npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@cdxgen/cdxgen-plugins-bin

v2.2.3

Published

Binary plugins to supercharge @cdxgen/cdxgen npm package

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

prabhusprabhus

Keywords

cdxgensbombompluginsdependencyappsec

Readme

Introduction

This repo contains binary executables that could be invoked by cdxgen.

SBOM NPM NPM Downloads

Usage

The package is usually consumed indirectly by cdxgen. cdxgen resolves helper binaries from the installed optional package and invokes them only for features that need native collection or deeper language analysis.

For Go Evinse, cdxgen uses the bundled golem-* binary when evinse -l go or evinse -l golang is run:

cdxgen -t go -o bom.json /absolute/path/to/go/project
evinse -i bom.json -o bom.evinse.json -l go --golem-callgraph static /absolute/path/to/go/project

golem produces a compact JSON evidence report from Go source and package metadata. cdxgen maps that report into CycloneDX as component.evidence.occurrences, component.evidence.callstack.frames, and cdx:golem:* custom properties on metadata and dependency components.

Use GOLEM_CMD=/absolute/path/to/golem or evinse --golem-command /absolute/path/to/golem when testing a local helper build.

Installation

Install cdxgen, which installs this plugin as an optional dependency.

sudo npm install -g @cyclonedx/cdxgen

cdxgen would automatically use the plugins from the global node_modules path to enrich the SBOM output for certain project types such as docker.

Bundled helpers

The published packages currently bundle helper binaries such as:

  • trivy-cdxgen-* for container/rootfs OS package inventory
  • osqueryi-* for live-host OBOM collection
  • sourcekitten and dosai for Swift/.NET enrichment
  • trustinspector-cdxgen-* for deep trust inspection of repository keyrings, CA stores, macOS code-sign/notarization state, and Windows Authenticode / WDAC policy inventory
  • golem-* for Go source semantic library evidence and optional static/CHA/RTA/VTA call graph exports

Helper binaries are also published individually for automation-friendly retrieval:

  • GitHub Releases upload the raw helper binaries alongside their .sha256 sidecars, for example golem-linuxmusl-amd64 + golem-linuxmusl-amd64.sha256
  • GHCR / ORAS publishes one tag per helper binary using the binary filename as the tag, for example ghcr.io/cdxgen/cdxgen-plugins-bin:golem-linuxmusl-amd64 and ghcr.io/cdxgen/cdxgen-plugins-bin:trustinspector-cdxgen-linuxmusl-arm64

Golem evidence contract

Golem is intentionally evidence-oriented rather than content-copying. Its JSON report is expected to contain small values such as module paths, package paths, source locations, symbol kinds, usage scopes, counts, categories, and call graph edges. It should not include raw secrets, raw environment values, embedded file contents, generated source contents, or raw go:generate command bodies.

cdxgen consumes these fields to produce policy-friendly properties such as:

  • cdx:golem:callGraphMode, cdx:golem:fileCount, cdx:golem:usageCount, and cdx:golem:securitySignalCount on the root metadata component
  • cdx:golem:usageScopes, cdx:golem:occurrenceEvidenceKinds, cdx:golem:securitySignalCategory, and cdx:golem:securitySignalSeverity on dependency components
  • cdx:golem:localReplacement, cdx:golem:vendored, cdx:golem:privateModuleCandidate, and cdx:golem:licenseFileCount for supply-chain and compliance review

These properties power the cdxgen BOM audit categories golem-security, golem-performance, and golem-compliance, plus cdxi commands such as .golemsummary, .golemhotspots, and .golemcoverage.

Plugin manifest + provenance bundle

Each packaged plugins/ directory now includes:

  • sbom-postbuild.cdx.json — a post-build CycloneDX inventory of the bundled helpers
  • plugins-manifest.json — a lightweight provenance bundle containing the generated-at timestamp, package identity, and per-plugin component metadata (purl, version, hash, binary path, and merged SBOM reference)

cdxgen reads plugins-manifest.json automatically when present so the generated BOM can record more precise helper-tool identity/version data under metadata.tools.

The manifest is data only. cdxgen does not execute commands, scripts, or paths from it; the file is parsed as JSON and used only to tighten helper provenance in metadata.tools.

CI coverage

The main test workflow now includes an explicit Windows smoke path that verifies:

  • build.ps1 stages trustinspector-cdxgen-windows-amd64.exe
  • plugins/plugins-manifest.json is generated on Windows and includes trustinspector
  • trustinspector host returns Windows host findings
  • trustinspector paths <signed binary> returns Authenticode properties on the runner