Lesson 8
April 26, 2026 · View on GitHub
Learning Objective
In this lesson, you will generate SBOMs directly from a git URL and a package URL (purl), then run bom-audit as part of the same flow.
By the end, you will be able to:
- Generate SBOMs without manually cloning source repositories.
- Control branch selection with
--git-branch. - Run
--bom-auditfor remotely resolved sources. - Apply host allowlists for safer remote-source scans.
Pre-requisites
- Node.js ≥ 20
@cyclonedx/cdxgeninstalled
npm install -g @cyclonedx/cdxgen
Step 1: Generate SBOM from a git URL
cdxgen -t java -o bom-git.json --git-branch main https://github.com/HooliCorp/java-sec-code.git
This command clones to a temporary directory, runs the regular multi-type pipeline, and removes the temporary clone after completion.
Step 2: Generate SBOM from a purl
cdxgen -t js -o bom-purl.json "pkg:npm/lodash@4.17.21"
For purl inputs, cdxgen queries the package registry, resolves a repository URL, clones it, and scans it.
Warning: Registry metadata can be inaccurate or malicious. Validate resolved repositories before relying on generated SBOMs.
Step 3: Run bom-audit on remote sources
cdxgen -t js -o bom-purl-audit.json --bom-audit "pkg:npm/lodash@4.17.21"
--bom-audit runs after SBOM generation and post-processing. Findings can be embedded as CycloneDX annotations based on your spec version and profile settings.
Step 4: Use allowlists for remote scanning
Configure host allowlists before scanning remote sources in sensitive environments.
export CDXGEN_GIT_ALLOWED_HOSTS="github.com"
# Registry lookups for purl metadata still use CDXGEN_ALLOWED_HOSTS
export CDXGEN_ALLOWED_HOSTS="registry.npmjs.org,github.com"
cdxgen -t js -o bom-safe.json "pkg:npm/lodash@4.17.21"
For server mode, the same scan can be requested via:
curl "http://127.0.0.1:9090/sbom?url=pkg:npm/lodash@4.17.21&type=js&multiProject=true"
Going further
- Review SERVER.md for secure server deployment and allowlist setup.
- Review BOM_AUDIT.md for category/severity tuning.
- Review THREAT_MODEL.md for remote source and purl lookup risks.