An MSBuild task that automatically generates a CycloneDX Software Bill of Materials (SBOM) during the build. It combines NuGet package manifest data with the assembly references MSBuild actually resolved to produce an accurate, build-time SBOM.
This tool is currently in an experimental state, is not an officially supported CycloneDX project, and uses unofficial property taxonomy entries.
The officially recommended way to generate SBOMs for .NET projects remains the CycloneDX .NET tool.
NOTE: This is a different tool from the unofficial, community-created CycloneDX.MSBuild package, which works by calling the CycloneDX .NET tool. This MSBuild task integrates into the build process itself: it extends the `Microsoft.Build.Utilities.Task` class and generates the SBOM directly from build data.
When you build your project, this task:

- Captures resolved references - the actual DLLs that MSBuild resolves during `ResolveAssemblyReferences`, including where each file came from (NuGet cache, framework directory, hint path, etc.)
- Reads NuGet package data - parses `project.assets.json` to extract transitive dependencies, SHA-512 hashes, and the full dependency graph
- Correlates the two - matches resolved files to their originating NuGet packages, capturing both declared and transitive dependencies
- Emits a CycloneDX SBOM - generates both `bom.json` and `bom.xml` in the output directory
The result is an SBOM that reflects what MSBuild actually resolved, not just what was declared.
The generated SBOM follows CycloneDX v1.6 and includes:

- Metadata - project name, version, target framework, build timestamp, tool identification
- Components - each NuGet package as a `library` component with Package URL (purl), SHA-512 hash, and resolved file paths; framework references as `framework` components
- Dependencies - full dependency graph linking the project to direct dependencies and transitive relationships
- Build evidence - custom properties (`cdx:msbuild:resolvedFile`, `cdx:msbuild:resolvedFrom`) showing exactly which DLLs were resolved and from where
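As an added example (not code from this project), the following Python script runs the checks a consumer would want against a `bom.json` of the shape described above: a CycloneDX 1.6 header, a NuGet purl and a hex SHA-512 hash on every `library` component, `cdx:msbuild:resolvedFile` evidence present (optionally confirmed on disk), no dangling bom-refs in the dependency graph, and every component reachable from the project. The sample BOM it builds is constructed; the package names, bom-ref values, file paths and `resolvedFrom` strings are assumptions, not values the task is known to emit.

```python
"""Consumer-side sanity checks on a build-time bom.json.

Added example; not code from the CycloneDX.MSBuildTask project. The BOM
returned by sample_bom() is constructed to match the shape the README
describes; package names, bom-ref values, paths and resolvedFrom strings
are assumptions.
"""
import json
import os
import re
from typing import Dict, List

HEX_SHA512 = re.compile(r"^[0-9a-fA-F]{128}$")  # CycloneDX stores hash content as hex


def sample_bom(resolved_dir: str = "/tmp/nuget") -> Dict:
    """Constructed BOM: a project, one direct package, one transitive package, one framework."""
    def lib(name: str, version: str, resolved_from: str) -> Dict:
        purl = f"pkg:nuget/{name}@{version}"  # assumption: the task uses the purl as bom-ref
        return {
            "type": "library", "name": name, "version": version,
            "bom-ref": purl, "purl": purl,
            "hashes": [{"alg": "SHA-512", "content": "ab" * 64}],  # constructed digest
            "properties": [
                {"name": "cdx:msbuild:resolvedFile",
                 "value": os.path.join(resolved_dir, name.lower(), version, f"{name}.dll")},
                {"name": "cdx:msbuild:resolvedFrom", "value": resolved_from},
            ],
        }

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "metadata": {"component": {"type": "application", "name": "SampleApp",
                                   "version": "1.0.0", "bom-ref": "SampleApp@1.0.0"}},
        "components": [
            lib("Contoso.Web", "2.1.0", "{HintPathFromItem}"),
            lib("Contoso.Core", "1.4.2", "{HintPathFromItem}"),
            {"type": "framework", "name": "Microsoft.NETCore.App", "version": "10.0.0",
             "bom-ref": "framework:Microsoft.NETCore.App@10.0.0"},
        ],
        "dependencies": [
            {"ref": "SampleApp@1.0.0",
             "dependsOn": ["pkg:nuget/Contoso.Web@2.1.0",
                           "framework:Microsoft.NETCore.App@10.0.0"]},
            {"ref": "pkg:nuget/Contoso.Web@2.1.0",
             "dependsOn": ["pkg:nuget/Contoso.Core@1.4.2"]},
        ],
    }


def check_bom(bom: Dict, check_files: bool = False) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings: List[str] = []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        findings.append("not a CycloneDX 1.6 document")
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    refs = {root} if root else set()
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref")
        if not ref:
            findings.append(f"component {comp.get('name')!r} has no bom-ref")
            continue
        if ref in refs:
            findings.append(f"duplicate bom-ref {ref!r}")
        refs.add(ref)
        if comp.get("type") != "library":
            continue  # framework components carry no purl or package hash
        if not str(comp.get("purl", "")).startswith("pkg:nuget/"):
            findings.append(f"{ref}: missing or non-NuGet purl")
        hashes = {h.get("alg"): str(h.get("content", "")) for h in comp.get("hashes", [])}
        if not HEX_SHA512.match(hashes.get("SHA-512", "")):
            findings.append(f"{ref}: no valid SHA-512 hash")
        props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
        resolved = props.get("cdx:msbuild:resolvedFile")
        if not resolved:
            findings.append(f"{ref}: no cdx:msbuild:resolvedFile evidence")
        elif check_files and not os.path.isfile(resolved):
            findings.append(f"{ref}: resolved file {resolved} not found on disk")
    # Dependency graph: every ref must exist, and every component must be reachable from the project.
    graph = {d.get("ref"): list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    for src, targets in graph.items():
        for t in [src] + targets:
            if t not in refs:
                findings.append(f"dependency graph references unknown bom-ref {t!r}")
    seen, stack = set(), ([root] if root else [])
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    for ref in sorted(r for r in refs if r not in seen):
        findings.append(f"{ref}: not reachable from the project in the dependency graph")
    return findings


if __name__ == "__main__":
    bom = sample_bom()
    print("clean BOM:", check_bom(bom) or "no findings")
    tampered = json.loads(json.dumps(bom))
    tampered["components"][1]["hashes"] = []       # transitive package lost its hash
    tampered["dependencies"][1]["dependsOn"] = []  # and nothing depends on it any more
    for finding in check_bom(tampered):
        print("finding:", finding)
```

Run it against a real file with `check_bom(json.load(open("bin/Debug/net10.0/bom.json")), check_files=True)` on the build machine; the on-disk check only makes sense where the paths recorded in `cdx:msbuild:resolvedFile` still exist.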
```sh
dotnet add package CycloneDX.MSBuildTask
```

The SBOM is generated automatically on every build, in both JSON and XML, with no additional configuration.
```xml
<!-- Set the task assembly path to the local build output -->
<PropertyGroup>
  <CycloneDxMSBuildTaskAssembly>path/to/CycloneDX.MSBuildTask.dll</CycloneDxMSBuildTaskAssembly>
</PropertyGroup>
<Import Project="path/to/build/CycloneDX.MSBuildTask.props" />
<Import Project="path/to/build/CycloneDX.MSBuildTask.targets" />
```

| MSBuild Property | Default | Description |
|---|---|---|
| `CycloneDxOutputDirectory` | `$(OutputPath)` | Directory where `bom.json` and `bom.xml` are written |
| `CycloneDxMSBuildTaskAssembly` | (auto from NuGet) | Path to the task DLL (override for local development) |
```xml
<PropertyGroup>
  <CycloneDxOutputDirectory>$(MSBuildProjectDirectory)/sbom</CycloneDxOutputDirectory>
</PropertyGroup>
```

Build the sample project and inspect the generated SBOM:

```sh
dotnet build samples/SampleApp/SampleApp.csproj
cat samples/SampleApp/bin/Debug/net10.0/bom.json
```

Use `test-local.sh` to build the task from source and run it against any local project:

```sh
./test-local.sh /path/to/MyApp.csproj
```

This builds the task in Release mode, then builds the target project using the local task DLL. Extra `dotnet build` arguments are passed through:

```sh
./test-local.sh /path/to/MyApp.csproj -c Release
./test-local.sh /path/to/MyApp.csproj -r linux-x64
```

The generated `bom.json` and `bom.xml` appear in the target project's output directory.