SBOM Generation

Generate Software Bills of Materials (SBOMs) for compliance and supply chain security.

Quick Start

gln sbom

Output Formats

CycloneDX (Default)

gln sbom --format cyclonedx --output sbom.json

Industry standard for security use cases.

SPDX

gln sbom --format spdx --output sbom.spdx.json

Open standard endorsed by the Linux Foundation.

What’s Included

Component	Description
Dependencies	All npm packages and versions
Licenses	License information for each package
Hashes	Integrity hashes for verification
Vulnerabilities	Known CVEs (with `--static`)

Static Analysis

Include vulnerability scanning:

gln sbom --static

This adds:

Known CVE matches
Security advisories
Recommended updates

CI/CD Integration

GitHub Actions

- name: Generate SBOM
  run: npx @dotsetlabs/gluon sbom --output sbom.json

- name: Upload SBOM
  uses: actions/upload-artifact@v3
  with:
    name: sbom
    path: sbom.json

npm Script

{
  "scripts": {
    "sbom": "gln sbom --output sbom.json"
  }
}

Compliance

SBOMs help with:

Executive Order 14028 — US federal software security requirements
EU Cyber Resilience Act — European security standards
SOC 2 — Supply chain documentation
ISO 27001 — Asset inventory requirements

Gluon

​SBOM Generation

​Quick Start

​Output Formats

​CycloneDX (Default)

​SPDX

​What’s Included

​Static Analysis

​CI/CD Integration

​GitHub Actions

​npm Script

​Compliance