Skip to content
Switch branches/tags

Build Status License Latest Website Slack Invite Group Discussion Twitter

CycloneDX Node.js Module

The CycloneDX module for Node.js creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies. CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.


Node.js v12.0.0 or higher



npm install -g @cyclonedx/bom

Getting Help

$ cyclonedx-bom -h
Usage: cyclonedx-bom [OPTIONS] [path]

Creates CycloneDX Software Bill-of-Materials (SBOM) from Node.js projects

  -v, --version              output the version number
  -d, --include-dev          Include devDependencies (default: false)
  -l, --include-license-text Include full license text (default: false)
  -o, --output <output>      Write BOM to file (default: "bom.xml")
  -t, --type <type>          Project type (default: "library")
  -ns, --no-serial-number    Do not include BOM serial number
  -h, --help                 display help for command

Example (default: XML)


Example (XML)

cyclonedx-bom -o bom.xml

Example (JSON)

cyclonedx-bom -o bom.json

Usage with docker

Run cyclonedx/cyclonedx-node docker image inside your project folder using:

docker run --rm \
  -v "$PWD":/src \
  -w /src \
  cyclonedx/cyclonedx-node -o /src/bom.xml

All options explained above are supported.

CycloneDX Schema Support

The following table provides information on the version of this node module, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this node module that is the compatible with the CycloneDX version supported by the target system. Or use the CycloneDX CLI Tool to convert to older specification versions as required.

Version Schema Version Format(s)
3.0.x CycloneDX v1.3 XML/JSON
2.0.x CycloneDX v1.2 XML/JSON
1.1.x CycloneDX v1.1 XML
1.0x CycloneDX v1.0 XML

Copyright & License

CycloneDX Node Module is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.