vet supports CycloneDX v1.6 SBOM generation. The generated SBOM provides a comprehensive inventory of all packages and their dependencies in your project, including security metadata like detected vulnerabilities, malware, and license information.

Quick Start

Generate an SBOM with a custom application name: 
vet scan --report-cdx path/to/report.cdx.json \
         --report-cdx-app-name myproject
The --report-cdx-app-name parameter is optional. If omitted, vet will use a default application name.

What’s Included in the SBOM

The generated CycloneDX SBOM contains comprehensive information about your software supply chain:

Package Inventory

Complete list of all direct and transitive dependencies

Vulnerability Data

Known vulnerabilities from OSV database and other sources

License Information

License identifiers and compliance data for each component

Malware Detection

Results from malware analysis and threat detection

Advanced Usage

Custom Application Metadata

Provide detailed metadata about your application: 
vet scan -D /path/to/project \
  --report-cdx myapp-v1.2.3.cdx.json \
  --report-cdx-app-name "MyApplication" \
  --report-cdx-app-version "1.2.3"

Combined with Other Reports

Generate multiple report formats simultaneously: 
vet scan -D /path/to/project \
  --report-cdx sbom.cdx.json \
  --report-json results.json \
  --report-markdown report.md \
  --report-cdx-app-name "production-app"

Integration with CI/CD

name: Generate SBOM
on: [push, pull_request]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Generate SBOM
        uses: safedep/vet-action@v1
        with:
          scan-dir: '.'
          report-cdx: 'sbom.cdx.json'
          app-name: ${{ github.repository }}
          
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

Sample SBOMs

Explore example SBOMs to understand the format and content:

Chat Server SBOM

Example SBOM for a Node.js chat application

Express.js SBOM

Example SBOM for an Express.js web application

SBOM Analysis and Consumption

Viewing SBOM Content

Use standard CycloneDX tools to analyze your SBOM: 
# Using cyclonedx-cli (install via npm)
npm install -g @cyclonedx/cli

# Validate SBOM
cyclonedx validate --input-file sbom.cdx.json

# Convert to other formats
cyclonedx convert --input-file sbom.cdx.json --output-file sbom.xml --output-format xml

Integration with Security Tools

Many security tools can consume CycloneDX SBOMs:
  • Dependency Track: Import SBOMs for vulnerability monitoring
  • FOSSA: License compliance analysis
  • Snyk: Security scanning and monitoring
  • JFrog Xray: Artifact analysis and security scanning

Policy Enforcement

Use SBOMs with policy engines for compliance: 
# Example with Open Policy Agent (OPA)
opa eval --data policy.rego --input sbom.cdx.json "data.sbom.allow"

Best Practices

Compliance and Standards

NTIA Minimum Elements

The generated SBOMs include all NTIA minimum elements:
  • Data Fields: Supplier name, component name, version, unique identifier, dependency relationships, author of SBOM data, timestamp
  • Automation Support: Machine-readable format with well-defined schema
  • Practices and Processes: Consistent generation methodology

Executive Order 14028

SBOMs generated by vet help organizations comply with Executive Order 14028 requirements for software supply chain security.

Troubleshooting

CycloneDX Documentation

Learn more about the CycloneDX v1.6 JSON specification

vet Repository

Explore vet’s complete SBOM generation capabilities

NTIA SBOM Guide

Understanding SBOM minimum elements and best practices

Dependency Inventory

Learn how to create accurate dependency inventories