CBOM
Availability: The CBOM export option requires JFrog Advanced Security and is available only in the CycloneDX format (JSON or XML).
A CBOM (Cryptography Bill of Materials) is an inventory of cryptographic assets found within your software artifacts. The CBOM option enriches your CycloneDX SBOM with cryptographic asset information detected by JFrog Advanced Security's secrets scanning capabilities.
When enabled, cryptographic findings from secrets scans are embedded directly into the CycloneDX BOM as additional components of type cryptographic-asset, following the CycloneDX specification for cryptographic assets.
What CBOM Includes
Each detected cryptographic finding is added as a CycloneDX component with the following information:
- Component Type: cryptographic-asset (as defined by the CycloneDX specification).
- Crypto Properties: the asset type and related crypto material properties, mapped based on the type of finding:
  - Certificates: self-signed or expired certificates detected in the scanned artifact.
  - API Keys and Secret Keys: encryption keys and secret tokens detected in your codebase, classified as related crypto material of type Token.
  - Generic Secrets: passwords and credentials found in text, code, or URL patterns, classified as related crypto material of type Password.
- Evidence: the file path where the cryptographic asset was detected, recorded as an evidence occurrence.
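The following script is an added example and is not part of this page or of JFrog's tooling. It shows what the structure described above looks like in a CycloneDX 1.6 JSON BOM and how a consumer can pull the cryptographic inventory back out of an export: it filters components of type cryptographic-asset, classifies each by assetType and relatedCryptoMaterialProperties.type (token, password) or certificateFormat, lists the evidence occurrences, and flags certificates whose notValidAfter has passed. The embedded BOM is a constructed sample that follows the CycloneDX cryptoProperties schema; its component names, paths, dates and the exact property set JFrog emits are assumptions, and only the JSON output format is handled (an XML export would need a separate parser).

```python
"""Extract and summarise cryptographic-asset components from a CycloneDX 1.6 JSON BOM."""
import json
from datetime import datetime, timezone

# Constructed sample BOM. Its shape follows the CycloneDX 1.6 cryptoProperties schema;
# the names, paths and dates are illustrative, not taken from a real JFrog export.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {
            "type": "cryptographic-asset",
            "name": "server.crt",
            "cryptoProperties": {
                "assetType": "certificate",
                "certificateProperties": {
                    "subjectName": "CN=example.internal",
                    "issuerName": "CN=example.internal",
                    "notValidBefore": "2023-01-01T00:00:00Z",
                    "notValidAfter": "2024-01-01T00:00:00Z",
                    "certificateFormat": "X.509",
                },
            },
            "evidence": {"occurrences": [{"location": "app/config/server.crt"}]},
        },
        {
            "type": "cryptographic-asset",
            "name": "api-key",
            "cryptoProperties": {
                "assetType": "related-crypto-material",
                "relatedCryptoMaterialProperties": {"type": "token"},
            },
            "evidence": {"occurrences": [{"location": "app/settings.py", "line": 42}]},
        },
        {
            "type": "cryptographic-asset",
            "name": "db-password",
            "cryptoProperties": {
                "assetType": "related-crypto-material",
                "relatedCryptoMaterialProperties": {"type": "password"},
            },
            "evidence": {"occurrences": [{"location": "app/db.py", "line": 7}]},
        },
    ],
})


def crypto_assets(bom_json):
    """Return only the cryptographic-asset components of a CycloneDX JSON BOM."""
    bom = json.loads(bom_json)
    return [c for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"]


def classify(component):
    """Return (assetType, kind): the certificate format for certificates, or the
    relatedCryptoMaterialProperties.type (token, password, ...) for related material."""
    props = component.get("cryptoProperties", {})
    asset_type = props.get("assetType", "unknown")
    if asset_type == "certificate":
        kind = props.get("certificateProperties", {}).get("certificateFormat", "unknown")
    elif asset_type == "related-crypto-material":
        kind = props.get("relatedCryptoMaterialProperties", {}).get("type", "unknown")
    else:
        kind = "unknown"
    return asset_type, kind


def locations(component):
    """File path (and line number, when present) of each evidence occurrence."""
    occurrences = component.get("evidence", {}).get("occurrences", [])
    return [(o.get("location"), o.get("line")) for o in occurrences]


def inventory(bom_json):
    """Count cryptographic assets per (assetType, kind) pair."""
    counts = {}
    for component in crypto_assets(bom_json):
        key = classify(component)
        counts[key] = counts.get(key, 0) + 1
    return counts


def _parse_ts(value):
    # CycloneDX timestamps are ISO 8601; fromisoformat needs +00:00 rather than Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expired_certificates(bom_json, now_iso=None):
    """Names of certificate assets whose notValidAfter is earlier than now_iso (default: now)."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    expired = []
    for component in crypto_assets(bom_json):
        props = component.get("cryptoProperties", {})
        if props.get("assetType") != "certificate":
            continue
        not_after = props.get("certificateProperties", {}).get("notValidAfter")
        if not_after and _parse_ts(not_after) < now:
            expired.append(component["name"])
    return expired


if __name__ == "__main__":
    for comp in crypto_assets(SAMPLE_BOM):
        print(comp["name"], classify(comp), locations(comp))
    print("inventory:", inventory(SAMPLE_BOM))
    print("expired certificates:", expired_certificates(SAMPLE_BOM))
```

To run it against a real export, replace SAMPLE_BOM with the contents of the downloaded JSON file; the script only relies on the standard CycloneDX field names (components[].type, cryptoProperties, evidence.occurrences), so any field JFrog adds beyond those is ignored rather than breaking the parse.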
How to Enable CBOM in Your Export
To include CBOM data in your CycloneDX export:
- Navigate to the Scans List in Xray.
- Select a resource version scan from the list.
- Click the [...] (More Options) button.
- Select "Export Scan Data" and choose CycloneDX as the format.
- Enable the CBOM checkbox option.
- Select the output format (JSON or XML) and export.
Supported Output Formats
- JSON
- XML
Note: CBOM data is only available for resources that have been scanned with JFrog Advanced Security secrets scanning enabled. If no secrets scan results exist for the selected resource, the CBOM section of the export will be empty.
