • Use cyclonedx-cli for detailed validation errors
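The sections above describe what vet puts into the SBOM and how to inspect it, but not how to pull that data out programmatically or how to catch the consistency problems a JSON-schema check cannot express. The following is an added example, not code from vet or from the CycloneDX project: it reads a CycloneDX 1.6 JSON document in the shape vet emits, splits the inventory into direct and transitive dependencies using the dependency graph, counts vulnerabilities by their worst rating, lists components with no license entry, and flags bom-ref values that point at nothing. The embedded SBOM is constructed for the example; its package names, purls and vulnerability IDs are placeholders, and the field layout follows the CycloneDX 1.6 JSON schema rather than any specific vet output.

```python
"""Inspect a CycloneDX 1.6 JSON SBOM: inventory, vulnerabilities, licenses,
and reference consistency. Example code, not part of vet or CycloneDX."""
import json
from collections import Counter, deque

EXPECTED_SPEC_VERSION = "1.6"

# Constructed sample in the shape vet emits. Package names, purls and the
# EXAMPLE-VULN-* identifiers are placeholders, not real packages or advisories.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "myproject", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/webframe@4.1.0", "name": "webframe",
         "version": "4.1.0", "purl": "pkg:npm/webframe@4.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/querylib@6.7.0", "name": "querylib",
         "version": "6.7.0", "purl": "pkg:npm/querylib@6.7.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        # No licenses array at all: a compliance gap the schema does not flag.
        {"type": "library", "bom-ref": "pkg:npm/padutil@1.3.0", "name": "padutil",
         "version": "1.3.0", "purl": "pkg:npm/padutil@1.3.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/webframe@4.1.0", "pkg:npm/padutil@1.3.0"]},
        {"ref": "pkg:npm/webframe@4.1.0", "dependsOn": ["pkg:npm/querylib@6.7.0"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001", "source": {"name": "OSV"},
         "ratings": [{"severity": "high", "score": 7.5, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/querylib@6.7.0"}]},
        # Deliberately points at a component that is not in the inventory.
        {"id": "EXAMPLE-VULN-0002", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:npm/ghost@0.0.1"}]},
    ],
})

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % sbom.get("bomFormat"))
    return sbom


def header_problems(sbom):
    """Spec-version mismatches are the first thing a consumer rejects."""
    version = sbom.get("specVersion")
    return [] if version == EXPECTED_SPEC_VERSION else [
        "specVersion is %r, expected %s" % (version, EXPECTED_SPEC_VERSION)]


def known_refs(sbom):
    """bom-ref of every component plus the root application component."""
    refs = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    return refs | {root} if root else refs


def dependency_tiers(sbom):
    """Direct deps are those the root component declares; transitive deps are
    everything reachable from them through the dependencies graph."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    seen, queue = set(direct), deque(direct)
    while queue:  # breadth-first walk; 'seen' guards against cycles
        for child in graph.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(direct), sorted(seen - direct)


def vulnerabilities_by_severity(sbom):
    """Count each vulnerability once, under the worst severity any rating gives it."""
    counts = Counter()
    for vuln in sbom.get("vulnerabilities", []):
        sevs = [r.get("severity", "unknown") for r in vuln.get("ratings", [])] or ["unknown"]
        worst = min(sevs, key=lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else len(SEVERITY_ORDER))
        counts[worst] += 1
    return counts


def unlicensed_components(sbom):
    """Components carrying no license information at all."""
    return sorted(c.get("purl", c.get("name", "?"))
                  for c in sbom.get("components", []) if not c.get("licenses"))


def dangling_references(sbom):
    """Refs that resolve to no component. Schema validation accepts these, but
    consumers silently drop the findings or edges attached to them."""
    known, problems = known_refs(sbom), []
    for dep in sbom.get("dependencies", []):
        for ref in [dep["ref"], *dep.get("dependsOn", [])]:
            if ref not in known:
                problems.append("dependencies: unknown ref %s" % ref)
    for vuln in sbom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            if target["ref"] not in known:
                problems.append("vulnerability %s affects unknown ref %s" % (vuln.get("id"), target["ref"]))
    return problems


def report(text):
    """Everything a reviewer wants from an SBOM in one dictionary."""
    sbom = load_sbom(text)
    direct, transitive = dependency_tiers(sbom)
    return {"components": len(sbom.get("components", [])), "direct": direct,
            "transitive": transitive, "by_severity": dict(vulnerabilities_by_severity(sbom)),
            "unlicensed": unlicensed_components(sbom),
            "header_problems": header_problems(sbom), "dangling": dangling_references(sbom)}


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_SBOM), indent=2))
```

Point report() at the file vet wrote (open("sbom.cdx.json").read()) to use it on a real scan. A non-empty "dangling" list means the SBOM will pass cyclonedx validate yet lose data when imported into a tool such as Dependency Track, which is exactly the case the schema check cannot surface.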

CycloneDX Documentation

Learn more about the CycloneDX v1.6 JSON specification

Vet Repository

Explore Vet’s complete SBOM generation capabilities

Dependency Inventory

Learn how to create accurate dependency inventories