v0.2.0

SBOM Artifacts

What are these files?

CycloneDX Software Bill of Materials (SBOM) generated by make sbom.

  • Prod SBOM from requirements/prod.txt; Dev SBOM from requirements/dev.txt (both via pip-audit --format cyclonedx-json).
  • Optional validation via make sbom-validate (CycloneDX CLI), and a brief summary via make sbom-summary.

Key variables: PACKAGE_NAME, SBOM_DIR, SBOM_IGNORE_IDS, and SBOM_CLI.

Files & what they’re for

  • bijux-cli-0.2.0-9b8c4a5.prod.cdx.json — CycloneDX JSON • production • 231 components • spec 1.4

    • Good: Valid CycloneDX; includes app metadata; reasonable component count. — components=231, spec=1.4
    • How to use: Validate with make sbom-validate; scan with grype sbom:cyclonedx:bijux-cli-0.2.0-9b8c4a5.prod.cdx.json or osv-scanner --sbom bijux-cli-0.2.0-9b8c4a5.prod.cdx.json; diff prod↔dev to spot drift.
  • bijux-cli-0.2.0-9b8c4a5.dev.cdx.json — CycloneDX JSON • development • 231 components • spec 1.4

    • Good: Valid CycloneDX; includes app metadata; reasonable component count. — components=231, spec=1.4
    • How to use: Validate with make sbom-validate; scan with grype sbom:cyclonedx:bijux-cli-0.2.0-9b8c4a5.dev.cdx.json or osv-scanner --sbom bijux-cli-0.2.0-9b8c4a5.dev.cdx.json; diff prod↔dev to spot drift.
  • summary.txt — SBOM components summary

    • Good: Up-to-date snapshot lines for each SBOM file present.
    • How to use: Open at a glance; keep in CI logs; regenerate with make sbom-summary.

bijux-cli-0.2.0-9b8c4a5.prod.cdx.json

About this SBOM & how to use it

Type: Production CycloneDX SBOM
Components: 231
CycloneDX spec: 1.4
Serial: urn:uuid:641f3b23-1733-4567-918f-3d8b3e65383d
Generated: 2026-01-26T17:58:21.096419+00:00

  • Validate: make sbom-validate (requires SBOM_CLI={cyclonedx} in PATH).
  • Vuln scan (grype): grype sbom:cyclonedx:bijux-cli-0.2.0-9b8c4a5.prod.cdx.json.
  • Vuln scan (OSV): osv-scanner --sbom bijux-cli-0.2.0-9b8c4a5.prod.cdx.json.
  • License review: inspect components[].licenses or import into your compliance tool.
  • Diff SBOMs: compare dev vs prod JSON to catch environment drift.

bijux-cli-0.2.0-9b8c4a5.dev.cdx.json

About this SBOM & how to use it

Type: Development CycloneDX SBOM
Components: 231
CycloneDX spec: 1.4
Serial: urn:uuid:26754675-7811-425c-8582-3ca64bd13905
Generated: 2026-01-26T17:58:22.216295+00:00

  • Validate: make sbom-validate (requires SBOM_CLI={cyclonedx} in PATH).
  • Vuln scan (grype): grype sbom:cyclonedx:bijux-cli-0.2.0-9b8c4a5.dev.cdx.json.
  • Vuln scan (OSV): osv-scanner --sbom bijux-cli-0.2.0-9b8c4a5.dev.cdx.json.
  • License review: inspect components[].licenses or import into your compliance tool.
  • Diff SBOMs: compare dev vs prod JSON to catch environment drift.
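
The "Diff SBOMs" step above, for both the prod and dev files, as an added example that is not part of the bijux-cli project: it parses two CycloneDX JSON documents, refuses input that is not CycloneDX (so a truncated file cannot diff as "clean"), and reports components present in only one file or pinned at different versions. The two SBOMs are constructed inline with made-up package names and versions.

```python
# Added example (not bijux-cli's own code): diff two CycloneDX JSON SBOMs,
# such as the prod and dev files above, to spot environment drift.
import json

# Constructed sample SBOMs in the shape pip-audit --format cyclonedx-json emits;
# package names and versions are made up. Replace with the real *.cdx.json text.
PROD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "click", "version": "8.1.7", "purl": "pkg:pypi/click@8.1.7"},
        {"type": "library", "name": "rich", "version": "13.7.0", "purl": "pkg:pypi/rich@13.7.0"},
    ],
})
DEV_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "click", "version": "8.1.7", "purl": "pkg:pypi/click@8.1.7"},
        {"type": "library", "name": "rich", "version": "13.9.4", "purl": "pkg:pypi/rich@13.9.4"},
        {"type": "library", "name": "pytest", "version": "8.3.3", "purl": "pkg:pypi/pytest@8.3.3"},
    ],
})


def load_components(text: str) -> dict[str, str]:
    """Parse a CycloneDX JSON SBOM into {component name: version}.

    Refuses non-CycloneDX input so a truncated or wrong-format file cannot
    masquerade as an SBOM with zero components (which would diff as 'clean').
    """
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX JSON document")
    return {c["name"]: c.get("version", "") for c in bom.get("components", [])}


def diff_sboms(base: dict[str, str], other: dict[str, str]) -> dict[str, list]:
    """Report components only in base, only in other, and version mismatches."""
    shared = set(base) & set(other)
    return {
        "only_in_base": sorted(set(base) - set(other)),
        "only_in_other": sorted(set(other) - set(base)),
        "version_changed": sorted((n, base[n], other[n]) for n in shared if base[n] != other[n]),
    }


if __name__ == "__main__":
    for key, items in diff_sboms(load_components(PROD_SBOM), load_components(DEV_SBOM)).items():
        print(f"{key}: {items}")
```

Run it against the real files by replacing the constructed strings with the contents of the prod and dev `.cdx.json` artifacts; an empty result for all three keys means no drift between the two environments.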

summary.txt

About this artifact

A short component count per SBOM file, created by make sbom-summary.