SBOM Generation Tools Compared: Syft, Trivy, cdxgen, and More

SBOM generation tools analyze your software projects and produce machine-readable Software Bills of Materials in standard formats like CycloneDX and SPDX. These tools scan dependency manifests, lock files, container images, and sometimes compiled binaries to create a complete inventory of every component in your software. Choosing the right tool depends on your programming language ecosystem, deployment model, output format requirements, and CI/CD integration needs.

Why SBOM Generation Tools Matter

SBOM generation is the foundation of the SBOM lifecycle. Without accurate generation, downstream activities — vulnerability monitoring, license compliance, supply chain risk management — have nothing to work with.

Manual SBOM creation is not practical. A typical modern application has hundreds of dependencies, many of them transitive. Automated tooling is the only reliable way to produce complete, accurate SBOMs at the pace of modern software development.

The SBOM generation tool landscape has matured significantly. Several open source tools now support dozens of package ecosystems, multiple output formats, and integration with CI/CD pipelines and container registries.

Tool Comparison

The following comparison covers the most widely used open source SBOM generation tools as of early 2026.

Overview

sbomify

sbomify is an open source SBOM platform that covers the full SBOM lifecycle: generation, augmentation, enrichment, storage, distribution, and vulnerability monitoring. Importantly, sbomify is not a standalone SBOM generator — the sbomify GitHub Action automatically selects the best generation tool for your ecosystem (such as Syft, cdxgen, or the CycloneDX ecosystem plugins) and then improves the quality of the generated SBOM through enrichment and augmentation. This means you get the most accurate generation for your stack, combined with metadata improvements that raw generators don’t provide — all in one step.

Strengths:

• Uses the best underlying generator for each ecosystem, then enriches and augments the output
• Automatic metadata augmentation: adds supplier, manufacturer, and contact information to meet NTIA minimum elements
• Enrichment from 11+ data sources (deps.dev, ClearlyDefined, PyPI, crates.io, LicenseDB, and more) for license, hash, and lifecycle data
• Native CI/CD integration via GitHub Action, GitLab CI, and Bitbucket Pipelines
• Outputs both CycloneDX and SPDX formats
• Built-in vulnerability monitoring via Google OSV and OWASP Dependency-Track integration
• Trust Center for distributing SBOMs and compliance documents to customers
• Supports all major ecosystems: Python, JavaScript, Java, Go, Rust, Ruby, PHP, .NET, Swift, Dart, Elixir, Scala, C/C++, Docker, Terraform, Yocto

Considerations:

• Not a standalone generator — it wraps and improves the output of other generation tools
• Full platform features (Trust Center, vulnerability monitoring) require the cloud service or self-hosted deployment

Basic usage (GitHub Actions):

- uses: sbomify/github-action@master
  env:
    LOCK_FILE: package-lock.json
    OUTPUT_FILE: sbom.cdx.json
    ENRICH: true
    UPLOAD: false

See our CI/CD guide for GitHub Actions, GitLab CI, and Bitbucket Pipelines examples.

Syft

Syft is Anchore’s open source SBOM generation tool. It supports a broad range of package ecosystems and can scan source directories, container images (both local and from registries), and archive files.

Strengths:

• Wide ecosystem support: APK, DEB, RPM, npm, PyPI, Maven, Go, Rust, Ruby, PHP, and more
• Container image scanning with layer-by-layer analysis
• Outputs CycloneDX, SPDX 2.3, and its own Syft JSON format
• Pairs naturally with Grype for vulnerability scanning
• Active development with frequent releases

Considerations:

• Does not resolve dependency trees from source manifests as deeply as some language-specific tools
• No native vulnerability scanning (use Grype separately)

Basic usage:

# Scan a directory
syft dir:/path/to/project -o cyclonedx-json

# Scan a container image
syft registry:nginx:latest -o spdx-json

Trivy

Trivy is Aqua Security’s comprehensive security scanner. While best known for vulnerability scanning, Trivy also generates SBOMs and can scan a wider range of targets than most dedicated SBOM tools.

Strengths:

• Combined SBOM generation and vulnerability scanning in a single tool
• Scans source directories, container images, VM images, Kubernetes clusters, and IaC files
• Outputs CycloneDX and SPDX
• Detects both OS-level packages and language-specific dependencies
• Extensive ecosystem: npm, PyPI, Maven, Go, Rust, Ruby, NuGet, and more

Considerations:

• SBOM generation is one feature among many; some SBOM-specific features may lag behind dedicated tools
• Output verbosity can vary between scan targets

Basic usage:

# Generate SBOM from a directory
trivy fs /path/to/project --format cyclonedx --output sbom.json

# Generate SBOM from a container image
trivy image nginx:latest --format spdx-json --output sbom.spdx.json

cdxgen

cdxgen (CycloneDX Generator) is the official CycloneDX SBOM generation tool, maintained by the AppThreat team under the CycloneDX project. It focuses on deep analysis of language-specific dependency trees.

Strengths:

• Deep dependency resolution for many ecosystems (Java, JavaScript, Python, Go, Rust, .NET, Ruby, PHP, Swift, and more)
• Generates evidence-based SBOMs with call graph analysis for supported languages
• Supports SBOM signing and attestation workflows
• Active development with rapid feature additions
• Can generate SBOMs from container images and binary files

Considerations:

• CycloneDX output only (no native SPDX support)
• Requires Node.js runtime
• Some advanced features (call graph analysis) require language-specific toolchain setup

Basic usage:

# Scan a project directory
cdxgen -o sbom.json /path/to/project

# Scan a container image
cdxgen -t docker -o sbom.json nginx:latest

Microsoft SBOM Tool

Microsoft SBOM Tool is Microsoft’s open source tool for SBOM generation, designed for integration with build systems and CI/CD pipelines.

Strengths:

• Designed for CI/CD integration with structured build output support
• Supports npm, NuGet, PyPI, Maven, Go, Rust, and more
• Validates generated SBOMs against NTIA minimum element requirements
• Integrates with Azure DevOps and GitHub Actions

Considerations:

• SPDX 2.2 output only (no CycloneDX support)
• Requires .NET runtime
• Ecosystem support is narrower than Syft or Trivy

Basic usage:

# Generate SBOM from build output
sbom-tool generate -b /path/to/build -bc /path/to/source -pn my-app -pv 1.0.0 -ps my-org

CycloneDX Ecosystem Tools

The CycloneDX project maintains a collection of language-specific SBOM generation libraries and CLI tools. These are purpose-built for individual ecosystems and produce highly accurate results for their target languages.

Strengths:

• Deepest possible integration with each language’s package manager
• Most accurate dependency resolution for the target ecosystem
• Native CycloneDX output

Considerations:

• Language-specific: you need a different tool for each ecosystem in your stack
• CycloneDX format only
• Variable feature sets between language implementations

For a complete listing of language-specific tools and guides, see our SBOM generation guides and resources page.

Choosing a Tool

Single vs. Multi-Ecosystem

If your organization uses a single language ecosystem, a language-specific CycloneDX plugin or SPDX tool will produce the most accurate results. If you work across multiple ecosystems (which most organizations do), a multi-ecosystem tool like sbomify, Syft, Trivy, or cdxgen provides consistency and simplifies CI/CD integration. If you also need SBOM management, vulnerability monitoring, and distribution, sbomify provides these in an integrated platform rather than requiring separate tools.

Format Requirements

If you need CycloneDX output, all tools listed here support it except Microsoft SBOM Tool. If you need SPDX output, Syft, Trivy, and Microsoft SBOM Tool support it. If you need both, Syft and Trivy are the most flexible. For format conversion, the CycloneDX CLI can convert between formats.

See our SBOM formats comparison for help choosing a format.

Container Image Support

For container security workflows, Syft and Trivy both provide strong container image scanning with layer-by-layer analysis. cdxgen also supports container images. Microsoft SBOM Tool does not scan container images directly.

For Docker-specific SBOM generation instructions, see our Docker SBOM guide.

CI/CD Integration

All major SBOM generation tools can be integrated into CI/CD pipelines. The sbomify GitHub Action provides a streamlined way to generate and manage SBOMs in GitHub workflows. Trivy and Syft both provide official GitHub Actions and support integration with most CI/CD platforms.

Benchmarking SBOM Tools

Different tools may produce different results for the same project — varying in the number of components detected, the accuracy of version information, and the completeness of transitive dependency resolution.

The sbom-benchmarks repository provides a framework for comparing SBOM generation tools against reference projects, along with examples of how to run each tool. Benchmarking against your own projects is the best way to evaluate which tool produces the most accurate and complete results for your specific technology stack.

Best Practices

1. Generate SBOMs from resolved dependencies. Use lock files and build outputs rather than unresolved manifests. Lock files capture exact versions including transitive dependencies; manifests may contain version ranges that resolve differently in different environments.

2. Automate in CI/CD. Integrate SBOM generation into your build pipeline so every release automatically produces an SBOM. See our language-specific guides for setup instructions.

3. Validate generated SBOMs. Use validation tools like the CycloneDX Validator or SPDX Online Tools to ensure your SBOMs conform to the specification. Invalid SBOMs may be rejected by consumers or analysis tools.

4. Combine tools for container SBOMs. A language-specific tool may miss OS-level packages in your container image. Use both a language-specific tool (for precise application dependency resolution) and a container scanner (for OS packages from the base image) to produce a complete picture.

5. Benchmark against your stack. Run multiple tools against your actual projects and compare the results. The best tool for a Python project may not be the best tool for a Java project.

6. Feed SBOMs into monitoring. SBOM generation is the starting point, not the end. Ingest generated SBOMs into a management platform like sbomify for integrated vulnerability monitoring, or use OWASP Dependency-Track for standalone analysis. See our SBOM management guide for the full lifecycle.

Frequently Asked Questions

What are SBOM generation tools?

SBOM generation tools are software that analyzes your projects — source code, dependency files, container images, or compiled binaries — and produces a machine-readable Software Bill of Materials in a standard format like CycloneDX or SPDX. Leading standalone generators include Syft (Anchore), Trivy (Aqua Security), cdxgen (CycloneDX), Microsoft SBOM Tool, and language-specific CycloneDX plugins. Platforms like sbomify wrap the best generator for your ecosystem and then enrich and augment the output for higher quality SBOMs.

What is the best SBOM generation tool?

There is no single best tool — the right choice depends on your ecosystems, format requirements, and workflow. For an integrated platform that selects the best generator for your ecosystem and then enriches, augments, and manages the output, sbomify covers the full lifecycle. For multi-ecosystem coverage with both CycloneDX and SPDX support as standalone CLI tools, Syft and Trivy are versatile options. For deep language-specific analysis, CycloneDX ecosystem plugins and cdxgen provide the most accurate results. For SPDX-only workflows integrated with Azure DevOps, Microsoft SBOM Tool is purpose-built.

How do I generate an SBOM?

Install an SBOM generation tool (Syft, Trivy, or cdxgen are good starting points for CLI use), point it at your project directory or container image, and specify your desired output format. For example: syft dir:. -o cyclonedx-json > sbom.json. For production use, integrate SBOM generation into your CI/CD pipeline using the sbomify GitHub Action, which handles generation, enrichment, and augmentation in one step. See our language-specific SBOM guides for detailed instructions.

What format should my SBOM be in?

Choose CycloneDX for security-focused use cases and SPDX for license compliance focus. For EU CRA compliance via BSI TR-03183-2, you need CycloneDX 1.6+ or SPDX 3.0.1+. Most other compliance frameworks accept both formats. See our SBOM formats comparison for detailed guidance.

How do I validate an SBOM?

Use format-specific validation tools: the CycloneDX Validator for CycloneDX SBOMs and SPDX Online Tools for SPDX SBOMs. Validation checks structural correctness, required fields, and specification conformance. Additionally, tools like sbomqs can score SBOM quality beyond basic structural validity.