What is CycloneDX?

OWASP-led SBOM standard (also published as ECMA-424) that doubles as an AIBOM format. CycloneDX 1.5 (2023) introduced the machine-learning-model component type and the modelCard; 1.6 (2024) extended the model card and added cryptographic-asset and attestation support. Securie emits a CycloneDX 1.6 AIBOM on every release.

Full explanation

CycloneDX is one of the two major SBOM formats (the other is SPDX). Its AI-specific extensions, introduced in 1.5 and extended in 1.6, are the machine-learning-model component type and the modelCard object attached to it. The model card is split into three parts: modelParameters (approach, task, architecture, training datasets, inputs and outputs), quantitativeAnalysis (performanceMetrics, graphics) and considerations (users, use cases, technical limitations, ethicalConsiderations, fairnessAssessments and, new in 1.6, environmentalConsiderations). Because a model component also carries hashes and external references like any other component, a single AIBOM can pin the weights artifact and describe how it was trained and evaluated, which makes it a natural machine-readable carrier for the technical documentation the EU AI Act Article 11 requires.
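As an added illustration, not Securie's crates/sbom code, the following Python builds a minimal CycloneDX 1.6 AIBOM in the JSON serialization with one machine-learning-model component and a model card, then runs the structural checks an auditor would apply before trusting it and verifies that the listed SHA-256 pins a given weights artifact. Field names follow the published 1.6 JSON schema; the model name, dataset, metric values and the WEIGHTS bytes are constructed sample data.

```python
"""Build and sanity-check a minimal CycloneDX 1.6 AIBOM (JSON serialization)."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: stands in for a serialized model weights file.
WEIGHTS = b"\x00\x01demo-weights-not-a-real-model"

# Hash algorithm identifiers allowed by the CycloneDX 1.6 schema.
CDX_HASH_ALGS = {"MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512", "SHA3-256",
                 "SHA3-384", "SHA3-512", "BLAKE2b-256", "BLAKE2b-384",
                 "BLAKE2b-512", "BLAKE3"}


def build_aibom(model_name: str, model_version: str, weights: bytes) -> dict:
    """Return a 1.6 BOM dict with one machine-learning-model component.
    The model card content is made-up sample data for demonstration."""
    digest = hashlib.sha256(weights).hexdigest()
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "tools": {"components": [{"type": "application", "name": "example-aibom-builder"}]},
        },
        "components": [{
            "type": "machine-learning-model",
            "bom-ref": f"model:{model_name}@{model_version}",
            "name": model_name,
            "version": model_version,
            "hashes": [{"alg": "SHA-256", "content": digest}],
            "modelCard": {
                "modelParameters": {
                    "approach": {"type": "supervised"},
                    "task": "text-classification",
                    "architectureFamily": "transformer",
                    "datasets": [{"type": "dataset", "name": "example-train-set",
                                  "classification": "internal"}],
                    "inputs": [{"format": "string"}],
                    "outputs": [{"format": "string"}],
                },
                "quantitativeAnalysis": {
                    "performanceMetrics": [{"type": "accuracy", "value": "0.93", "slice": "holdout"}],
                },
                "considerations": {
                    "ethicalConsiderations": [{
                        "name": "Misclassification of minority-language inputs",
                        "mitigationStrategy": "Per-language slice evaluation before release",
                    }],
                },
            },
        }],
    }


def check_aibom(bom: dict) -> list:
    """Structural checks an auditor runs before trusting an AIBOM.
    Returns a list of problems; an empty list means the checks passed."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if bom.get("specVersion") != "1.6":
        problems.append("specVersion is not 1.6")
    models = [c for c in bom.get("components", []) if c.get("type") == "machine-learning-model"]
    if not models:
        problems.append("no machine-learning-model component")
    for c in models:
        ref = c.get("bom-ref", c.get("name", "?"))
        hashes = c.get("hashes", [])
        if not hashes:
            problems.append(f"{ref}: no hashes, artifact cannot be pinned")
        for h in hashes:
            if h.get("alg") not in CDX_HASH_ALGS:
                problems.append(f"{ref}: unknown hash alg {h.get('alg')!r}")
        card = c.get("modelCard", {})
        if not card.get("modelParameters", {}).get("datasets"):
            problems.append(f"{ref}: modelCard lists no training datasets")
        if not card.get("quantitativeAnalysis", {}).get("performanceMetrics"):
            problems.append(f"{ref}: modelCard has no performanceMetrics")
    return problems


def model_matches_artifact(bom: dict, artifact: bytes) -> bool:
    """True if some ML component's SHA-256 entry equals the artifact's digest."""
    digest = hashlib.sha256(artifact).hexdigest()
    for c in bom.get("components", []):
        if c.get("type") != "machine-learning-model":
            continue
        for h in c.get("hashes", []):
            if h.get("alg") == "SHA-256" and (h.get("content") or "").lower() == digest:
                return True
    return False


if __name__ == "__main__":
    bom = build_aibom("demo-classifier", "1.0.0", WEIGHTS)
    print(json.dumps(bom, indent=2))
    print("problems:", check_aibom(bom))
    print("artifact matches:", model_matches_artifact(bom, WEIGHTS))
```

The checks are deliberately stricter than the schema: the schema does not require hashes or datasets on a model component, but an AIBOM without them cannot pin the artifact or support provenance review, so a consumer should reject it anyway. For full schema validation, run the JSON through the official CycloneDX 1.6 JSON schema with a validator of your choice.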

Example

Securie's crates/sbom emits a CycloneDX 1.6 AIBOM in YAML on every release; the document is embedded in a DSSE envelope and served via /api/auditor/bundle/<sha>. Note that CycloneDX itself defines JSON, XML and Protocol Buffers serializations only, so a YAML rendering must be converted to JSON before it can be validated against the published schema or consumed by standard CycloneDX tooling.

FAQ

CycloneDX vs SPDX for AIBOM?

CycloneDX 1.6 has the more mature AI extensions today: the machine-learning-model component and modelCard have been in the core schema since 1.5, and mainstream SBOM tooling reads them. SPDX 3.0 defines equivalent AI and Dataset profiles (AIPackage and DatasetPackage), but tooling support for them still lags.