cyclonedx
Safeguard articles tagged "cyclonedx" — guides, analysis, and best practices for software supply chain and application security.
71 articles
How to Generate an SBOM in a GitLab CI Pipeline
A working .gitlab-ci.yml for SBOM generation with Syft: CycloneDX report artifacts, a Grype scan stage, and Cosign attestations pushed next to the image.
SBOM Tooling Landscape in 2023: What Actually Works
The SBOM tooling ecosystem has matured significantly, but choosing the right tools still requires understanding the tradeoffs between formats, generators, and analysis platforms.
How to Generate SBOMs From Maven Projects
Produce accurate CycloneDX SBOMs from Maven builds using the official plugin, handle multi-module reactors, and ship attested SBOMs alongside your JARs.
How to Structure an SBOM Review Process
Build a repeatable SBOM review workflow that catches license risks, stale dependencies, and unexpected components before they ship to customers.
CycloneDX v1.5: New Features and What They Mean for Your SBOM Program
CycloneDX v1.5 introduced formulation, machine learning BOMs, and expanded evidence. Here is what changed and how to take advantage of it.
Anchore Syft: The Go-To Open Source SBOM Generator
A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container scanning, and integration patterns.
SBOM Format Conversion: Tools and Techniques
Your supplier sends SPDX, your platform expects CycloneDX. Here's how to convert between SBOM formats without losing critical data.
How to Create Your First SBOM
A practical, step-by-step guide to generating your first Software Bill of Materials using open-source tools and integrating it into your development workflow.
CycloneDX Specification Deep Dive: Beyond the Basics
CycloneDX is more than a component list. This deep dive covers services, vulnerabilities, compositions, and the parts of the spec most teams overlook.
SBOM Formats Compared: CycloneDX vs SPDX in 2022
Two SBOM standards are competing for adoption. CycloneDX and SPDX take fundamentally different approaches to describing software components. Here's what matters when choosing between them.
Understanding SBOM Requirements Under EO 14028
Executive Order 14028 mandates SBOMs for federal software procurement. Here's a practical breakdown of what's required, what formats to use, and how to get compliant.