Export a CycloneDX SBOM with Vibgrate CLI
Use Vibgrate CLI to export a CycloneDX SBOM from your project to a file in a single command. The SBOM inventories every shipped component for sharing, audit, and downstream tooling.
An SBOM (Software Bill of Materials) is a machine-readable inventory of every component your software ships. CycloneDX is one of the two leading SBOM standards, and Vibgrate CLI can export one directly from your project. This tutorial walks through producing a CycloneDX SBOM and saving it to a file.
Prerequisites
- Node.js installed
- A project with a dependency manifest (such as
package.json,requirements.txt, or a lockfile)
Steps
1. Install the Vibgrate CLI
Install globally so the vg binary is on your PATH:
npm i -g @vibgrate/cli
Prefer not to install? Use the no-install form for any command shown below by replacing vg with npx @vibgrate/cli.
2. Run a baseline scan
From your project root, run a scan so Vibgrate has fresh artifacts to draw from:
vg
Bare vg scans the current directory and reports your DriftScore (0-100) along with the dependency inventory the SBOM is built from.
3. Export the CycloneDX SBOM
Export the SBOM in CycloneDX format and write it to a file:
vg sbom export --format cyclonedx --out sbom.cdx.json
This produces sbom.cdx.json in your working directory: a complete CycloneDX document listing each component, its version, and metadata.
4. Inspect the output file
Open sbom.cdx.json. You will see the CycloneDX structure with a components array enumerating your dependencies. This file is the artifact you share with auditors, attach to releases, or feed into downstream supply-chain tooling.
5. Verify the SBOM is valid
Confirm the file is well-formed JSON:
node -e "JSON.parse(require('fs').readFileSync('sbom.cdx.json','utf8')); console.log('valid JSON')"
A clean parse means the SBOM is ready to consume.
Verification
The command exits 0 on success and the file sbom.cdx.json exists with a populated components list. If you need the SPDX standard instead, vg sbom also supports SPDX output and OpenVEX documents.
Next Steps
Automate this in CI so every build emits a fresh SBOM, and attach the resulting file to your releases for downstream consumers.