CycloneDX is one of the most widely supported SBOM formats. This guide shows you exactly how to export a CycloneDX SBOM from any project using the Vibgrate CLI, what the resulting file is, and how to verify it. It is written for developers producing their first SBOM.
Prerequisites
- The Vibgrate CLI installed, or use the no-install form with
npx. - A project with a recognized lockfile or manifest (for example
package-lock.json,pnpm-lock.yaml, a.csproj,requirements.txt, and more).
Step 1 — Run the export
From the root of your project, run:
vg sbom export --format cyclonedx --out sbom.cdx.json
This tells the CLI to produce a CycloneDX document (--format cyclonedx) and write it to sbom.cdx.json (--out). The command reads your dependency graph from the current directory; you do not pass a path.
To try it without installing anything first:
npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
Step 2 — Inspect the result
The output is a JSON file. Open it and you will find a components array — each entry is a dependency Vibgrate discovered, with its name, version, and (where known) license and a Package URL. The document header records the format version so downstream tools know how to parse it.
Step 3 — Use the file
The SBOM is now a normal artifact you can:
- Attach to a GitHub or GitLab release.
- Feed into a vulnerability scanner or license checker.
- Store for audit evidence.
- Push to Vibgrate Cloud alongside your scan results.
Choosing an output path
The --out value is just a file path. A common convention is to suffix CycloneDX JSON files with .cdx.json so they are easy to recognize, but you can name the file whatever your pipeline expects.
Defaults and short form
If you run vg sbom export without flags, the CLI still produces an SBOM; specifying --format and --out makes the output explicit and reproducible, which is what you want in automation. For interactive exploration, vg sbom on its own is the starting point.
Troubleshooting
- Empty or small component list? Make sure you run the command from the directory that contains your lockfile, and that dependencies are installed/resolved.
- Unexpected format? Double-check the
--formatvalue iscyclonedx(usespdxfor SPDX output).
Related
- "SBOM Formats Supported by Vibgrate CLI" compares CycloneDX, SPDX, and OpenVEX.
- "Reading and Understanding Vibgrate SBOM Output" explains the fields in the file.
- "Generate an SBOM in Your CI Pipeline" automates this step.