Create SBOMs (Software Bill of Materials) in CycloneDX format for your Vite and Rollup projects, including only the software you're really shipping to production.
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components.
| Plugin | Vite | Rollup | Node |
|---|---|---|---|
| v1 | v4, v5 | v3, v4 | 18, 20 |
We're always supporting LTS Node.js versions and versions which still have security support. Plugin support will be dropped once a Node.js version reaches its final EOL.
You can install the plugin via NPM with your favorite package manager:
npm install --save-dev rollup-plugin-sbom
pnpm install -D rollup-plugin-sbom
yarn add --dev rollup-plugin-sbomUsage with Vite
import { defineConfig } from "vite";
import sbom from "rollup-plugin-sbom";
export default defineConfig({
plugins: [sbom()],
});Usage with Rollup
import sbom from "rollup-plugin-sbom";
export default {
plugins: [sbom()],
};| Name | Default | Description |
|---|---|---|
specVersion |
1.5 |
The CycloneDX specification version to use |
rootComponentType |
application |
The root component type, can be library or application |
outDir |
cyclonedx |
The output directory where the BOM file will be saved. |
outFilename |
bom |
The base filename for the SBOM files. |
outFormats |
['json', 'xml'] |
The formats to output. Can be any of json and xml. |
saveTimestamp |
true |
Whether to save the timestamp in the BOM metadata. |
autodetect |
true |
Whether to get the root package registered automatically. |
generateSerial |
false |
Whether to generate a serial number for the BOM. |
includeWellKnown |
true |
Whether to generate a SBOM in the well-known directory. |
The main purpose of this repository is to continue evolving the plugin, making it faster and easier to use. We are grateful to the community for contributing bugfixes and improvements. Read below to learn how you can take part in improving the plugin.
We have a list of good first issues that contain bugs that have a relatively limited scope. This is a great place to get started.
Thanks goes to these wonderful people (emoji key):
 Jan R. Biasi 💼 💬 🧑🏫 💻 |
 Jan Kott 💻 🤔 🖋 |
The plugin is licensed under MIT License
![allcontributors[bot] avatar](https://avatars.githubusercontent.com/in/23186?v=4 "allcontributors[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent