Generating an SBOM

Produce a CycloneDX or SPDX Software Bill of Materials for a project's dependencies with xgrep sbom — fully offline.

Generating an SBOM

xgrep sbom builds a Software Bill of Materials by discovering a project's dependency manifests and lockfiles (11 ecosystems), parsing them with xgrep's bundled package-file parsers, and emitting a standard SBOM document:

xgrep sbom .

The scan is fully offline: it only reads files, never invokes a package manager and never touches the network. The output is CycloneDX JSON by default and is written to stdout, so you can pipe or redirect it:

xgrep sbom --output sbom.cdx.json .

xgrep sbom — the human-readable dependency table, then the same fully-offline scan emitting a standard CycloneDX document

Output formats

Choose a format with --format:

| Format | Description |
| --- | --- |
| cyclonedx-json | CycloneDX, JSON (default) |
| cyclonedx-xml | CycloneDX, XML |
| spdx-json | SPDX, JSON |
| spdx-tag-value | SPDX, tag-value text |
| json | xgrep's native JSON |
| table | Human-readable list, grouped by package |

xgrep sbom --format spdx-json --output sbom.spdx.json .
xgrep sbom --format table .                              # quick look in the terminal

The CycloneDX output is enriched with component evidence and CPEs, so it drops into any tool that consumes CycloneDX.

Flags

| Flag | What it does |
| --- | --- |
| --format <fmt> | Output format (see above). Default cyclonedx-json. |
| --output <file> | Write to a file instead of stdout. |
| --ref <commit/tag/branch> | Read files from a git ref instead of the working tree. |
| --direct-only | Emit only direct dependencies, dropping transitive ones. |
| --ecosystem <eco,…> | Restrict to named ecosystems, e.g. go,npm. Default: all. |

# A direct-dependency SBOM for a release tag, in SPDX
xgrep sbom --ref v1.4.0 --direct-only --format spdx-json --output release-sbom.json .

# Only the JavaScript and Go dependency sets
xgrep sbom --ecosystem npm,go .

In CI

Generate an SBOM as a build artifact and attach it to releases or feed it to a downstream SBOM consumer:

xgrep sbom --format cyclonedx-json --output sbom.cdx.json .
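Once the CycloneDX file is a build artifact, a CI step usually wants to inspect it before handing it to a downstream consumer: confirm it really is CycloneDX, list the direct dependency set (what --direct-only would have emitted), and flag components that carry neither a purl nor a CPE, since vulnerability matchers cannot correlate those. The script below is an added example of such a post-processing step; it is not part of xgrep and makes no assumptions about xgrep's internals. The SAMPLE_BOM document is constructed by hand for the example and only follows the public CycloneDX 1.5 JSON layout (metadata.component, components, dependencies); it is not real xgrep output.

```python
"""Post-process a CycloneDX JSON SBOM in CI (added example, not xgrep code)."""
import json
import sys
from typing import Dict, List, Set

# Constructed CycloneDX 1.5 document: an application with three direct
# dependencies, one transitive dependency, and one component that has no
# purl or CPE. Hand-written sample data, not output of any real tool.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app@1.0.0", "type": "application",
                               "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/express@4.19.2", "type": "library", "name": "express",
         "version": "4.19.2", "purl": "pkg:npm/express@4.19.2",
         "cpe": "cpe:2.3:a:example:express:4.19.2:*:*:*:*:*:*:*"},  # constructed CPE
        {"bom-ref": "pkg:npm/qs@6.11.0", "type": "library", "name": "qs",
         "version": "6.11.0", "purl": "pkg:npm/qs@6.11.0"},
        {"bom-ref": "pkg:golang/golang.org/x/crypto@v0.21.0", "type": "library",
         "name": "golang.org/x/crypto", "version": "v0.21.0",
         "purl": "pkg:golang/golang.org/x/crypto@v0.21.0"},
        {"bom-ref": "vendored-blob", "type": "library", "name": "vendored-blob",
         "version": "0.0.1"},
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["pkg:npm/express@4.19.2",
                                           "pkg:golang/golang.org/x/crypto@v0.21.0",
                                           "vendored-blob"]},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
    ],
})


def load_bom(text: str) -> dict:
    """Parse the document and reject anything that is not CycloneDX."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def _root_ref(bom: dict) -> str:
    return bom["metadata"]["component"]["bom-ref"]


def direct_dependencies(bom: dict) -> List[str]:
    """bom-refs the root component depends on directly (the --direct-only set)."""
    for entry in bom.get("dependencies", []):
        if entry.get("ref") == _root_ref(bom):
            return list(entry.get("dependsOn", []))
    return []


def all_dependencies(bom: dict) -> Set[str]:
    """Every bom-ref reachable from the root: direct plus transitive."""
    graph = {e["ref"]: e.get("dependsOn", []) for e in bom.get("dependencies", [])}
    seen: Set[str] = set()
    stack = list(graph.get(_root_ref(bom), []))
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    return seen


def components_missing_identifiers(bom: dict) -> List[str]:
    """Components with neither purl nor CPE; vulnerability matchers cannot use them."""
    return [c["bom-ref"] for c in bom.get("components", [])
            if not (c.get("purl") or c.get("cpe"))]


def ecosystem_counts(bom: dict) -> Dict[str, int]:
    """Count components per purl type ("npm", "golang", ...) for a quick summary."""
    counts: Dict[str, int] = {}
    for c in bom.get("components", []):
        purl = c.get("purl") or ""
        if purl.startswith("pkg:"):
            eco = purl[len("pkg:"):].split("/", 1)[0]
            counts[eco] = counts.get(eco, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python check_sbom.py sbom.cdx.json   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    bom = load_bom(text)
    print("direct:", len(direct_dependencies(bom)), "total:", len(all_dependencies(bom)))
    print("ecosystems:", ecosystem_counts(bom))
    missing = components_missing_identifiers(bom)
    if missing:
        print("components without purl/cpe:", ", ".join(missing))
        sys.exit(1)  # fail the CI step so the gap is fixed before the SBOM ships
```

Run it against the file written by xgrep sbom --output sbom.cdx.json . and let the non-zero exit fail the job; the direct set is computed from the dependency graph rather than trusted from a flag, so the same check works on a full SBOM and on one produced with --direct-only.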

To answer "which of these dependencies does our code actually use?", pair the SBOM with dependency queries.