Bill of materials
Inventory what's inside your software — source-code dependencies, the packages on a running asset, and your AI models — without leaving VS Code.
A bill of materials lists the components inside your software. The extension generates three kinds, and you never have to pick a tool: you choose what to inventory, and Mondoo runs the right scanner behind the scenes — xgrep for source code, cnspec for assets.
Open the Bills of Materials view in the Mondoo sidebar (the activity-bar icon) to generate one in a click, run the bill-of-materials walkthrough from the Get Started page, or use the commands below.
Where to start
The Bills of Materials view lists every generator as a one-click action:
- Generate SBOM — this project — source-code SBOM of the open workspace (xgrep), skipping the scope prompt.
- Generate SBOM — asset or target — installed/runtime packages on a configured target (cnspec).
- Generate AIBOM — AI models on a target (cnspec).
- Get Started — open the walkthrough.
The first action is also a button on the view's title bar.
Download a CycloneDX SBOM for this project
- Open the Bills of Materials view and click Generate SBOM — this project (or run Mondoo Bill of Materials: Generate SBOM — This Project from the Command Palette).
- Pick a format — CycloneDX (JSON) is selected by default.
- Choose where to save. The default filename uses the project name and a `.cdx.json` extension (for example `my-app-sbom.cdx.json`).
The file is written and opened in the editor, ready to attach to compliance evidence, a CI artifact, or a vulnerability scanner. It runs fully offline — no target or credentials needed.
Software bill of materials (SBOM)
Generate SBOM asks what you want an SBOM of:
- Source code (this workspace) — the dependencies declared in your project's manifests and lockfiles (`go.mod`, `package-lock.json`, `Cargo.lock`, …), produced fully offline by the bundled xgrep scanner. No target, no credentials, safe to run in any pipeline.
- Asset or target — the installed/runtime packages on a configured system (`local`, `ssh`, `docker`), produced by cnspec against the target.
You think in terms of the scope; the extension selects the engine.
AI bill of materials (AIBOM)
Generate AIBOM inventories the AI/ML models, agents, and related assets in scope — increasingly part of what ships in a codebase or runs in your infrastructure. It runs against a target with cnspec and can surface models from local runtimes and the major cloud AI providers (aws, azure, gcp).
Output formats
Every BOM is written to a file you choose and opened for you, in a format other tools understand. SBOM offers:
| Format | Extension | Use it for |
|---|---|---|
| CycloneDX (JSON) | .cdx.json | Default — most SCA and vulnerability tools |
| CycloneDX (XML) | .cdx.xml | CycloneDX consumers that expect XML |
| SPDX (JSON) | .spdx.json | SPDX-based compliance tooling |
| SPDX (tag-value) | .spdx | Classic SPDX documents |
| JSON | .json | Custom processing |
| Table | .txt | A quick human-readable list |
AIBOM additionally offers Markdown (opened with a rendered preview). So a BOM drops straight into compliance evidence, CI artifacts, and vulnerability scanners.
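As an added example (not part of the extension or this page), a small Python check that a CI job could run over the CycloneDX JSON file the extension writes: it confirms the document really is CycloneDX and reports which components carry a package URL (purl), since a component without one cannot be matched by a vulnerability scanner. The SBOM content below is a constructed sample, not output from a real project.

```python
import json
from collections import Counter

# Constructed sample of a CycloneDX (JSON) SBOM, the extension's default
# format, shaped like a my-app-sbom.cdx.json file. Not real project data.
SAMPLE_CDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "github.com/spf13/cobra", "version": "1.8.0",
         "purl": "pkg:golang/github.com/spf13/cobra@1.8.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        # No purl: a vulnerability scanner cannot match this component.
        {"type": "library", "name": "vendored-lib", "version": "0.1.0"},
    ],
})


def load_cyclonedx(text: str) -> dict:
    """Parse an SBOM file's contents and verify it is CycloneDX JSON."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX JSON document")
    return bom


def summarize_sbom(text: str) -> dict:
    """Counts a CI gate can act on: components with a purl (matchable against
    vulnerability databases), the ecosystems seen, and components lacking one."""
    components = load_cyclonedx(text).get("components", [])
    ecosystems = Counter()
    missing_purl = []
    for c in components:
        purl = c.get("purl")
        if purl:
            # A purl has the shape pkg:<type>/<namespace>/<name>@<version>
            ecosystems[purl.split(":", 1)[1].split("/", 1)[0]] += 1
        else:
            missing_purl.append(f"{c.get('name')}@{c.get('version')}")
    return {
        "total": len(components),
        "with_purl": len(components) - len(missing_purl),
        "ecosystems": dict(ecosystems),
        "missing_purl": missing_purl,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_sbom(SAMPLE_CDX_JSON), indent=2))
```

In a pipeline, read the generated `.cdx.json` file into `summarize_sbom` and fail the job when `missing_purl` is non-empty, so every shipped component can be checked for known vulnerabilities.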
Troubleshooting
- "xgrep is not available" — the source-code SBOM uses the bundled xgrep scanner. Run Mondoo: xgrep — Setup to install it, then try again.
- No compatible targets — the asset/target flows need a configured scan target of a supported type. Add one with Mondoo: Add Target Configuration.
Credentials
The asset/target flows pick from your configured scan targets, so credentials are delivered the same safe way as a scan — stored in your OS keychain and handed to the scanner without appearing on the command line, never in settings or shell history.