This repo contains binary executables that could be invoked by cdxgen.
Install cdxgen, which installs this plugin as an optional dependency.
```bash
sudo npm install -g @cyclonedx/cdxgen
```

cdxgen would automatically use the plugins from the global node_modules path to enrich the SBOM output for certain project types such as docker.
The published packages currently bundle helper binaries such as:
- `trivy-cdxgen-*` for container/rootfs OS package inventory
- `osqueryi-*` for live-host OBOM collection
- `sourcekitten` and `dosai` for Swift/.NET enrichment
- `trustinspector-cdxgen-*` for deep trust inspection of repository keyrings, CA stores, macOS code-sign/notarization state, and Windows Authenticode / WDAC policy inventory
Each packaged plugins/ directory now includes:
- `sbom-postbuild.cdx.json` — a post-build CycloneDX inventory of the bundled helpers
- `plugins-manifest.json` — a lightweight provenance bundle containing the generated-at timestamp, package identity, and per-plugin component metadata (purl, version, hash, binary path, and merged SBOM reference)
cdxgen reads plugins-manifest.json automatically when present so the generated BOM can record more precise helper-tool identity/version data under metadata.tools.
The manifest is data only. cdxgen does not execute commands, scripts, or paths from it; the file is parsed as JSON and used only to tighten helper provenance in metadata.tools.
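The following is an added example (not cdxgen's own code, nor this repo's) of the consumption model the two paragraphs above describe: the manifest is loaded strictly as JSON, each recorded hash is checked against the helper binary actually present in the plugins directory, and only verified entries are turned into CycloneDX `metadata.tools.components` records. Nothing from the manifest is executed. The key names used here (`generatedAt`, `package`, `plugins[].name/version/purl/binary/sha256/sbom`) are assumptions; only the kinds of fields (timestamp, package identity, purl, version, hash, binary path, SBOM reference) come from the README. The manifest, the stand-in "binaries" and the tampering step are all constructed inside a temporary directory.

```python
"""Treat plugins-manifest.json as data only: verify recorded helper hashes
against the files on disk, then emit CycloneDX metadata.tools components.

Added example, not cdxgen's own code. Manifest key names are assumptions.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file so large helper binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(path: str) -> dict:
    """Parse the manifest strictly as JSON; no field is ever executed or eval'd."""
    with open(path, "r", encoding="utf-8") as f:
        manifest = json.load(f)
    if not isinstance(manifest, dict) or not isinstance(manifest.get("plugins"), list):
        raise ValueError("manifest must be a JSON object with a 'plugins' array")
    return manifest


def verify_plugins(manifest: dict, plugins_dir: str) -> dict:
    """Return {plugin name: 'ok' | 'missing' | 'hash-mismatch' | 'path-escape'}.

    A binary path is resolved relative to plugins_dir and must stay inside it;
    a manifest that points outside the plugin directory is not trusted.
    """
    results = {}
    root = os.path.realpath(plugins_dir)
    for entry in manifest["plugins"]:
        name = entry["name"]
        full = os.path.realpath(os.path.join(root, entry["binary"]))
        if os.path.commonpath([root, full]) != root:
            results[name] = "path-escape"
        elif not os.path.isfile(full):
            results[name] = "missing"
        elif sha256_file(full).lower() != entry["sha256"].lower():
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def to_metadata_tools(manifest: dict, results: dict) -> list:
    """CycloneDX metadata.tools.components entries for verified helpers only."""
    components = []
    for entry in manifest["plugins"]:
        if results.get(entry["name"]) != "ok":
            continue
        components.append({
            "type": "application",
            "name": entry["name"],
            "version": entry["version"],
            "purl": entry["purl"],
            "hashes": [{"alg": "SHA-256", "content": entry["sha256"]}],
        })
    return components


def demo() -> tuple:
    """Stage two constructed helper stand-ins, record them, then tamper with one."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        good = os.path.join(plugins_dir, "trivy-cdxgen-linux-amd64")
        tampered = os.path.join(plugins_dir, "osqueryi-linux-amd64")
        with open(good, "wb") as f:
            f.write(b"\x7fELF constructed trivy helper stand-in\n")
        with open(tampered, "wb") as f:
            f.write(b"\x7fELF constructed osquery helper stand-in\n")

        manifest = {  # constructed manifest; key names are assumptions
            "generatedAt": "2024-01-01T00:00:00Z",
            "package": "@cyclonedx/cdxgen-plugins-bin",
            "plugins": [
                {"name": "trivy", "version": "0.0.0-example",
                 "purl": "pkg:generic/trivy@0.0.0-example",
                 "binary": "trivy-cdxgen-linux-amd64",
                 "sha256": sha256_file(good), "sbom": "sbom-postbuild.cdx.json"},
                {"name": "osqueryi", "version": "0.0.0-example",
                 "purl": "pkg:generic/osqueryi@0.0.0-example",
                 "binary": "osqueryi-linux-amd64",
                 "sha256": sha256_file(tampered), "sbom": "sbom-postbuild.cdx.json"},
                {"name": "escaped-example", "version": "0.0.0-example",
                 "purl": "pkg:generic/escaped-example@0.0.0-example",
                 "binary": "../outside-plugins-dir",  # hypothetical bad path
                 "sha256": "00" * 32, "sbom": "sbom-postbuild.cdx.json"},
            ],
        }
        manifest_path = os.path.join(plugins_dir, "plugins-manifest.json")
        with open(manifest_path, "w", encoding="utf-8") as f:
            json.dump(manifest, f)

        # Simulate a post-publish modification of one helper binary.
        with open(tampered, "ab") as f:
            f.write(b"injected bytes\n")

        loaded = load_manifest(manifest_path)
        results = verify_plugins(loaded, plugins_dir)
        return results, to_metadata_tools(loaded, results)


if __name__ == "__main__":
    r, t = demo()
    print(json.dumps({"verification": r, "metadata.tools.components": t}, indent=2))
```

The point of checking the hash before use is that the manifest is only as trustworthy as the package that shipped it; comparing the recorded digest with the file on disk catches a helper binary that was altered after the manifest was generated, and the path containment check refuses a manifest entry that names a file outside the plugins directory.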
The main test workflow now includes an explicit Windows smoke path that verifies:
- `build.ps1` stages `trustinspector-cdxgen-windows-amd64.exe`
- `plugins/plugins-manifest.json` is generated on Windows and includes `trustinspector`
- `trustinspector host` returns Windows host findings
- `trustinspector paths <signed binary>` returns Authenticode properties on the runner
