CycloneDX

One of the two standard SBOM formats — security-optimised and widely adopted.

What is CycloneDX?

CycloneDX is an open, lightweight SBOM (Software Bill of Materials) standard, originally created by the OWASP Foundation and now the de facto format for security use cases. It describes the components that make up a piece of software — libraries, containers, services, hardware, AI models — plus the relationships, vulnerabilities, licenses, and attestations that attach to them.

The current specification is v1.5, which added first-class support for VEX (Vulnerability Exploitability eXchange), SaaSBOM, ML-BOM for AI components, and formulation data describing how a build was produced. CycloneDX is recommended by CISA and is one of two formats named in the US Executive Order 14028 guidance.

How it works

A CycloneDX document can be serialised as JSON, XML, or Protocol Buffers; whichever encoding is used, the core objects are:

  1. Components. Every library, image layer, service, or model gets a component entry with a Package URL (purl), version, hashes, and optional license data. Nested components express the dependency tree.
  2. Vulnerabilities and VEX. Unlike most other formats, CycloneDX carries vulnerability records directly, plus VEX statements that say whether a given CVE is actually exploitable in this release — a critical capability for real-world triage.
  3. Attestations and formulation. Build metadata, SLSA provenance, signing, and the actual steps that produced the artifact can all be embedded, giving downstream consumers a verifiable chain of custody.
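The following is an added example, not code from this page or from Safeguard: it builds a minimal CycloneDX 1.5 BOM in its JSON shape (components with purl, hash and license data, a dependencies graph, and vulnerability records carrying VEX analysis) and then shows the triage step the text describes, separating CVEs a producer has already cleared from those still needing action. The component, purl, hash input and CVE identifiers are constructed placeholders.

```python
import hashlib
import uuid

# VEX analysis states (CycloneDX 1.5 vocabulary) that mean a CVE needs no further action.
CLEARED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def build_bom() -> dict:
    """Return a minimal CycloneDX 1.5 JSON-shaped BOM populated with constructed sample data."""
    lib = "pkg:maven/org.example/parser@2.3.1"  # constructed purl, reused as the component's bom-ref
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {"component": {"type": "application", "bom-ref": "app",
                                   "name": "example-app", "version": "1.0.0"}},
        "components": [{
            "type": "library", "bom-ref": lib, "name": "parser", "version": "2.3.1", "purl": lib,
            "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"constructed artifact").hexdigest()}],
            "licenses": [{"license": {"id": "Apache-2.0"}}],
        }],
        "dependencies": [{"ref": "app", "dependsOn": [lib]}, {"ref": lib, "dependsOn": []}],
        "vulnerabilities": [
            {   # constructed CVE id; the VEX statement says the vulnerable code path is unreachable here
                "id": "CVE-0000-0001", "source": {"name": "NVD"},
                "ratings": [{"severity": "high", "method": "CVSSv31", "score": 7.5}],
                "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                             "response": ["will_not_fix"], "detail": "Affected entry point is never called."},
                "affects": [{"ref": lib}],
            },
            {   # constructed CVE id that is still being assessed
                "id": "CVE-0000-0002", "source": {"name": "NVD"},
                "ratings": [{"severity": "critical", "method": "CVSSv31", "score": 9.8}],
                "analysis": {"state": "in_triage"},
                "affects": [{"ref": lib}],
            },
        ],
    }

def triage(bom: dict) -> dict:
    """Map each CVE id to (VEX state, affected component names), resolving bom-refs via the components list."""
    names = {c["bom-ref"]: c["name"] for c in bom.get("components", [])}
    return {v["id"]: (v.get("analysis", {}).get("state", "in_triage"),
                      sorted(names[a["ref"]] for a in v.get("affects", []) if a["ref"] in names))
            for v in bom.get("vulnerabilities", [])}

def open_cves(bom: dict) -> list:
    """CVE ids that still need action: missing VEX statement or a state outside CLEARED_STATES."""
    return sorted(cve for cve, (state, _) in triage(bom).items() if state not in CLEARED_STATES)

if __name__ == "__main__":
    print(open_cves(build_bom()))  # → ['CVE-0000-0002']
```

A consumer that applies the same rule to a vendor-supplied BOM will surface only the CVEs the producer has not already justified, which is the triage saving VEX is meant to deliver.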

Why it matters

If an SBOM is going to drive security decisions — block deployments, answer auditor questions, feed a vulnerability correlation engine — it needs richer fields than just "component + version + license". CycloneDX was designed for that job.

It is the format most security tools emit and consume, the format regulators and platform owners ask for by name, and the format that covers emerging surfaces like AI models and SaaS integrations natively rather than as awkward extensions.

What value it adds

  • Security-first field coverage

    Vulnerabilities, VEX, pedigree, and attestations live in the same document — no sidecar files to keep in sync.

  • Works across every modern surface

    Containers, applications, firmware, AI/ML models, SaaS dependencies, and hardware all fit in the same schema.

  • Broad tooling support

    Trivy, Syft, Grype, Dependency-Track, and most commercial SCA platforms read and write CycloneDX natively.

  • Regulator-aligned

    Named in CISA SBOM guidance and accepted by US federal software attestation programs — a safe default for procurement.

  • Composable

    Documents can reference each other, which means a product SBOM can point at component SBOMs without duplicating their contents.

How Safeguard uses it

Safeguard generates CycloneDX 1.5 SBOMs by default for every scanned artifact, enriches them with reachability and license data, and ships them with embedded VEX statements so consumers can see which CVEs you have already cleared. The same documents feed the internal risk engine, the inventory use case, and customer-facing compliance exports.

Generate CycloneDX on every build.

Safeguard produces signed, VEX-enriched CycloneDX SBOMs for every repo, image, and release — no custom pipelines required.