Get expert-level guidance on the CycloneDX Bill of Materials standard directly inside Claude. Whether you are authoring specification text, generating BOMs, modeling complex supply chain scenarios, or trying to understand what a field means, this skill gives Claude deep, accurate knowledge of CycloneDX versions 1.6 and 1.7.
Install this skill and Claude becomes a CycloneDX expert. Ask it to generate a valid SBOM for your project. Ask it to explain the difference between VDR and VEX. Ask it to write specification prose that follows ISO House Style and Oxford English conventions. Ask it to model cryptographic assets, attestations, patent assertions, or any of the dozens of use cases CycloneDX supports. Claude will consult the actual JSON schemas, authoritative guides, and worked examples before responding, so the answers are grounded in the real specification rather than approximate training data.
Developers and DevSecOps engineers who need to generate, consume, or validate CycloneDX BOMs and want accurate field-level guidance without digging through schema files.
Security professionals working with vulnerability disclosure (VDR), exploitability exchange (VEX), or cryptographic transparency (CBOM) who need to model real-world scenarios correctly.
Compliance and legal teams using CycloneDX attestations, licensing, patent assertions, or standards conformance and want to understand how to represent their requirements in machine-readable form.
Specification contributors writing or reviewing CycloneDX specification prose, schema definitions, or documentation who need consistent style, terminology, and schema patterns.
Tool developers building CycloneDX integrations who want quick answers about field semantics, enumeration values, validation rules, and the property taxonomy.
This skill bundles the complete CycloneDX reference library so Claude does not need to search the web or guess:
- The official CycloneDX 1.6 and 1.7 JSON Schemas (the reference implementation of the standard)
- All five OWASP CycloneDX Authoritative Guides for SBOM, CBOM, Attestations, AI/ML-BOM, and MBOM in chapter-level Markdown with supporting images
- 13 capability overviews spanning SBOM, SaaSBOM, CBOM, HBOM, ML-BOM, OBOM, MBOM, VDR, VEX, BOV, Attestations, BOM-Link, and Release Notes
- 40+ detailed use cases with production-quality JSON and XML examples for security, inventory management, legal and compliance, and extended scenarios
- The CycloneDX Property Taxonomy including the full `cdx` namespace with device, lifecycle, npm, python, and ecosystem-specific properties
- Specification authoring conventions for ISO House Style, Oxford English spelling, and JSON Schema draft-07 patterns
- A 1.6 vs 1.7 version diff, required-fields conventions, and BOM generation examples
- Project governance, history, contribution guidelines, and Ecma TC54 standardization process documentation
Download the latest cyclonedx-spec.skill from Releases, then install it in Claude following the skill installation instructions.
- "Generate a CycloneDX 1.7 SBOM for a Java application with three dependencies"
- "How do I model a VEX statement showing a vulnerability is not exploitable?"
- "Write a schema definition for a new field that tracks build reproducibility"
- "What is the difference between compositions aggregate types `complete` and `incomplete_first_party_only`?"
- "Show me how to represent an attestation mapping SSDF requirements to claims with evidence"
- "How should I model a TLS 1.3 cipher suite in a CBOM?"
- "What CycloneDX properties should I use for hardware device certification tracking?"
- "Help me write specification prose for a new external reference type"
Contributions are welcome. If you find inaccurate content, missing use cases, or areas where the skill could be improved, please open an issue or submit a pull request. The source files are plain markdown, JSON schemas, and SVG images organized under the references/ directory.
The CycloneDX JSON Schemas are published under the Apache License 2.0. The CycloneDX Authoritative Guides are published by the OWASP Foundation. Website content is sourced from cyclonedx.org.