A Software Bill of Materials (SBOM) is a machine-readable inventory of the dependencies in your project. MergeGuide generates one from your dependency manifests in the standard CycloneDX and SPDX formats.

Generate an SBOM

# Generate from the current directory (CycloneDX JSON to stdout)
mergeguide sbom generate .

# Write SPDX JSON to a file
mergeguide sbom generate . --format spdx-json -o sbom.json

# Name and version the component
mergeguide sbom generate --name "MyApp" --version "1.0.0" package.json

Supported formats

Format           Standard        Notes
cyclonedx-json   CycloneDX 1.5   JSON; widely supported. The default.
cyclonedx-xml    CycloneDX 1.5   XML; legacy-compatible.
spdx-json        SPDX 2.3        JSON; Linux Foundation standard.
spdx-tag-value   SPDX 2.3        Tag-value; human-readable.
List them anytime:
mergeguide sbom formats

Supported manifests

sbom generate reads these dependency manifests:
Ecosystem   Manifests
npm         package.json, package-lock.json
pip         requirements.txt, Pipfile, pyproject.toml
go          go.mod, go.sum
cargo       Cargo.toml, Cargo.lock
maven       pom.xml
gem         Gemfile, Gemfile.lock
composer    composer.json, composer.lock
nuget       packages.config, *.csproj
By default, development dependencies are excluded. Include them with --include-dev.
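To make concrete what the generator produces from these manifests, here is an added example (not MergeGuide's own code) that parses a constructed package.json and requirements.txt and emits a minimal CycloneDX 1.5 JSON document. The manifest contents are invented for the example, and mapping dev dependencies to the CycloneDX scope "optional" is an assumption about how a generator might mark them; MergeGuide's real output may differ in detail.

```python
"""Added example (not MergeGuide's code): build a minimal CycloneDX 1.5 JSON
SBOM from npm and pip manifests. Manifest contents are constructed."""
import json
import re

# Constructed sample manifests (not from any real project).
PACKAGE_JSON = json.dumps({
    "name": "myapp",
    "version": "1.0.0",
    "dependencies": {"express": "4.18.2", "lodash": "^4.17.21"},
    "devDependencies": {"jest": "29.7.0"},
})
REQUIREMENTS_TXT = """\
# runtime deps
requests==2.31.0
pyyaml==6.0.1  # trailing comment
-e .   # editable install: no pinned version, skipped
"""


def parse_package_json(text, include_dev=False):
    """Return (name, version, purl, scope) tuples for npm dependencies.

    Dev dependencies are excluded unless include_dev is set, mirroring the
    --include-dev behaviour described above. Scope "optional" for dev deps is
    an assumption of this example.
    """
    data = json.loads(text)
    sections = [("dependencies", "required")]
    if include_dev:
        sections.append(("devDependencies", "optional"))
    out = []
    for key, scope in sections:
        for name, spec in data.get(key, {}).items():
            # Strip range operators such as ^ or ~; a lockfile would give exact pins.
            version = re.sub(r"^[\^~>=<]+", "", spec)
            out.append((name, version, f"pkg:npm/{name}@{version}", scope))
    return out


def parse_requirements(text):
    """Return tuples for pinned (==) requirements; comments, options and
    unpinned lines are skipped because they carry no exact version."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        out.append((name, version, f"pkg:pypi/{name}@{version}", "required"))
    return out


def build_cyclonedx(components, name, version):
    """Wrap component tuples in the CycloneDX 1.5 JSON envelope."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": name, "version": version}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": purl,
             "scope": scope, "bom-ref": purl}
            for n, v, purl, scope in components
        ],
    }


def generate(include_dev=False):
    """Produce the SBOM for the constructed manifests as a dict."""
    comps = parse_package_json(PACKAGE_JSON, include_dev) + parse_requirements(REQUIREMENTS_TXT)
    return build_cyclonedx(comps, "MyApp", "1.0.0")


if __name__ == "__main__":
    print(json.dumps(generate(include_dev=True), indent=2))
```

The purl (package URL) on each component is what downstream tools, including vulnerability scanners, key on; a version range such as "^4.17.21" is not a usable purl version, which is why generators prefer lockfiles over manifests when both are present.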

Options

Option              Description
-f, --format        Output format (default cyclonedx-json).
-o, --output        Write to a file (default stdout).
-n, --name          Project/component name.
--version           Project/component version.
-d, --description   Project description.
--include-dev       Include dev dependencies.
See mergeguide sbom.

Scan dependencies for vulnerabilities

An SBOM inventories your dependencies; to check them against known vulnerabilities, run the vulnerability scanner:
mergeguide scan vuln --fail-on critical
See Running scans.
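The following added example (not MergeGuide's code) shows the logic behind a --fail-on threshold: SBOM components are matched by purl against an advisory list and the process exit code is non-zero only when a finding meets the chosen severity. Both the components and the advisories are constructed, the advisory IDs are placeholders, and the numeric version comparison is a simplification; a real scanner uses a vulnerability database and a proper version-range parser for each ecosystem.

```python
"""Added example (not MergeGuide's code): apply a --fail-on style severity
threshold to vulnerability findings matched against SBOM components."""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed SBOM components, as a CycloneDX generator would emit them.
COMPONENTS = [
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"name": "pyyaml", "version": "5.3", "purl": "pkg:pypi/pyyaml@5.3"},
]

# Constructed advisories with placeholder IDs (not real CVEs);
# "fixed" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:npm/lodash", "fixed": "4.17.21", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "purl_prefix": "pkg:pypi/pyyaml", "fixed": "5.4", "severity": "critical"},
]


def version_tuple(v):
    """Simplified dotted-version ordering; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def find_vulnerable(components, advisories):
    """Return one finding per (component, advisory) pair where the component
    version is below the advisory's fixed version."""
    findings = []
    for c in components:
        purl_name = c["purl"].split("@", 1)[0]  # purl without the version
        for adv in advisories:
            if purl_name == adv["purl_prefix"] and \
                    version_tuple(c["version"]) < version_tuple(adv["fixed"]):
                findings.append({"purl": c["purl"], "id": adv["id"],
                                 "severity": adv["severity"]})
    return findings


def exit_code(findings, fail_on):
    """1 if any finding is at or above the fail_on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


if __name__ == "__main__":
    found = find_vulnerable(COMPONENTS, ADVISORIES)
    for f in found:
        print(f"{f['severity']:8} {f['id']}  {f['purl']}")
    raise SystemExit(exit_code(found, "critical"))
```

Choosing the threshold is a policy decision: failing on critical alone keeps CI green while high findings accumulate, so teams usually pair a strict gate with a report of everything below it.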

Next steps

OSCAL export

Export NIST OSCAL compliance evidence.

Compliance overview

How evidence fits your audit.