Generating an SBOM
Produce a CycloneDX or SPDX Software Bill of Materials for a project's dependencies with xgrep sbom — fully offline.
xgrep sbom builds a Software Bill of Materials by discovering a project's
dependency manifests and lockfiles (11 ecosystems), parsing them with xgrep's
bundled package-file parsers, and emitting a standard SBOM document:

```shell
xgrep sbom .
```

The scan is fully offline: it reads files only and never invokes a package manager or touches the network. The output is CycloneDX JSON by default and is written to stdout, so you can pipe or redirect it:

```shell
xgrep sbom --output sbom.cdx.json .
```
Output formats
Choose a format with --format:
| Format | Description |
|---|---|
| cyclonedx-json | CycloneDX, JSON (default) |
| cyclonedx-xml | CycloneDX, XML |
| spdx-json | SPDX, JSON |
| spdx-tag-value | SPDX, tag-value text |
| json | xgrep's native JSON |
| table | Human-readable list, grouped by package |

```shell
xgrep sbom --format spdx-json --output sbom.spdx.json .
xgrep sbom --format table .   # quick look in the terminal
```

The CycloneDX output is enriched with component evidence and CPEs, so it drops into any tool that consumes CycloneDX.
Flags
| Flag | What it does |
|---|---|
| --format <fmt> | Output format (see above). Default cyclonedx-json. |
| --output <file> | Write to a file instead of stdout. |
| --ref <commit/tag/branch> | Read files from a git ref instead of the working tree. |
| --direct-only | Emit only direct dependencies, dropping transitive ones. |
| --ecosystem <eco,…> | Restrict to named ecosystems, e.g. go,npm. Default: all. |

```shell
# A direct-dependency SBOM for a release tag, in SPDX
xgrep sbom --ref v1.4.0 --direct-only --format spdx-json --output release-sbom.json .

# Only the JavaScript and Go dependency sets
xgrep sbom --ecosystem npm,go .
```

In CI

Generate an SBOM as a build artifact and attach it to releases or feed it to a downstream SBOM consumer:

```shell
xgrep sbom --format cyclonedx-json --output sbom.cdx.json .
```

To answer "which of these dependencies does our code actually use?", pair the SBOM with dependency queries.
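Before attaching the artifact to a release, a CI step should confirm the document is actually usable downstream: that it is CycloneDX, that the scan found components at all, and that each component carries a purl (the identifier vulnerability scanners match on). The script below is an added example for that gate, not part of xgrep or its documentation. The SAMPLE_BOM it contains is a constructed CycloneDX 1.5 document standing in for a real sbom.cdx.json; the field names it reads (bomFormat, specVersion, components, purl, cpe) are the CycloneDX JSON schema's own.

```python
"""Sanity-check a CycloneDX JSON SBOM such as the output of `xgrep sbom`.

Added example, not xgrep's own code. Run with a path to check a real file:
    python check_sbom.py sbom.cdx.json
Without arguments it checks the constructed SAMPLE_BOM below.
"""
import json
import sys
from collections import Counter

# Constructed CycloneDX 1.5 document (not produced by xgrep) with the fields a
# downstream consumer keys on. The third component deliberately lacks a purl.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "cpe": "cpe:2.3:a:lodash:lodash:4.17.21:*:*:*:*:*:*:*"},
        {"type": "library", "name": "golang.org/x/text", "version": "v0.14.0",
         "purl": "pkg:golang/golang.org/x/text@v0.14.0"},
        {"type": "library", "name": "internal-helper", "version": "0.1.0"},
    ],
}


def purl_type(purl):
    """Ecosystem part of a package URL: 'pkg:npm/lodash@4.17.21' -> 'npm'."""
    if not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def summarize(bom):
    """Count components per ecosystem and list those without a purl."""
    components = bom.get("components", [])
    by_type = Counter()
    missing_purl = []
    with_cpe = 0
    for comp in components:
        purl = comp.get("purl")
        eco = purl_type(purl) if purl else None
        if eco:
            by_type[eco] += 1
        else:
            missing_purl.append(comp.get("name", "<unnamed>"))
        if comp.get("cpe"):
            with_cpe += 1
    return {
        "total": len(components),
        "by_type": dict(by_type),
        "missing_purl": missing_purl,
        "with_cpe": with_cpe,
    }


def validate(bom):
    """Return a list of problems; an empty list means the SBOM is fit to ship."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not bom.get("specVersion"):
        problems.append("specVersion missing")
    summary = summarize(bom)
    if summary["total"] == 0:
        # Typical cause: the scan ran in the wrong directory or the
        # --ecosystem filter excluded every manifest.
        problems.append("no components: scan probably found no manifests")
    for name in summary["missing_purl"]:
        problems.append(
            f"component {name!r} has no purl; vulnerability matching will skip it")
    return problems


def load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    bom = load(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BOM
    summary = summarize(bom)
    print(f"{summary['total']} components, {summary['with_cpe']} with a CPE")
    for eco, count in sorted(summary["by_type"].items()):
        print(f"  {eco}: {count}")
    problems = validate(bom)
    for problem in problems:
        print("WARN:", problem)
    sys.exit(1 if problems else 0)
```

The script exits non-zero on any problem, so placing it right after the xgrep sbom step fails the pipeline instead of publishing an empty or partially identified SBOM; relax the purl check to a warning if your project legitimately carries components with no package URL.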