
feat: add --cdx flag for CycloneDX 1.4 SBOM output#350

Merged
sonukapoor merged 8 commits into
mainfrom
feature/cyclonedx-output
May 13, 2026

Conversation

@sonukapoor
Collaborator

Adds a --cdx flag that writes a CycloneDX 1.4 JSON SBOM to a timestamped .cdx.json file. The SBOM includes all lockfile packages as components — not just vulnerable ones — with vulnerability data attached for any CVE findings.

The output block in index.ts is extracted into a new write-outputs.ts dispatcher, which now handles JSON, SARIF, and CycloneDX writes in one place.

Changes

  • src/output/cyclonedx.ts — new module: buildPurl, buildCycloneDxBom, writeCycloneDxReport
  • src/output/write-outputs.ts — new dispatcher replacing inline JSON/SARIF block
  • src/index.ts — surfaces allPackages from scanProject; delegates to writeOutputs
  • src/types.ts / src/cli/args.ts / src/cli/help.ts — --cdx flag
  • action.yml — cdx input
  • Docs: new cyclonedx.md, updates to cli-reference.md, sidebars.ts, README.md

Closes #349
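To make the SBOM shape the PR describes concrete (every lockfile package becomes a component, and CVE findings are attached as CycloneDX 1.4 `vulnerabilities` entries that reference components by `bom-ref`), here is an added stand-alone example. It is not the project's code: the implementations of `buildPurl`, `buildCycloneDxBom` and `writeCycloneDxReport` are written here from the PR text, the `LockfilePackage`/`CveFinding` types, the `cdxFileName` pattern and the sample packages and placeholder CVE ids are all assumptions or constructed inputs.

```typescript
// Added example, not the project's own code. A minimal CycloneDX 1.4 builder in the
// shape the PR describes. Type names, helper names, the output file-name pattern and
// the sample data below are assumptions / constructed for illustration.
import * as fs from "node:fs";
import * as path from "node:path";

type Ecosystem = "npm" | "pypi" | "cargo";
type Severity = "critical" | "high" | "medium" | "low" | "unknown";

interface LockfilePackage { name: string; version: string; ecosystem: Ecosystem }
interface CveFinding { packageName: string; version: string; id: string; severity: Severity; source?: string }

// Subset of the CycloneDX 1.4 JSON schema used here.
interface CycloneDxBom {
  bomFormat: "CycloneDX";
  specVersion: "1.4";
  version: number;
  metadata: { timestamp: string; tools: { name: string; version: string }[] };
  components: { type: "library"; "bom-ref": string; name: string; version: string; purl: string }[];
  vulnerabilities: { id: string; source: { name: string }; ratings: { severity: Severity }[]; affects: { ref: string }[] }[];
}

// Package URL (purl). An npm scope is a percent-encoded namespace segment
// (pkg:npm/%40scope/name@1.0.0); PyPI names are lowercased with "_" replaced by "-".
function buildPurl(pkg: LockfilePackage): string {
  if (pkg.ecosystem === "npm" && pkg.name.startsWith("@")) {
    const slash = pkg.name.indexOf("/");
    const scope = pkg.name.slice(0, slash);
    const name = pkg.name.slice(slash + 1);
    return `pkg:npm/${encodeURIComponent(scope)}/${name}@${pkg.version}`;
  }
  const name = pkg.ecosystem === "pypi" ? pkg.name.toLowerCase().replace(/_/g, "-") : pkg.name;
  return `pkg:${pkg.ecosystem}/${name}@${pkg.version}`;
}

// All lockfile packages become components (the purl doubles as bom-ref). Findings are
// grouped by CVE id, each affected package is listed once under `affects`, and a finding
// whose package is not in the lockfile is dropped because there is no component to reference.
function buildCycloneDxBom(packages: LockfilePackage[], findings: CveFinding[], now: Date = new Date()): CycloneDxBom {
  const refByKey = new Map<string, string>();
  const components: CycloneDxBom["components"] = [];
  for (const pkg of packages) {
    const purl = buildPurl(pkg);
    refByKey.set(`${pkg.name}@${pkg.version}`, purl);
    components.push({ type: "library", "bom-ref": purl, name: pkg.name, version: pkg.version, purl });
  }
  const byId = new Map<string, CycloneDxBom["vulnerabilities"][number]>();
  for (const f of findings) {
    const ref = refByKey.get(`${f.packageName}@${f.version}`);
    if (ref === undefined) continue; // nothing in the lockfile to attach this finding to
    let entry = byId.get(f.id);
    if (entry === undefined) {
      entry = { id: f.id, source: { name: f.source ?? "NVD" }, ratings: [{ severity: f.severity }], affects: [] };
      byId.set(f.id, entry);
    }
    if (!entry.affects.some((a) => a.ref === ref)) entry.affects.push({ ref });
  }
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.4",
    version: 1,
    metadata: { timestamp: now.toISOString(), tools: [{ name: "example-scanner", version: "0.0.0" }] },
    components,
    vulnerabilities: Array.from(byId.values()),
  };
}

// Timestamped file name (pattern assumed), e.g. sbom-2026-05-13T09-39-00Z.cdx.json
function cdxFileName(now: Date): string {
  const stamp = now.toISOString().replace(/:/g, "-").replace(/\.\d{3}Z$/, "Z");
  return `sbom-${stamp}.cdx.json`;
}

function writeCycloneDxReport(bom: CycloneDxBom, outDir: string, now: Date = new Date()): string {
  const file = path.join(outDir, cdxFileName(now));
  fs.writeFileSync(file, JSON.stringify(bom, null, 2) + "\n");
  return file;
}

// Constructed sample input: three lockfile packages, one CVE hitting two of them (reported
// twice for lodash), and one finding for a package that is not in the lockfile.
function sampleBom(): CycloneDxBom {
  const packages: LockfilePackage[] = [
    { name: "lodash", version: "4.17.20", ecosystem: "npm" },
    { name: "@scope/widget", version: "1.2.3", ecosystem: "npm" },
    { name: "Requests_Lib", version: "2.0.0", ecosystem: "pypi" },
  ];
  const findings: CveFinding[] = [
    { packageName: "lodash", version: "4.17.20", id: "CVE-0000-0001", severity: "high" },
    { packageName: "lodash", version: "4.17.20", id: "CVE-0000-0001", severity: "high" },
    { packageName: "@scope/widget", version: "1.2.3", id: "CVE-0000-0001", severity: "high" },
    { packageName: "ghost", version: "9.9.9", id: "CVE-0000-0002", severity: "low" },
  ];
  return buildCycloneDxBom(packages, findings, new Date("2026-05-13T09:39:00Z"));
}
```

Calling `writeCycloneDxReport(sampleBom(), ".")` writes a `sbom-<timestamp>.cdx.json` next to the script. The grouping by CVE id matters for consumers: CycloneDX tooling expects one vulnerability object per id with every affected component under `affects`, not one object per finding.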

@sonukapoor sonukapoor force-pushed the feature/cyclonedx-output branch from 6d3226e to 2d3f3ed on May 13, 2026 09:39
@sonukapoor sonukapoor merged commit 3360c18 into main May 13, 2026
6 checks passed
@sonukapoor sonukapoor deleted the feature/cyclonedx-output branch May 13, 2026 09:44