Linux command
npm-sbom command
Text
After copying, replace file names, directories, or parameters as needed.
Common examples
Generate SBOM
npm sbom
Generate in SPDX
npm sbom --sbom-format spdx
Generate in CycloneDX
npm sbom --sbom-format cyclonedx
Output to file
npm sbom --sbom-format cyclonedx > [sbom.json]
Omit dev dependencies
npm sbom --omit dev
Use only package-lock.json
npm sbom --package-lock-only
Description
npm sbom generates a Software Bill of Materials (SBOM) listing all dependencies of the current project. It supports the SPDX and CycloneDX formats, which are industry standards for documenting software supply chain components. The output includes package names, versions, licenses, and dependency relationships.
Parameters
- --sbom-format _FORMAT_: Output format, spdx or cyclonedx (required).
- --sbom-type _TYPE_: Package type: library (default), application, or framework.
- --omit _TYPE_: Omit a dependency type (dev, optional, peer).
- --package-lock-only: Use package-lock.json only, ignoring node_modules.
- --workspace _name_: Run in the context of a specific workspace.
- --workspaces: Run for all configured workspaces.
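Once `npm sbom --sbom-format cyclonedx > sbom.json` has been run, the file is plain JSON and can be audited with a few lines of Python. The block below is an added example (not from this page or from npm): it assumes the CycloneDX 1.5 JSON layout (`components` with `bom-ref`/`licenses`, `dependencies` with `ref`/`dependsOn`) and uses a small constructed SBOM in place of real npm output; the function names are my own.

```python
import json
# Constructed sample in the CycloneDX 1.5 JSON shape (assumed layout; not real npm output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:npm/myapp@1.0.0", "type": "application",
                               "name": "myapp", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.21", "type": "library", "name": "lodash",
         "version": "4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "type": "library", "name": "left-pad",
         "version": "1.3.0"},  # no license declared
    ],
    "dependencies": [
        {"ref": "pkg:npm/myapp@1.0.0", "dependsOn": ["pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": ["pkg:npm/left-pad@1.3.0"]},
    ],
})

def load_components(sbom_text):
    """Map bom-ref -> (name, version, [license ids or SPDX expressions])."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = {}
    for comp in doc.get("components", []):
        # Each entry is {"license": {"id"|"name": ...}} or {"expression": "..."}.
        ids = [lic.get("expression") or lic["license"].get("id") or lic["license"].get("name")
               for lic in comp.get("licenses", [])]
        out[comp["bom-ref"]] = (comp["name"], comp["version"], ids)
    return out

def unlicensed(sbom_text):
    """bom-refs of components that declare no license: flag them for manual review."""
    return sorted(ref for ref, (_, _, ids) in load_components(sbom_text).items() if not ids)

def dependency_path(sbom_text, target_ref):
    """Shortest chain from the root component to target_ref (why is it installed?), or None."""
    doc = json.loads(sbom_text)
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    queue, seen = [[root]], {root}
    while queue:  # breadth-first search over the dependsOn graph
        path = queue.pop(0)
        if path[-1] == target_ref:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

Point `load_components` at the text of a real `sbom.json` to list every package and version, and `dependency_path` at a flagged purl to see which direct dependency pulls it in.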
FAQ
What is the npm-sbom command used for?
npm sbom generates a Software Bill of Materials (SBOM) listing all dependencies of the current project. It supports the SPDX and CycloneDX formats, which are industry standards for documenting software supply chain components. The output includes package names, versions, licenses, and dependency relationships.
How do I run a basic npm-sbom example?
Run `npm sbom` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
What does --sbom-format _FORMAT_ do in npm-sbom?
Output format: spdx or cyclonedx (required).