macOS
brew install cargo-cyclonedxlocal Homebrew formula metadata
brew
Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects. Version 0.5.9 via Homebrew; verified from local package data.
install
brew install cargo-cyclonedxlocal Homebrew formula metadata
sudo apk add cargo-cyclonedxAlpine Linux edge package indexes · cargo-cyclonedx · source: dl-cdn.alpinelinux.org
sudo dnf install cargo-cyclonedxFedora Rawhide package metadata · cargo-cyclonedx · source: dl.fedoraproject.org
nix profile install nixpkgs#cargo-cyclonedxnixpkgs package indexes · pkgs/by-name/ca/cargo-cyclonedx/package.nix · source: api.github.com
sudo pacman -S cargo-cyclonedxArch Linux sync databases · cargo-cyclonedx · source: geo.mirror.pkgbuild.com
overview
Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
history
cargo-cyclonedx is the Rust Cargo plugin from the CycloneDX project. It generates CycloneDX Software Bill of Materials files for Cargo projects, using Cargo metadata and lockfile information to describe Rust dependencies.
The cyclonedx-rust-cargo repository was created in 2019 and contains both the cyclonedx-bom Rust library and the cargo-cyclonedx application. The cargo-cyclonedx crate was published later as the command-line plugin for Cargo users.
The project belongs to the OWASP CycloneDX ecosystem. The CycloneDX site describes CycloneDX as a full-stack Bill of Materials standard for cyber-risk reduction, while the Rust plugin adapts that standard to Cargo workspaces.
cargo-cyclonedx adoption tracks the broader rise of SBOM requirements in software supply-chain security. It is packaged across multiple operating-system package managers and crates.io metadata shows more than one million downloads by June 2026.
Its value increased as organizations began asking Rust projects for SBOMs that can be consumed by security, compliance, and asset-management tooling.
The documented command is `cargo cyclonedx`, run inside a Rust project containing Cargo.toml. By default it writes BOM files adjacent to Cargo.toml files in the workspace.
The plugin can emit XML or JSON, choose CycloneDX spec versions, select targets and feature sets, and describe crates, binaries, or all Cargo targets. The README notes that it uses both Cargo.lock and `cargo metadata`, which gives it more build-configuration context than lockfile-only scanners.
cargo-cyclonedx is important because it turns Cargo's dependency graph into a standardized interchange artifact. Package managers and security systems can consume the resulting BOM without knowing Rust internals.
It also illustrates a practical distinction in SBOM generation: registry lockfiles are not enough when features, targets, binaries, and package metadata affect what a Rust build actually contains.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cargo-cyclonedx | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/CycloneDX/cyclonedx-rust-cargo
install metadata
| Package key | brew:cargo-cyclonedx |
|---|---|
| Version | 0.5.9 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cargo-cyclonedx |
| Homepage | https://cyclonedx.org/ |
| Repository | https://github.com/CycloneDX/cyclonedx-rust-cargo |
| Upstream docs | https://github.com/CycloneDX/cyclonedx-rust-cargo/tree/main/cargo-cyclonedx#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/CycloneDX/cyclonedx-rust-cargo/archive/refs/tags/cargo-cyclonedx-0.5.9.tar.gz |
| Build dependencies | rust |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cargo-cyclonedx |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
cargo-cyclonedx
nix profile install nixpkgs#cargo-cyclonedxcargo-cyclonedx 0.5.9-r0
Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
https://github.com/CycloneDX/cyclonedx-rust-cargo
sudo apk add cargo-cyclonedxcargo-cyclonedx 0.5.9-1.fc45
CycloneDX Software Bill of Materials (SBOM) for Rust Crates
https://crates.io/crates/cargo-cyclonedx
sudo dnf install cargo-cyclonedxcargo-cyclonedx 0.5.9-1
Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
https://github.com/CycloneDX/cyclonedx-rust-cargo
sudo pacman -S cargo-cyclonedxsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.