Summary
OWASP SAMM can be represented as a machine-readable standard in CycloneDX 1.7 using definitions.standards. CycloneDX is an Ecma International standard (ECMA-424) and is also being pursued for ISO standardization. As an internationally recognized standard, CycloneDX includes a capability called Attestations (CDXA) that enables organizations to make formal, machine-readable statements of conformance against any standard or set of requirements, backed by evidence, claims, and counter-claims. This makes it directly applicable to regulatory and compliance workflows where organizations need to demonstrate and track adherence to frameworks like SAMM in an auditable, structured format.
There is a growing ecosystem of tools that support CycloneDX Attestations, and representing SAMM as a CycloneDX standard definition means organizations can use any of these tools to perform assessments, track conformance over time, and produce attestation evidence against SAMM requirements. As one example, CycloneDX Assessors Studio can already import SAMM through this approach, and SAMM is being imported automatically on new Assessors Studio deployments.
I have attached a Python script (samm_to_cyclonedx.py) that reads the SAMM model YAML files and generates a valid CycloneDX 1.7 JSON document. I have also attached the generated output and a screenshot of OWASP SAMM successfully imported into CycloneDX Assessors Studio.
The script was coded with Claude Opus 4.6, but I have tested the output and validated it against the CycloneDX 1.7 JSON Schema. The screenshot confirms it works end-to-end in Assessors Studio.
What the script does
The script maps the full SAMM model hierarchy into CycloneDX definitions.standards[].requirements using the parent field to establish the tree structure:
- 5 Business Functions as top-level requirements (Governance, Design, Implementation, Verification, Operations)
- 15 Security Practices as children of their business function
- 30 Streams as children of their practice
- 90 Activities as leaf requirements, each containing the full activity description, the practice level objective, benefit, and assessment questions with quality criteria in descriptions
- 3 Maturity Levels in the standard's levels array, each referencing its 30 associated activity requirements
The SAMM version is passed as a required argument since the YAML files only contain the model identifier (e.g. SAMM20) and not a version string.
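As an added illustration of that mapping (written for this note, not the attached script), the following builds one Governance branch from a constructed mini model into definitions.standards with parent links and a levels array, then checks tree integrity (every parent resolves, every level reference is a leaf activity). Identifiers, titles and activity text are sample values, not the real SAMM model.

```python
# Constructed mini model: one Governance branch of the SAMM tree (sample data,
# not the project's YAML). Activities carry a maturity level and a benefit.
SAMM_MINI = {
    "function": ("G", "Governance"),
    "practice": ("G-SM", "Strategy and Metrics"),
    "stream": ("G-SM-A", "Create and Promote"),
    "activities": [  # (id, title, level, description, benefit)
        ("G-SM-A-1", "Identify objectives", 1, "Identify security objectives.", "Shared goals"),
        ("G-SM-A-2", "Establish a roadmap", 2, "Plan a security roadmap.", "Clear priorities"),
        ("G-SM-A-3", "Align with business", 3, "Tie the plan to business risk.", "Sustained support"),
    ],
}

def build_standard(model, version):
    # Returns a CycloneDX 1.7 document with SAMM as one definitions.standards entry.
    reqs, by_level = [], {}
    def add(ident, title, parent=None, notes=()):
        r = {"bom-ref": f"samm-{ident}", "identifier": ident, "title": title}
        if parent:
            r["parent"] = f"samm-{parent}"   # tree edge to the enclosing node
        if notes:
            r["descriptions"] = list(notes)  # description, benefit, questions
        reqs.append(r)
        return r["bom-ref"]

    add(*model["function"])
    add(*model["practice"], parent=model["function"][0])
    add(*model["stream"], parent=model["practice"][0])
    for aid, title, level, desc, benefit in model["activities"]:
        ref = add(aid, title, parent=model["stream"][0], notes=[desc, f"Benefit: {benefit}"])
        by_level.setdefault(level, []).append(ref)  # levels reference leaf activities only
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1,
        "definitions": {"standards": [{
            "bom-ref": "owasp-samm", "name": "OWASP SAMM", "version": version,
            "requirements": reqs,
            "levels": [{"bom-ref": f"samm-level-{n}", "identifier": f"L{n}",
                        "title": f"Maturity Level {n}", "requirements": refs}
                       for n, refs in sorted(by_level.items())],
        }]},
    }

def check_tree(doc):
    # Integrity check: every parent ref resolves and every level ref is a leaf.
    std = doc["definitions"]["standards"][0]
    refs = {r["bom-ref"] for r in std["requirements"]}
    parents = {r["parent"] for r in std["requirements"] if "parent" in r}
    dangling = [p for p in parents if p not in refs]
    non_leaf = [x for lvl in std["levels"] for x in lvl["requirements"] if x not in refs - parents]
    return dangling + non_leaf
```

Running the same check over the generated owasp-samm-2.1.0.cdx.json is a cheap sanity test before importing into an attestation tool, since a dangling parent or a level that points at a stream rather than an activity still passes schema validation.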
Usage
python3 samm_to_cyclonedx.py model/ -v 2.1.0
python3 samm_to_cyclonedx.py model/ -v 2.1.0 -o owasp-samm.cdx.json
Requires pyyaml. Output defaults to owasp-samm-<version>.cdx.json.
Where to put the script
I am not sure where the project wants this to live, whether alongside the existing spreadsheet tooling or elsewhere, so I am attaching it here and leaving that decision to the maintainers.
Attachments
owasp-samm-2.1.0.cdx.json
samm_to_cyclonedx.py