Skip to content
Latchkey

How to Generate a CycloneDX SBOM for a Node Project With cdxgen

cdxgen reads the lockfile to produce a CycloneDX SBOM covering direct and transitive dependencies.

Install @cyclonedx/cdxgen and run it against the project root. It resolves the dependency graph from package-lock.json (or other lockfiles) and writes a CycloneDX JSON SBOM.

Steps

  • Run npm ci first so the lockfile is fully resolved.
  • Invoke cdxgen with -t js and an output path.
  • Upload the SBOM artifact for later scanning or attestation.

Workflow

.github/workflows/ci.yml
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npx @cyclonedx/cdxgen@latest -t js -o sbom.cdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

Gotchas

  • Without npm ci, cdxgen may miss transitive versions that only the lockfile pins.
  • Pin the cdxgen version rather than @latest in production pipelines for reproducible output.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →