Tool integration

CycloneDX Node Module Integration Guide

Most accurate CycloneDX SBOM generator for npm projects, runnable via npx

Get a Free API Key

Integrate the CycloneDX npm module with Vulnetix. Generate a CycloneDX SBOM from your npm project, then upload to Vulnetix.

CLI toolCycloneDX

Install & scan

$ # Run directly without install
npx @cyclonedx/cyclonedx-npm --help

# Or install globally
npm install -g @cyclonedx/cyclonedx-npm
$ npx @cyclonedx/cyclonedx-npm --output-format JSON --output-file bom.json

Run CycloneDX Node Module in CI

Scan on every push and upload the results to Vulnetix:

- name: Install dependencies
  run: npm ci

- name: Generate CycloneDX SBOM
  run: npx @cyclonedx/cyclonedx-npm --omit dev --flatten-components --output-format JSON --output-file bom.json

- name: Upload to Vulnetix
  run: vulnetix upload --file bom.json

How Vulnetix compares — better together

Vulnetix does not replace CycloneDX Node Module. Keep running it. Vulnetix sits on top of CycloneDX Node Module — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CycloneDX Node Module is strongest at its core category and also carries features in License Compliance, SCA — just like Vulnetix spans categories.

CapabilityVulnetixCycloneDX Node Module
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph~ Produces complete transitive component inventory from installed npm tree, but performs no vuln scanning
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy~ Captures license metadata and can gather license texts; no license-policy/compliance verdicts
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signableCore purpose: CycloneDX 1.2–1.6 SBOM (JSON+XML) from npm projects via npm's own resolver; no SPDX
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What CycloneDX Node Module does well

Where Vulnetix adds to it: Vulnetix consumes the CycloneDX SBOM this tool emits and adds the layers it deliberately omits: vulnerability and malware matching across the npm tree, install-time package firewall, cross-scanner dedup, EPSS/KEV/LEV exploit-intel prioritisation, reachability, versioned VEX + audit, EOL policy and autofix PRs. It also upgrades output to CycloneDX 1.7 / SPDX 2.3. Better together — the module builds the accurate JS/TS inventory, Vulnetix prioritises and remediates against it.

No migration, no rip-and-replace. CycloneDX Node Module keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise CycloneDX Node Module results in Vulnetix

Upload CycloneDX Node Module CycloneDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

CycloneDX Node Module documentation ↗  ·  Source repository ↗

Wire CycloneDX Node Module into your CI/CD pipeline →