Skip to main content

Export a CycloneDX SBOM with Vibgrate CLI

Use Vibgrate CLI to export a CycloneDX SBOM from your project to a file in a single command. The SBOM inventories every shipped component for sharing, audit, and downstream tooling.

Difficulty
Beginner
Duration
12 minutes
Steps
5

An SBOM (Software Bill of Materials) is a machine-readable inventory of every component your software ships. CycloneDX is one of the two leading SBOM standards, and Vibgrate CLI can export one directly from your project. This tutorial walks through producing a CycloneDX SBOM and saving it to a file.

Prerequisites

  • Node.js installed
  • A project with a dependency manifest (such as package.json, requirements.txt, or a lockfile)

Steps

1. Install the Vibgrate CLI

Install globally so the vg binary is on your PATH:

npm i -g @vibgrate/cli

Prefer not to install? Use the no-install form for any command shown below by replacing vg with npx @vibgrate/cli.

2. Run a baseline scan

From your project root, run a scan so Vibgrate has fresh artifacts to draw from:

vg

Bare vg scans the current directory and reports your DriftScore (0-100) along with the dependency inventory the SBOM is built from.

3. Export the CycloneDX SBOM

Export the SBOM in CycloneDX format and write it to a file:

vg sbom export --format cyclonedx --out sbom.cdx.json

This produces sbom.cdx.json in your working directory: a complete CycloneDX document listing each component, its version, and metadata.

4. Inspect the output file

Open sbom.cdx.json. You will see the CycloneDX structure with a components array enumerating your dependencies. This file is the artifact you share with auditors, attach to releases, or feed into downstream supply-chain tooling.

5. Verify the SBOM is valid

Confirm the file is well-formed JSON:

node -e "JSON.parse(require('fs').readFileSync('sbom.cdx.json','utf8')); console.log('valid JSON')"

A clean parse means the SBOM is ready to consume.

Verification

The command exits 0 on success and the file sbom.cdx.json exists with a populated components list. If you need the SPDX standard instead, vg sbom also supports SPDX output and OpenVEX documents.

Next Steps

Automate this in CI so every build emits a fresh SBOM, and attach the resulting file to your releases for downstream consumers.

Prerequisites

  • Node.js installed
  • A project with a dependency manifest

Steps

  • 1
    Install the Vibgrate CLI
  • 2
    Run a baseline scan
  • 3
    Export the CycloneDX SBOM
  • 4
    Inspect the output file
  • 5
    Verify the SBOM is valid

Category

Vibgrate