CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Introduction

Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.

Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. For commercial support options with Syft or Grype, please contact Anchore.

Getting Started

To generate an SBOM for a container image:

syft <image>

The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:

syft <image> --scope all-layers

Output Formats

The output format for Syft is configurable as well using the -o (or --output) option:

syft <image> -o <format>

Where the formats available are:

• syft-json: Use this to get as much information out of Syft as possible!
• syft-text: A row-oriented, human-and-machine-friendly output.
• cyclonedx-xml: A XML report conforming to the CycloneDX 1.6 specification.
• cyclonedx-xml@1.5: A XML report conforming to the CycloneDX 1.5 specification.
• cyclonedx-json: A JSON report conforming to the CycloneDX 1.6 specification.
• cyclonedx-json@1.5: A JSON report conforming to the CycloneDX 1.5 specification.
• spdx-tag-value: A tag-value formatted report conforming to the SPDX 2.3 specification.
• spdx-tag-value@2.2: A tag-value formatted report conforming to the SPDX 2.2 specification.
• spdx-json: A JSON report conforming to the SPDX 2.3 JSON Schema.
• spdx-json@2.2: A JSON report conforming to the SPDX 2.2 JSON Schema.
• github-json: A JSON report conforming to GitHub's dependency snapshot format.
• syft-table: A columnar summary (default).
• template: Lets the user specify the output format. See "Using templates" below.

Note that flags using the @ can be used for earlier versions of each specification as well.

Supported Ecosystems

• Alpine (apk)
• C (conan)
• C++ (conan)
• Dart (pubs)
• Debian (dpkg)
• Dotnet (deps.json)
• Objective-C (cocoapods)
• Elixir (mix)
• Erlang (rebar3)
• Go (go.mod, Go binaries)
• Haskell (cabal, stack)
• Java (jar, ear, war, par, sar, nar, native-image)
• JavaScript (npm, yarn)
• Jenkins Plugins (jpi, hpi)
• Linux kernel archives (vmlinz)
• Linux kernel modules (ko)
• Nix (outputs in /nix/store)
• PHP (composer)
• Python (wheel, egg, poetry, requirements.txt)
• Red Hat (rpm)
• Ruby (gem)
• Rust (cargo.lock)
• Swift (cocoapods, swift-package-manager)
• Wordpress plugins

Documentation

Our wiki contains further details::

https://github.com/anchore/syft/wiki

For commercial support options with Syft or Grype, please contact Anchore

This prototype Syft snap is built using the configuration here: https://github.com/popey/syft-snap