Integrate CycloneDX CLI with Vulnetix. Validate CycloneDX SBOMs for spec compliance, merge multiple SBOMs into one, convert between CycloneDX XML/JSON and SPDX formats.
Install & scan
$ # Homebrew (macOS/Linux) brew install cyclonedx/cyclonedx/cyclonedx-cli # Binary download (Linux x64) curl -L https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64 -o cyclonedx-cli && chmod +x cyclonedx-cli && sudo mv cyclonedx-cli /usr/local/bin/ $ # Validate a CycloneDX SBOM cyclonedx-cli validate --input-file bom.json --input-version v1_6 # Convert CycloneDX JSON to XML cyclonedx-cli convert --input-file bom.json --output-file bom.xml --output-format xml # Convert to SPDX JSON cyclonedx-cli convert --input-file bom.cdx.json --output-file bom.spdx.json --output-format spdxjson
Run CycloneDX CLI in CI
Scan on every push and upload the results to Vulnetix:
- name: Install CycloneDX CLI
run: |
curl -L https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64 -o cyclonedx-cli && chmod +x cyclonedx-cli && sudo mv cyclonedx-cli /usr/local/bin/
- name: Validate and convert SBOM
run: |
cyclonedx-cli validate --input-file bom.json --fail-on-errors
cyclonedx-cli convert --input-file bom.json --output-file bom-v16.json --output-version v1_6
- name: Upload to Vulnetix
run: vulnetix upload --file bom-v16.json
How Vulnetix compares — better together
Vulnetix does not replace CycloneDX CLI. Keep running it. Vulnetix sits on top of CycloneDX CLI — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
| Capability | Vulnetix | CycloneDX CLI |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✓ Core: validate/convert/merge/diff/analyze BOMs across CycloneDX v1.0-1.7 and SPDX JSON 2.3; operates on existing BOMs (add-files can build file BOMs), not source generation. |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What CycloneDX CLI does well
- Official CycloneDX tooling for validate, convert, merge, diff and analyze across CycloneDX XML/JSON/protobuf and SPDX JSON 2.3
- Format and spec-version conversion spanning CycloneDX v1.0 through v1.7, essential for pipeline interoperability
- Merges multiple component/service BOMs into a single aggregate document for multi-module builds
- Built-in RSA keygen, sign and verify commands for enveloped BOM signatures
Where Vulnetix adds to it: CycloneDX CLI is a document-manipulation utility — validate, convert, merge, sign — with no scanning, vuln enrichment, dedup, or prioritisation. Vulnetix generates SBOMs natively and does the security analysis (SCA, exploit-intel, reachability, VEX, autofix) the CLI cannot. Better together: teams can use the CLI to reshape or sign BOMs in transit, while Vulnetix is the scanner-orchestration and prioritisation brain producing and consuming them.
No migration, no rip-and-replace. CycloneDX CLI keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise CycloneDX CLI results in Vulnetix
Upload CycloneDX CLI CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.