1. Generate SBOMs for both the baseline and the new release in the same format (e.g., CycloneDX JSON) and store them as `sbom-v1.json` and `sbom-v2.json`.
2. Use the `cyclonedx-cli` diff command, which takes the two BOM files as positional arguments: `cyclonedx diff sbom-v1.json sbom-v2.json --component-versions`
3. Review the diff output for added, removed, and version-changed components.
4. Cross-reference any newly added or version-changed components against a vulnerability feed (e.g., OSV) to flag regressions.
5. Fail the CI pipeline if the diff introduces a component whose latest known version has a critical CVE.
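The five steps above, as an added example that is not part of the page or of `cyclonedx-cli`: a Python gate that diffs two CycloneDX JSON SBOMs the way `cyclonedx diff --component-versions` reports them, matches components by version-less purl (falling back to the bare name) to soften the naming gotcha, and checks only the versions the release actually introduces against a stand-in for an OSV lookup. The package names, both SBOMs and the vulnerability feed are constructed sample data.

```python
import json

# Constructed CycloneDX JSON SBOMs, trimmed to the fields the diff uses (not real project data).
SBOM_V1 = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "acme-util", "version": "1.2.0", "purl": "pkg:npm/acme-util@1.2.0"},
  {"name": "acme-pad",  "version": "1.3.0", "purl": "pkg:npm/acme-pad@1.3.0"}]}""")
SBOM_V2 = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "acme-util",  "version": "1.2.1", "purl": "pkg:npm/acme-util@1.2.1"},
  {"name": "acme-parse", "version": "0.0.8", "purl": "pkg:npm/acme-parse@0.0.8"}]}""")

# Constructed stand-in for an OSV query: version-less purl -> {affected version: severity}.
VULN_FEED = {
    "pkg:npm/acme-parse": {"0.0.8": "CRITICAL"},
    "pkg:npm/acme-util": {"1.2.0": "HIGH"},  # fixed in 1.2.1, so the bump is not a regression
}

def component_key(component):
    """Matching identity: the purl minus version and qualifiers, else the bare name."""
    purl = component.get("purl")
    if not purl:
        return component["name"].lower()
    return purl.split("?", 1)[0].rsplit("@", 1)[0].lower()

def index_components(sbom):
    return {component_key(c): c["version"] for c in sbom.get("components", [])}

def diff_sboms(old, new):
    """Return (added, removed, version_changed) like `cyclonedx diff --component-versions`."""
    a, b = index_components(old), index_components(new)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted((k, a[k], b[k]) for k in set(a) & set(b) if a[k] != b[k])
    return added, removed, changed

def find_regressions(old, new, feed):
    """Look up only the components the release adds or bumps, at the version it introduces."""
    added, _, changed = diff_sboms(old, new)
    new_versions = index_components(new)
    hits = []
    for key in added + [k for k, _, _ in changed]:
        severity = feed.get(key, {}).get(new_versions[key])
        if severity:
            hits.append((key, new_versions[key], severity))
    return hits

def ci_should_fail(regressions, gate="CRITICAL"):
    """Gate for step 5: the pipeline should exit non-zero when any regression reaches the threshold."""
    return any(sev == gate for _, _, sev in regressions)
```

In a real pipeline, replace `VULN_FEED` with the response of an OSV batch query for the purls in `added` and `changed`, and call `sys.exit(1)` when `ci_should_fail` returns true.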
Known gotchas
- `cyclonedx-cli` normalises component identity by `name+version+purl`; components that change only their `bom-ref` without a version bump will appear unchanged even if the artifact differs.
- Transitive dependency changes are only visible if both SBOMs were generated with full dependency graph resolution; shallow scans will miss indirect drift.
- Different SBOM generators may represent the same package under slightly different names or PURL schemes, causing false positives in the diff.