Export an SBOM per Package in a Monorepo
Use the --cwd flag to scan each monorepo package individually and export a per-package CycloneDX SBOM, scripting the loop across all workspaces for precise inventories.
In a monorepo, one repository-wide SBOM can obscure which package owns which dependency. Generating a separate SBOM per package gives each one a precise inventory. This tutorial scans and exports an SBOM for each workspace package using the --cwd flag to target each directory.
Prerequisites
- A monorepo with multiple packages
- Node.js installed
Steps
1. Install the CLI
npm i -g @vibgrate/cli
2. Scan a single package
Target one package directory with --cwd:
vg scan --cwd packages/api
This scans only that package, reporting its own DriftScore and dependency inventory.
3. Export that package's SBOM
Export a CycloneDX SBOM for the package, writing to a name that identifies it:
vg sbom export --format cyclonedx --out sbom-api.cdx.json --cwd packages/api
4. Loop over all packages
Script the same two commands across every package directory:
for pkg in packages/*; do
name=$(basename "$pkg")
vg scan --cwd "$pkg"
vg sbom export --format cyclonedx --out "sbom-$name.cdx.json" --cwd "$pkg"
done
Each iteration produces a sbom-<name>.cdx.json scoped to one package.
5. Collect the SBOMs
Gather the per-package SBOM files into one directory or attach them to the release so each component has its own inventory.
Verification
Each package scan exits 0 and produces a distinct sbom-<name>.cdx.json whose components match that package's dependencies, not the whole repo.
Next Steps
Wire the loop into CI so per-package SBOMs are produced on every build, and push each scan to Vibgrate Cloud for per-package trend tracking.