How to Generate a CycloneDX SBOM for a Node Project With cdxgen
cdxgen reads the lockfile to produce a CycloneDX SBOM covering direct and transitive dependencies.
Install @cyclonedx/cdxgen and run it against the project root. It resolves the dependency graph from package-lock.json (or other lockfiles) and writes a CycloneDX JSON SBOM.
Steps
- Run
npm cifirst so the lockfile is fully resolved. - Invoke
cdxgenwith-t jsand an output path. - Upload the SBOM artifact for later scanning or attestation.
Workflow
.github/workflows/ci.yml
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
- run: npx @cyclonedx/cdxgen@latest -t js -o sbom.cdx.json
- uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.cdx.jsonGotchas
- Without
npm ci, cdxgen may miss transitive versions that only the lockfile pins. - Pin the cdxgen version rather than
@latestin production pipelines for reproducible output.