
# Generate CBOM with the Xygeni CLI

A **Cryptographic Bill of Materials (CBOM)** is a structured inventory of every cryptographic asset — algorithm, protocol, certificate, and key material — found in your project's source code. Xygeni produces CycloneDX 1.6 CBOM JSON using the `inventory --cbom` command.

## What the CBOM covers

Xygeni scans source code across 8 languages and emits four types of cryptographic assets:

| Asset type           | Examples                                                        |
| -------------------- | --------------------------------------------------------------- |
| **Algorithm**        | AES-256-GCM, SHA-256, RSA-3072, Ed25519, MD5 (weak), DES (weak) |
| **Protocol**         | TLS 1.3, TLS 1.2                                                |
| **Certificate**      | PEM/DER files, X.509 certificate references                     |
| **Related material** | PBKDF2 key derivation, key wrapping, IV/salt references         |

**Supported languages:** Java, Kotlin, JavaScript/TypeScript, Python, Go, C#, PHP, Swift.

## Running a CBOM scan

Use the `inventory` command with the `--cbom` flag and specify the output file path:

```
xygeni inventory --cbom cbom-output.json
```

To scan a specific directory:

```
xygeni inventory --dir /path/to/project --cbom cbom-output.json
```

The `--cbom` flag selects the CycloneDX 1.6 format automatically; no `--sbom-format` flag is needed for the CBOM.

## Generating SBOM and CBOM together

`--cbom` is independent from `--sbom` / `--sbom-format`: a single `inventory` invocation can emit both an SBOM and a CBOM, each to its own file, in one pass over the project. This is the recommended way to produce both artifacts in CI — the scanner walks the codebase once and the two reports are guaranteed to describe the same revision.

```
xygeni inventory --dir /path/to/project \
                 --sbom sbom.json --sbom-format cyclonedx \
                 --cbom cbom.json
```

This produces:

* `sbom.json` — the dependency SBOM in the format selected by `--sbom-format` (`cyclonedx` or `spdx`).
* `cbom.json` — the Cryptographic BOM, always CycloneDX 1.6.

Notes:

* `--sbom` and `--sbom-format` must always be used together. `--cbom` may be used with or without them.
* The two outputs are written to separate files; do not point `--sbom` and `--cbom` at the same path.
* When `--sbom-format` is `cyclonedx`, the SBOM and CBOM share the CycloneDX schema family but are distinct documents (one describes components/dependencies, the other describes cryptographic assets).

## Understanding the output

The output is a CycloneDX 1.6 JSON file. Each cryptographic asset appears as a `cryptographic-asset` component with:

* **`cryptoProperties.assetType`** — `algorithm`, `certificate`, `related-crypto-material`, or `protocol`
* **`cryptoProperties.algorithmProperties`** — `primitive`, `mode`, `parameterSetIdentifier` (key size)
* **`evidence.occurrences`** — the exact source file and line number of every usage

Assets are **deduplicated**: if AES-256-GCM is used in ten files, the CBOM carries one component with ten occurrences. This mirrors the IBM cbomkit convention.

### Example output snippet

```json
{
  "type": "cryptographic-asset",
  "name": "AES",
  "cryptoProperties": {
    "assetType": "algorithm",
    "algorithmProperties": {
      "primitive": "ae",
      "mode": "GCM",
      "parameterSetIdentifier": "256"
    }
  },
  "evidence": {
    "occurrences": [
      { "location": "src/main/java/Crypto.java", "line": 42 },
      { "location": "src/main/python/crypto.py", "line": 17 }
    ]
  }
}
```

## Weak and broken algorithms

The CBOM is an **inventory**, not a policy gate. Weak algorithms (MD5, DES, RSA-1024, SHA-1) are included alongside strong ones. Use Xygeni's SAST scanner or policy rules to flag weak crypto as findings — the CBOM data feeds those rules automatically.
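The following script is an added example, not Xygeni's own code and not a substitute for the Xygeni policy rules: it shows how the fields described under "Understanding the output" (`cryptoProperties.assetType`, `algorithmProperties`, `evidence.occurrences`) are consumed, and how a CI step could read the CBOM inventory and report the weak algorithms this section lists, with their source locations. The CBOM document, the deny-list and the minimum RSA size are constructed for the example.

```python
"""Consume a CycloneDX 1.6 CBOM as written by `xygeni inventory --cbom`.

Added example (not Xygeni code): groups cryptographic-asset components by
assetType, counts deduplicated occurrences, and flags algorithms on a
constructed deny-list together with the file:line evidence.
"""
import json
from collections import Counter

# Constructed policy for the example: names the page lists as weak, plus an
# RSA floor so RSA-1024 is reported while RSA-3072 is not.
WEAK_NAMES = {"MD5", "DES", "SHA-1", "SHA1"}
MIN_RSA_BITS = 2048

# Constructed sample CBOM, shaped like the snippet on this page.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "type": "cryptographic-asset",
            "name": "AES",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": "ae", "mode": "GCM",
                                        "parameterSetIdentifier": "256"},
            },
            # one deduplicated component, two usages
            "evidence": {"occurrences": [
                {"location": "src/main/java/Crypto.java", "line": 42},
                {"location": "src/main/python/crypto.py", "line": 17},
            ]},
        },
        {
            "type": "cryptographic-asset",
            "name": "MD5",
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": "hash"}},
            "evidence": {"occurrences": [
                {"location": "src/main/java/Legacy.java", "line": 9}]},
        },
        {
            "type": "cryptographic-asset",
            "name": "RSA",
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": "pke",
                                                         "parameterSetIdentifier": "1024"}},
            "evidence": {"occurrences": [
                {"location": "src/main/go/keys.go", "line": 31}]},
        },
        {
            "type": "cryptographic-asset",
            "name": "TLS 1.3",
            "cryptoProperties": {"assetType": "protocol"},
            "evidence": {"occurrences": [
                {"location": "src/main/go/client.go", "line": 12}]},
        },
    ],
})


def load_components(cbom_text):
    """Return only the cryptographic-asset components of a CycloneDX document."""
    doc = json.loads(cbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c for c in doc.get("components", [])
            if c.get("type") == "cryptographic-asset"]


def count_by_asset_type(components):
    """Histogram of assetType values (algorithm, protocol, certificate, ...)."""
    return dict(Counter(c["cryptoProperties"]["assetType"] for c in components))


def occurrences(component):
    """file:line strings from evidence.occurrences (empty if none recorded)."""
    return [f"{o['location']}:{o['line']}"
            for o in component.get("evidence", {}).get("occurrences", [])]


def total_occurrences(components):
    """Sum of usages across deduplicated components."""
    return sum(len(occurrences(c)) for c in components)


def weak_reason(component):
    """Return why an algorithm asset is weak under the constructed policy, else None."""
    props = component.get("cryptoProperties", {})
    if props.get("assetType") != "algorithm":
        return None
    name = component.get("name", "").upper()
    if name in WEAK_NAMES:
        return f"{name} is a broken algorithm"
    if name == "RSA":
        size = props.get("algorithmProperties", {}).get("parameterSetIdentifier", "")
        if size.isdigit() and int(size) < MIN_RSA_BITS:
            return f"RSA-{size} is below {MIN_RSA_BITS} bits"
    return None


def find_weak_algorithms(components):
    """List of {name, reason, occurrences} for every flagged algorithm asset."""
    findings = []
    for c in components:
        reason = weak_reason(c)
        if reason:
            findings.append({"name": c["name"], "reason": reason,
                             "occurrences": occurrences(c)})
    return findings


if __name__ == "__main__":
    comps = load_components(SAMPLE_CBOM)
    print("assets by type:", count_by_asset_type(comps))
    print("total usages:", total_occurrences(comps))
    for f in find_weak_algorithms(comps):
        print(f"WEAK {f['name']}: {f['reason']}")
        for loc in f["occurrences"]:
            print("   ", loc)
```

To run it against a real scan, replace `SAMPLE_CBOM` with the contents of the file passed to `--cbom`; a non-empty result from `find_weak_algorithms` is the signal a pipeline step would act on. The deny-list is deliberately a plain set so it can be extended to match whatever the organisation's policy rules already flag.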

## CI/CD integration

Add CBOM generation to any CI/CD pipeline by calling the scanner as a build step:

```yaml
# GitHub Actions example — CBOM only
- name: Generate CBOM
  run: xygeni inventory --cbom ${{ github.workspace }}/cbom.json
```

To produce both an SBOM and a CBOM in the same job (one scan, two artifacts):

```yaml
# GitHub Actions example — SBOM + CBOM in one step
- name: Generate SBOM and CBOM
  run: |
    xygeni inventory \
      --sbom ${{ github.workspace }}/sbom.json --sbom-format cyclonedx \
      --cbom ${{ github.workspace }}/cbom.json
```

## Related pages

* [Generate SBOM with the Xygeni CLI](/xygeni-scanner-cli/xygeni-cli-overview/generate-sbom-with-the-xygeni-cli.md)
* [Xygeni Scanner Reference](/xygeni-scanner-cli/xygeni-cli-overview/xygeni-scanner-reference.md)
* [Inventory Scanner](/xygeni-products/application-security-posture-management-aspm/inventory-scanner.md)


