vet supports CycloneDX v1.6 SBOM generation. The generated SBOM provides a comprehensive inventory of all packages and their dependencies in your project, including security metadata like detected vulnerabilities, malware, and license information.

Quick Start

Generate an SBOM with a custom application name:

vet scan --report-cdx path/to/report.cdx.json \
         --report-cdx-app-name myproject

The --report-cdx-app-name parameter is optional. If omitted, vet will use a default application name.

What’s Included in the SBOM

The generated CycloneDX SBOM contains comprehensive information about your software supply chain:

Package Inventory

Complete list of all direct and transitive dependencies

Vulnerability Data

Known vulnerabilities from OSV database and other sources

License Information

License identifiers and compliance data for each component

Malware Detection

Results from malware analysis and threat detection

Advanced Usage

Custom Application Metadata

Provide detailed metadata about your application:

vet scan -D /path/to/project \
  --report-cdx myapp-v1.2.3.cdx.json \
  --report-cdx-app-name "MyApplication" \
  --report-cdx-app-version "1.2.3"

Combined with Other Reports

Generate multiple report formats simultaneously:

vet scan -D /path/to/project \
  --report-cdx sbom.cdx.json \
  --report-json results.json \
  --report-markdown report.md \
  --report-cdx-app-name "production-app"

Integration with CI/CD

name: Generate SBOM
on: [push, pull_request]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Generate SBOM
        uses: safedep/vet-action@v1
        with:
          scan-dir: '.'
          report-cdx: 'sbom.cdx.json'
          app-name: ${{ github.repository }}
          
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

Sample SBOMs

Explore example SBOMs to understand the format and content:

SBOM Analysis and Consumption

Viewing SBOM Content

Use standard CycloneDX tools to analyze your SBOM:

# Using cyclonedx-cli (install via npm)
npm install -g @cyclonedx/cli

# Validate SBOM
cyclonedx validate --input-file sbom.cdx.json

# Convert to other formats
cyclonedx convert --input-file sbom.cdx.json --output-file sbom.xml --output-format xml

Integration with Security Tools

Many security tools can consume CycloneDX SBOMs:

  • Dependency Track: Import SBOMs for vulnerability monitoring
  • FOSSA: License compliance analysis
  • Snyk: Security scanning and monitoring
  • JFrog Xray: Artifact analysis and security scanning

Policy Enforcement

Use SBOMs with policy engines for compliance:

# Example with Open Policy Agent (OPA)
opa eval --data policy.rego --input sbom.cdx.json "data.sbom.allow"

Best Practices

Compliance and Standards

NTIA Minimum Elements

The generated SBOMs include all NTIA minimum elements:

  • Data Fields: Supplier name, component name, version, unique identifier, dependency relationships, author of SBOM data, timestamp
  • Automation Support: Machine-readable format with well-defined schema
  • Practices and Processes: Consistent generation methodology
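The two consumption steps above, policy enforcement and the NTIA minimum-elements check, can both be done directly on the JSON document. The script below is an added example written for this page; it is not part of vet or the CycloneDX project. It embeds a small constructed SBOM (fictional packages, a placeholder vulnerability id) shaped like the `--report-cdx` output, reports which NTIA data fields are missing, and applies a hypothetical policy: deny when any component carries a license outside an allow-list or a vulnerability rated above a severity ceiling. Field names follow the CycloneDX 1.6 JSON schema; the allow-list and severity ceiling are assumptions you would replace with your own.

```python
"""Check NTIA minimum elements and apply a policy to a CycloneDX 1.6 JSON SBOM (added example)."""
import json
from dataclasses import dataclass, field

# CycloneDX rating severities, ordered for comparison; "unknown" is treated as medium.
SEVERITY_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "unknown": 3, "high": 4, "critical": 5}

# Constructed sample (fictional packages and advisory id), shaped like vet's CycloneDX output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "authors": [{"name": "example-sbom-author"}],
        "component": {"type": "application", "name": "myproject", "version": "1.2.3", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-a@1.0.0", "purl": "pkg:npm/example-a@1.0.0",
         "name": "example-a", "version": "1.0.0", "supplier": {"name": "Example Org"},
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/example-b@2.3.4", "purl": "pkg:npm/example-b@2.3.4",
         "name": "example-b", "version": "2.3.4",            # no supplier: an NTIA gap
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/example-a@1.0.0"]},
        {"ref": "pkg:npm/example-a@1.0.0", "dependsOn": ["pkg:npm/example-b@2.3.4"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001", "source": {"name": "OSV"},   # placeholder id, not a real advisory
         "ratings": [{"severity": "high", "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/example-b@2.3.4"}]},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse the document and refuse anything that is not CycloneDX 1.6 before trusting its fields."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if sbom.get("specVersion") != "1.6":
        raise ValueError(f"unsupported specVersion {sbom.get('specVersion')!r}")
    return sbom


def ntia_gaps(sbom: dict) -> list[str]:
    """List NTIA minimum-element fields that are absent; an empty list means all are present."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("metadata.authors")
    # Every component should appear somewhere in the dependency graph.
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        label = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        for key in ("name", "version", "supplier"):
            if not comp.get(key):
                gaps.append(f"{label}: {key}")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("bom-ref")):
            gaps.append(f"{label}: unique identifier (purl/cpe/bom-ref)")
        if comp.get("bom-ref") not in in_graph:
            gaps.append(f"{label}: dependency relationship")
    return gaps


@dataclass
class PolicyResult:
    allow: bool
    violations: list[str] = field(default_factory=list)


def _component_licenses(comp: dict) -> list[str]:
    """Flatten the CycloneDX licenses array (license id, license name, or SPDX expression)."""
    out = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return out


def evaluate_policy(sbom: dict, max_severity: str = "medium",
                    allowed_licenses: frozenset = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})) -> PolicyResult:
    """Deny on any disallowed license or any vulnerability rated above max_severity (hypothetical policy)."""
    violations = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name")
        for lic in _component_licenses(comp):
            if lic not in allowed_licenses:
                violations.append(f"{ref}: license {lic} not in allow-list")
    limit = SEVERITY_RANK[max_severity]
    for vuln in sbom.get("vulnerabilities", []):
        # Take the worst rating; an unrated vulnerability counts as medium.
        worst = max((SEVERITY_RANK.get(r.get("severity", "unknown"), 3)
                     for r in vuln.get("ratings", [])), default=3)
        if worst > limit:
            for target in vuln.get("affects", []):
                violations.append(f"{target.get('ref')}: {vuln.get('id')} severity exceeds {max_severity}")
    return PolicyResult(allow=not violations, violations=violations)


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    print("NTIA gaps:", ntia_gaps(doc))
    print("policy:", evaluate_policy(doc))
```

Run against a real report by replacing `SAMPLE_SBOM` with the contents of `sbom.cdx.json`; the same two checks translate directly into the Rego policy the `opa eval` command above expects, with `evaluate_policy` becoming the `allow` rule.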

Executive Order 14028

SBOMs generated by vet help organizations comply with Executive Order 14028 requirements for software supply chain security.

Troubleshooting
