Tool integration

CycloneDX CLI Integration Guide

Official CycloneDX CLI — merge, validate, convert, and sign SBOMs between formats and spec versions

Get a Free API Key

Integrate CycloneDX CLI with Vulnetix. Validate CycloneDX SBOMs for spec compliance, merge multiple SBOMs into one, convert between CycloneDX XML/JSON and SPDX formats.

CycloneDX / SPDX (format conversion)CLI toolCycloneDXSPDX

Install & scan

$ # Homebrew (macOS/Linux)
brew install cyclonedx/cyclonedx/cyclonedx-cli

# Binary download (Linux x64)
curl -L https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64   -o cyclonedx-cli && chmod +x cyclonedx-cli && sudo mv cyclonedx-cli /usr/local/bin/
$ # Validate a CycloneDX SBOM
cyclonedx-cli validate   --input-file bom.json   --input-version v1_6

# Convert CycloneDX JSON to XML
cyclonedx-cli convert   --input-file bom.json   --output-file bom.xml   --output-format xml

# Convert to SPDX JSON
cyclonedx-cli convert   --input-file bom.cdx.json   --output-file bom.spdx.json   --output-format spdxjson

Run CycloneDX CLI in CI

Scan on every push and upload the results to Vulnetix:

- name: Install CycloneDX CLI
  run: |
    curl -L https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64       -o cyclonedx-cli && chmod +x cyclonedx-cli && sudo mv cyclonedx-cli /usr/local/bin/

- name: Validate and convert SBOM
  run: |
    cyclonedx-cli validate --input-file bom.json --fail-on-errors
    cyclonedx-cli convert --input-file bom.json --output-file bom-v16.json --output-version v1_6

- name: Upload to Vulnetix
  run: vulnetix upload --file bom-v16.json

How Vulnetix compares — better together

Vulnetix does not replace CycloneDX CLI. Keep running it. Vulnetix sits on top of CycloneDX CLI — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CapabilityVulnetixCycloneDX CLI
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signableCore: validate/convert/merge/diff/analyze BOMs across CycloneDX v1.0-1.7 and SPDX JSON 2.3; operates on existing BOMs (add-files can build file BOMs), not source generation.
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What CycloneDX CLI does well

Where Vulnetix adds to it: CycloneDX CLI is a document-manipulation utility — validate, convert, merge, sign — with no scanning, vuln enrichment, dedup, or prioritisation. Vulnetix generates SBOMs natively and does the security analysis (SCA, exploit-intel, reachability, VEX, autofix) the CLI cannot. Better together: teams can use the CLI to reshape or sign BOMs in transit, while Vulnetix is the scanner-orchestration and prioritisation brain producing and consuming them.

No migration, no rip-and-replace. CycloneDX CLI keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise CycloneDX CLI results in Vulnetix

Upload CycloneDX CLI CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

CycloneDX CLI documentation ↗  ·  Source repository ↗

Wire CycloneDX CLI into your CI/CD pipeline →