SBOM Vulnerability Scanner
SBOM Vulnerability Scanner generates SBOM files and runs vulnerability checks for the currently opened workspace.
Download VSIX
Use this file for installation:
You can also use a version-pinned file in releases.
Versioned example: releases/sbom-vulnerability-scanner-<version>.vsix
Install from Marketplace (recommended)
Once published to VS Code Marketplace, install SBOM Vulnerability Scanner from the Extensions view.
Marketplace installations support automatic updates.
Dashboard (Activity Bar)
After installation, an SBOM Vulnerability Scanner icon appears in the Activity Bar.
From the Dashboard you can:
- Check the currently opened project
- Switch SBOM generator (
auto / syft / trivy / manifest)
- Switch vulnerability scanner (
auto / trivy / npm-audit)
- Switch UI language (
auto / en / ja)
- Switch result open mode (
vscode / external)
- Run SBOM generation and vulnerability scan actions
Commands
SBOM Vulnerability Scanner: Generate SBOMSBOM Vulnerability Scanner: Scan VulnerabilitiesSBOM Vulnerability Scanner: Generate SBOM + Scan VulnerabilitiesSBOM Vulnerability Scanner: Check Current ProjectSBOM Vulnerability Scanner: Select ScannerSBOM Vulnerability Scanner: Select SBOM GeneratorSBOM Vulnerability Scanner: Select UI LanguageSBOM Vulnerability Scanner: Select Result Open ModeSBOM Vulnerability Scanner: Set Up Syft and Trivy
The setup command is explicit and user-driven.
- macOS/Linux with Homebrew: runs
brew install syft trivy in the terminal after user selection
- Windows with WinGet: runs
winget install Anchore.syft AquaSecurity.Trivy in the terminal after user selection
- Windows with Scoop: runs
scoop install syft trivy in the terminal after user selection
- All platforms: download binaries from GitHub Releases or open official installation guides for alternative methods
Output
By default, output files are generated under .sbom-tool/ in your workspace.
sbom-raw-*.json: Internal parsed SBOM datasbom-cyclonedx-*.json or sbom-spdx-*.*: Exported SBOMsbom-report-*.html: Human-readable SBOM reportvulnerability-report-*.json: Vulnerability scan result
Settings
sbomTool.outputDirectory (default: .sbom-tool)sbomTool.defaultSbomFormat (default: cyclonedx-json)
sbomTool.sbomGenerator (default: auto)
auto: Tries Syft first, then Trivy, then the built-in manifest parsersyft: Uses Syft onlytrivy: Uses Trivy onlymanifest: Uses the built-in package manifest parser only
sbomTool.vulnerabilityScanner (default: auto)
auto: Tries Trivy first, falls back to npm audittrivy: Uses Trivy onlynpm-audit: Uses npm audit only
sbomTool.uiLanguage (default: auto)
auto: Follows VS Code display languageen: Englishja: Japanese
sbomTool.resultOpenMode (default: vscode)
vscode: Opens reports inside VS Codeexternal: Opens reports in external browser
Prerequisites
- Syft installed for the broadest SBOM coverage across languages and package managers
- Trivy installed when using Trivy-based SBOM generation or vulnerability scanning
- Node.js / npm when using the built-in manifest fallback or npm audit
Use the setup command from the dashboard or command palette to choose how to install or review setup instructions.
Language Support
- Default language: English
- Supported language: Japanese (when VS Code display language is
ja)
Package
cd vscode-extension/csap-sbom-security
npm install
npm run release:patch
Publish (Marketplace)
cd vscode-extension/csap-sbom-security
npm install
npm run publish:patch
See PUBLISHING.md for complete setup (publisher and PAT).
License
Apache License 2.0
