Integrate the CycloneDX npm module with Vulnetix. Generate a CycloneDX SBOM from your npm project, then upload to Vulnetix.
Install & scan
$ # Run directly without install npx @cyclonedx/cyclonedx-npm --help # Or install globally npm install -g @cyclonedx/cyclonedx-npm $ npx @cyclonedx/cyclonedx-npm --output-format JSON --output-file bom.json
Run CycloneDX Node Module in CI
Scan on every push and upload the results to Vulnetix:
- name: Install dependencies run: npm ci - name: Generate CycloneDX SBOM run: npx @cyclonedx/cyclonedx-npm --omit dev --flatten-components --output-format JSON --output-file bom.json - name: Upload to Vulnetix run: vulnetix upload --file bom.json
How Vulnetix compares — better together
Vulnetix does not replace CycloneDX Node Module. Keep running it. Vulnetix sits on top of CycloneDX Node Module — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
CycloneDX Node Module is strongest at its core category and also carries features in License Compliance, SCA — just like Vulnetix spans categories.
| Capability | Vulnetix | CycloneDX Node Module |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ~ Produces complete transitive component inventory from installed npm tree, but performs no vuln scanning |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ~ Captures license metadata and can gather license texts; no license-policy/compliance verdicts |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✓ Core purpose: CycloneDX 1.2–1.6 SBOM (JSON+XML) from npm projects via npm's own resolver; no SPDX |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What CycloneDX Node Module does well
- Official, high-accuracy npm SBOM generator that uses npm's own dependency resolution to produce a complete, deduplicated component inventory including transitive packages
- Runnable via npx with no install, and supports CycloneDX spec versions 1.2–1.6 (default 1.6) in both JSON and XML output
- Faithfully represents the real node_modules nesting (or flattens on demand), and targets OWASP SCVS Level-2 evidence quality (only external signing missing)
- Experimental license-text gathering (--gather-license-texts) collects actual license files from installed components as evidence
Where Vulnetix adds to it: Vulnetix consumes the CycloneDX SBOM this tool emits and adds the layers it deliberately omits: vulnerability and malware matching across the npm tree, install-time package firewall, cross-scanner dedup, EPSS/KEV/LEV exploit-intel prioritisation, reachability, versioned VEX + audit, EOL policy and autofix PRs. It also upgrades output to CycloneDX 1.7 / SPDX 2.3. Better together — the module builds the accurate JS/TS inventory, Vulnetix prioritises and remediates against it.
No migration, no rip-and-replace. CycloneDX Node Module keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise CycloneDX Node Module results in Vulnetix
Upload CycloneDX Node Module CycloneDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.