A Crystal tool for generating CycloneDX Software Bill of Materials (SBOM) from Crystal shard projects.
## Features

- Generates CycloneDX SBOMs from Crystal `shard.yml` and `shard.lock` files
- Supports multiple output formats: JSON, XML, CSV
- Compatible with CycloneDX spec versions 1.4, 1.5, 1.6, and 1.7
- Automatically generates Package URLs (PURLs) for dependencies
- Docker support for containerized usage
- Fast and lightweight implementation in Crystal
## Installation

Download the latest binary from the releases page.

Homebrew:

```bash
brew install hahwul/cyclonedx-cr/cyclonedx-cr
```

Docker:

```bash
docker run --rm -v $(pwd):/workspace -w /workspace ghcr.io/hahwul/cyclonedx-cr:latest
```

From source (requires Crystal 1.6.2+):

```bash
git clone https://github.com/hahwul/cyclonedx-cr.git
cd cyclonedx-cr
shards install
shards build --release
```

## Usage

Generate an SBOM from your Crystal project:

```bash
cyclonedx-cr
```

This will read `shard.yml` and `shard.lock` from the current directory and output the SBOM to stdout in JSON format.
```
Usage: cyclonedx-cr [arguments]
    -i FILE, --input=FILE        shard.lock file path (default: shard.lock)
    -s FILE, --shard=FILE        shard.yml file path (default: shard.yml)
    -o FILE, --output=FILE       Output file path (default: stdout)
    --spec-version VERSION       CycloneDX spec version (options: 1.4, 1.5, 1.6, 1.7, default: 1.6)
    --output-format FORMAT       Output format (options: json, xml, csv, default: json)
    -h, --help                   Show this help
```

Examples:

```bash
# Write the JSON SBOM to a file instead of stdout
cyclonedx-cr -o sbom.json

# XML output targeting CycloneDX spec version 1.5
cyclonedx-cr --output-format xml --spec-version 1.5 -o sbom.xml

# Custom shard file paths with CSV output
cyclonedx-cr -s my-shard.yml -i my-shard.lock --output-format csv -o sbom.csv
```

Docker:

```bash
# Generate SBOM for current directory
docker run --rm -v $(pwd):/workspace -w /workspace ghcr.io/hahwul/cyclonedx-cr:latest -o sbom.json

# With custom shard files
docker run --rm -v $(pwd):/workspace -w /workspace ghcr.io/hahwul/cyclonedx-cr:latest \
  -s custom-shard.yml -i custom-shard.lock --output-format xml -o sbom.xml
```

GitHub Actions workflow that generates an SBOM on release and attaches it to the release:

```yaml
name: Generate and Upload SBOM
on:
  release:
    types: [created]
jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # Checkout the repository code
      - name: Checkout code
        uses: actions/checkout@v4
      # Generate SBOM using hahwul/cyclonedx-cr action
      - name: Generate SBOM
        uses: hahwul/cyclonedx-cr@v1.0.0
        with:
          shard_file: ./shard.yml   # Explicitly map to shard_file
          lock_file: ./shard.lock   # Explicitly map to lock_file
          output_file: ./sbom.xml   # Map to output_file
          output_format: xml        # Map to output_format
          spec_version: 1.6         # Optional, specify if needed
      # Upload SBOM to GitHub Release
      - name: Upload SBOM to Release
        uses: softprops/action-gh-release@v2
        with:
          files: ./sbom.xml
          token: ${{ secrets.GITHUB_TOKEN }}
```
## Requirements

Your Crystal project must have:

- `shard.yml` file (project configuration)
- `shard.lock` file (locked dependency versions)

Generate the `shard.lock` file by running `shards install` in your Crystal project.
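Once an SBOM has been generated, the consumer's first question is whether it actually reflects the lockfile. The following Python check is an added example, not part of cyclonedx-cr: it parses the `shards:` section of a constructed `shard.lock`, loads a constructed CycloneDX JSON document, and reports locked shards missing from the SBOM, version mismatches, components without a `pkg:` PURL, components absent from the lockfile, and unsupported `specVersion` values. The sample inputs and the PURL form shown are assumptions.

```python
import json

SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6", "1.7"}  # versions cyclonedx-cr can emit


def parse_shard_lock(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the 'shards:' section of shard.lock (name -> {git, version})."""
    shards, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")  # split at the first colon only (URLs contain ':')
        if indent == 2 and not value.strip():       # "  name:" opens a shard entry
            current, shards[key] = key, {}
        elif indent >= 4 and current is not None:   # "    git: ..." / "    version: ..."
            shards[current][key] = value.strip()
    return shards


def check_sbom(sbom_json: str, lock_text: str) -> list[str]:
    """Return findings; an empty list means every locked shard is in the SBOM with its version and a PURL."""
    sbom, lock = json.loads(sbom_json), parse_shard_lock(lock_text)
    findings = []
    if sbom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        findings.append(f"unexpected specVersion {sbom.get('specVersion')!r}")
    components = {c.get("name"): c for c in sbom.get("components", [])}
    for name, meta in lock.items():
        comp = components.get(name)
        if comp is None:
            findings.append(f"{name} is locked but missing from the SBOM")
        elif comp.get("version") != meta.get("version"):
            findings.append(f"{name}: SBOM version {comp.get('version')} != locked {meta.get('version')}")
        elif not str(comp.get("purl", "")).startswith("pkg:"):
            findings.append(f"{name} has no PURL")
    for name in sorted(components.keys() - lock.keys()):
        findings.append(f"{name} is in the SBOM but not in shard.lock")
    return findings


# Constructed sample inputs (not real tool output): a two-shard lockfile and an SBOM that dropped
# one shard. The PURL type shown is an assumption, not the tool's documented form.
LOCK_TEXT = """\
version: 2.0
shards:
  kemal:
    git: https://github.com/kemalcr/kemal.git
    version: 1.4.0
  radix:
    git: https://github.com/luislavena/radix.git
    version: 0.4.1
"""
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "library", "name": "kemal", "version": "1.4.0", "purl": "pkg:github/kemalcr/kemal@1.4.0"}]})
```

Running `check_sbom(SBOM_JSON, LOCK_TEXT)` on the constructed inputs reports that `radix` is locked but missing from the SBOM; an empty list is the pass condition worth gating a release on.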
## Output formats

- JSON: Standard CycloneDX JSON format, suitable for most SBOM tools and platforms.
- XML: CycloneDX XML format, compatible with tools that require XML input.
- CSV: Simplified comma-separated values format for basic analysis and reporting.

## Spec versions

- 1.7: Latest version with full feature support
- 1.6 (default): Latest stable version with broad compatibility
- 1.5: Stable version with broad tool compatibility
- 1.4: Legacy version for compatibility with older tools
## Contributing

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -am 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

## License

This project is licensed under the MIT License. See the LICENSE file for details.