SBOM Export
A Software Bill of Materials (SBOM) is a comprehensive inventory of all software components in your project. Many compliance frameworks and enterprise customers require SBOMs.
Supported Formats
CodeStax supports exporting SBOMs in two industry-standard formats:
SPDX (Software Package Data Exchange)
- Standard: ISO/IEC 5962:2021
- Format: JSON
- Used by: Government agencies, automotive, healthcare
- Required by: US Executive Order 14028 for federal software suppliers
CycloneDX
- Standard: OWASP CycloneDX
- Format: JSON
- Used by: Security teams, DevSecOps pipelines
- Features: Vulnerability references, license info, dependency graph
Generating an SBOM
- Go to Dashboard → SCA
- Select a repository
- Navigate to the SBOM tab
- Choose your format (SPDX or CycloneDX)
- Click Export
The SBOM is generated from the latest SCA scan results, so it reflects the dependency tree as of that scan; re-run the scan before exporting if dependencies have changed since.
SBOM Contents
Each SBOM includes:
- Project metadata — Name, version, repository URL
- Component list — Every dependency with name, version, and package URL (purl)
- License information — SPDX license identifiers for each component
- Vulnerability references — CVE IDs linked to each component
- Dependency relationships — Direct vs transitive dependency mapping
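As an added example (not CodeStax's own code or output), the following Python reads a CycloneDX export laid out per the public CycloneDX JSON schema and checks it for the fields listed above: a purl and license identifier on every component, CVE references per component, and direct versus transitive relationships derived from the dependency graph. The sample SBOM, its package entries and the CVE id are constructed placeholders.

```python
import json

# Constructed sample export (not a real CodeStax SBOM), laid out per the
# CycloneDX JSON schema: one direct dependency that pulls in one transitive one.
# The CVE id is a placeholder, not a real advisory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.2.0"}},
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/minimist@1.2.5", "name": "minimist", "version": "1.2.5",
         "purl": "pkg:npm/minimist@1.2.5", "licenses": []},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/lodash@4.17.20"]},
        {"ref": "pkg:npm/lodash@4.17.20", "dependsOn": ["pkg:npm/minimist@1.2.5"]},
    ],
    "vulnerabilities": [{"id": "CVE-0000-00000", "affects": [{"ref": "pkg:npm/minimist@1.2.5"}]}],
})

def audit_sbom(sbom_json: str) -> dict:
    """Summarise a CycloneDX SBOM: direct vs transitive components (from the
    dependency graph), CVE refs per component, and missing purl/license data."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    # Depth-first walk from the direct dependencies; anything else reached is transitive.
    seen, stack = set(), list(direct)
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(graph.get(ref, []))
    cves: dict = {}
    for vuln in bom.get("vulnerabilities", []):
        for hit in vuln.get("affects", []):
            cves.setdefault(hit["ref"], []).append(vuln["id"])
    comps = bom.get("components", [])
    return {
        "direct": sorted(direct),
        "transitive": sorted(seen - direct),
        "cves": cves,
        "missing_purl": [c["name"] for c in comps if not c.get("purl")],
        # Accept either an SPDX id or an SPDX expression as license information.
        "missing_license": [c["name"] for c in comps if not any(
            lic.get("license", {}).get("id") or lic.get("expression")
            for lic in c.get("licenses", []))],
    }
```

Components reported under `missing_license` or `missing_purl` are the ones a downstream consumer cannot match to a license policy or a vulnerability database, so they are worth resolving before the export is shared.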
Plan Availability
| Plan | SBOM Export |
|---|---|
| Free | Not available |
| Pro | Not available |
| Team | SPDX + CycloneDX |
| Enterprise | SPDX + CycloneDX |