
Add depguard#106

Open
mopanc wants to merge 1 commit into CycloneDX:main from mopanc:add-depguard

Conversation

@mopanc

@mopanc mopanc commented Apr 25, 2026

Tool: depguard

depguard is an MCP (Model Context Protocol) security server for AI coding agents that generates CycloneDX 1.6 SBOMs and audits npm dependencies. Released under Apache-2.0.

SBOM-relevant capabilities

  • CycloneDX 1.6 SBOM generation with PURLs (pkg:npm/...), SHA-512 integrity hashes, and full dependency graph from package-lock.json / pnpm-lock.yaml / yarn.lock / bun.lock.
  • VEX support: vulnerabilities detected by the audit pipeline (npm + GitHub Advisory Database) are embedded inline in the BOM with GHSA/CVE IDs, CVSS ratings, CWEs, and patched-version recommendations.
  • Native implementation: depguard ships with zero runtime dependencies as a deliberate product principle. The CycloneDX serializer is implemented in TypeScript directly against the public CycloneDX 1.6 JSON Schema rather than via @cyclonedx/cyclonedx-library. Output is validated against the official CycloneDX validators in CI.
  • Compliance-oriented: targets EU Cyber Resilience Act, US EO 14028 / OMB M-22-18, SOC 2, FedRAMP supplier requirements.

Quick try

npm install -g depguard-cli
depguard-cli sbom ./package.json -o sbom.cdx.json

Background

This submission was suggested by @jkowalleck on mopanc/depguard#10 once CycloneDX support was finalized; that landed in v1.9.0.

The metadata in tools/depguard.json validates cleanly against schemas/tool.schema.json.

@mopanc mopanc requested a review from a team as a code owner April 25, 2026 19:37
Signed-off-by: mopanc <jorgemopanc@icloud.com>
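As an added illustration of what the SBOM-generation capabilities described in the submission above involve (example code written for this page, not depguard's own serializer), the block below turns an npm package-lock.json (lockfileVersion 2/3) into a CycloneDX 1.6 document: PURLs with percent-encoded scopes, hashes converted from the lockfile's SRI integrity strings, and a dependency graph resolved the way npm does it (nearest node_modules first, then ancestors). The sample lockfile, its package names (alpha, beta, @acme/gamma) and its all-zero placeholder digests are constructed; the CycloneDX field names used (bomFormat, specVersion, metadata.component, components, dependencies, hashes, purl, bom-ref) are those of the 1.6 JSON schema.

```typescript
// Added example (not depguard's own code): minimal CycloneDX 1.6 SBOM builder for an npm
// package-lock.json. Workspace/link entries and lockfileVersion 1 are out of scope.
interface LockPackage { name?: string; version?: string; integrity?: string; dependencies?: Record<string, string> }
interface PackageLock { name: string; version: string; lockfileVersion: number; packages: Record<string, LockPackage> }
interface Hash { alg: string; content: string }
interface Component { type: string; name: string; version: string; purl: string; "bom-ref": string; hashes?: Hash[] }
interface Dependency { ref: string; dependsOn: string[] }
interface Bom { bomFormat: "CycloneDX"; specVersion: "1.6"; version: number;
  metadata: { component: Component }; components: Component[]; dependencies: Dependency[] }

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// SRI algorithm -> [CycloneDX hash alg name, expected hex digest length]
const SRI_ALGS: Record<string, [string, number]> = { sha1: ["SHA-1", 40], sha256: ["SHA-256", 64], sha512: ["SHA-512", 128] };

// Decode base64 to lowercase hex without Buffer, so this runs in any JS runtime.
function base64ToHex(b64: string): string {
  const s = b64.replace(/=+$/, "");
  let acc = 0, bits = 0, hex = "";
  for (let i = 0; i < s.length; i++) {
    const v = B64.indexOf(s.charAt(i));
    if (v < 0) throw new Error(`invalid base64 character '${s.charAt(i)}'`);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      const byte = (acc >> bits) & 0xff;
      hex += (byte < 16 ? "0" : "") + byte.toString(16);
      acc &= (1 << bits) - 1;               // keep only the leftover bits
    }
  }
  return hex;
}

// pkg:npm PURL; for a scoped package "@scope" is the namespace and must be percent-encoded.
function npmPurl(name: string, version: string): string {
  const slash = name.indexOf("/");
  const path = name.charAt(0) === "@" && slash > 0
    ? `${encodeURIComponent(name.slice(0, slash))}/${name.slice(slash + 1)}` : name;
  return `pkg:npm/${path}@${encodeURIComponent(version)}`;
}

// Prefer the sha512 token when the lockfile lists several, and reject digests of the wrong size.
function integrityToHash(integrity: string): Hash {
  const tokens = integrity.trim().split(/\s+/);
  let token = tokens[0];
  for (const t of tokens) if (t.indexOf("sha512-") === 0) token = t;
  const dash = token.indexOf("-");
  const spec = SRI_ALGS[token.slice(0, dash)];
  if (!spec) throw new Error(`unsupported SRI algorithm in "${integrity}"`);
  const content = base64ToHex(token.slice(dash + 1));
  if (content.length !== spec[1]) throw new Error(`${spec[0]} digest has wrong length in "${integrity}"`);
  return { alg: spec[0], content };
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function pathToName(pkgPath: string): string {
  return pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// npm resolution: look in <from>/node_modules, then in each ancestor's node_modules.
function resolveDep(lock: PackageLock, fromPath: string, dep: string): string | undefined {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return undefined;
    const i = base.lastIndexOf("/node_modules/");
    base = i < 0 ? "" : base.slice(0, i);
  }
}

function buildBom(lock: PackageLock): Bom {
  if (lock.lockfileVersion < 2) throw new Error("lockfileVersion 1 has no 'packages' map; regenerate the lockfile");
  const paths = Object.keys(lock.packages);
  const purls: Record<string, string> = {}, refs: Record<string, string> = {}, used: Record<string, boolean> = {};
  for (const p of paths) {
    const e = lock.packages[p];
    purls[p] = npmPurl(p === "" ? lock.name : (e.name ?? pathToName(p)), e.version ?? lock.version);
    // bom-ref must be unique, but the same name@version can be installed at two paths: disambiguate by path.
    refs[p] = used[purls[p]] ? `${purls[p]}#${p}` : purls[p];
    used[refs[p]] = true;
  }
  const components: Component[] = [], dependencies: Dependency[] = [];
  let root: Component | undefined;
  for (const p of paths) {
    const e = lock.packages[p];
    const c: Component = { type: p === "" ? "application" : "library", name: p === "" ? lock.name : (e.name ?? pathToName(p)),
      version: e.version ?? lock.version, purl: purls[p], "bom-ref": refs[p] };
    if (e.integrity) c.hashes = [integrityToHash(e.integrity)];
    if (p === "") root = c; else components.push(c);
    const dependsOn: string[] = [];
    for (const dep of Object.keys(e.dependencies ?? {})) {
      const target = resolveDep(lock, p, dep);
      if (!target) throw new Error(`unresolved dependency "${dep}" of ${p || lock.name}`);
      dependsOn.push(refs[target]);
    }
    dependencies.push({ ref: refs[p], dependsOn });
  }
  if (!root) throw new Error("lockfile has no root entry");
  return { bomFormat: "CycloneDX", specVersion: "1.6", version: 1, metadata: { component: root }, components, dependencies };
}

function dependsOnOf(bom: Bom, ref: string): string[] {
  for (const d of bom.dependencies) if (d.ref === ref) return d.dependsOn;
  return [];
}

// Constructed sample lockfile (hypothetical packages). Digests are placeholders: 64 zero bytes, base64-encoded.
const PLACEHOLDER_SHA512 = "sha512-" + new Array(87).join("A") + "==";
const SAMPLE_LOCK: PackageLock = { name: "demo-app", version: "1.0.0", lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0", dependencies: { alpha: "^1.0.0", beta: "^1.0.0", "@acme/gamma": "^3.1.0" } },
  "node_modules/alpha": { version: "1.2.0", integrity: PLACEHOLDER_SHA512, dependencies: { beta: "^2.0.0" } },
  "node_modules/alpha/node_modules/beta": { version: "2.0.0", integrity: PLACEHOLDER_SHA512 },  // nested, not hoisted
  "node_modules/beta": { version: "1.0.0", integrity: PLACEHOLDER_SHA512 },
  "node_modules/@acme/gamma": { version: "3.1.4", integrity: PLACEHOLDER_SHA512 },
} };

console.log(JSON.stringify(buildBom(SAMPLE_LOCK), null, 2));
```

Two checks in this example matter in practice: a digest whose length does not match its algorithm is rejected rather than silently emitted as a SHA-512 hash, and the nested alpha → beta@2.0.0 edge is kept distinct from the root's beta@1.0.0, which a name-only lookup would conflate. Whatever produces the document, the output should still be run through the official CycloneDX validator before it is handed to anyone as a compliance artifact.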
