syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Top Related Projects
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
Quick Overview
Syft is an open-source CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. It provides detailed information about the contents and dependencies of software packages, helping users understand and manage their software supply chain.
Pros
- Supports multiple SBOM formats (CycloneDX, SPDX, Syft JSON)
- Integrates with various CI/CD pipelines and security tools
- Offers both CLI and library usage for flexibility
- Actively maintained with regular updates and improvements
Cons
- Limited to specific package ecosystems and file types
- May produce large output files for complex software systems
- Requires additional tools for comprehensive security analysis
- Learning curve for advanced features and customizations
Code Examples
- Generate SBOM for a container image:
import "github.com/anchore/syft/syft"
sbom, err := syft.CreateSBOM("alpine:latest", syft.SBOMOptions{})
if err != nil {
log.Fatal(err)
}
fmt.Println(sbom)
- Generate SBOM for a local directory:
import "github.com/anchore/syft/syft"
sbom, err := syft.CreateSBOM("./my-project", syft.SBOMOptions{})
if err != nil {
log.Fatal(err)
}
fmt.Println(sbom)
- Generate SBOM with custom options:
import "github.com/anchore/syft/syft"
options := syft.SBOMOptions{
Scope: syft.AllLayersScope,
Format: syft.FormatCycloneDXJSON,
}
sbom, err := syft.CreateSBOM("alpine:latest", options)
if err != nil {
log.Fatal(err)
}
fmt.Println(sbom)
Getting Started
To use Syft as a library in your Go project:
- Install Syft:
go get github.com/anchore/syft
- Import and use Syft in your code:
import (
"fmt"
"github.com/anchore/syft/syft"
)
func main() {
sbom, err := syft.CreateSBOM("alpine:latest", syft.SBOMOptions{})
if err != nil {
panic(err)
}
fmt.Println(sbom)
}
This example generates an SBOM for the Alpine Linux container image and prints the result.
Competitor Comparisons
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Pros of Trivy
- Broader scope: Scans for vulnerabilities, misconfigurations, and secrets in various artifacts
- Faster scanning speed, especially for large container images
- Built-in support for multiple scanners (SBOM, vulnerability, license, etc.)
Cons of Trivy
- Less granular control over SBOM generation compared to Syft
- May produce more false positives in certain scenarios
- Slightly steeper learning curve for advanced features
Code Comparison
Syft usage:
syft alpine:latest
Trivy usage:
trivy image alpine:latest
Both tools can generate SBOMs, but Trivy offers a more comprehensive security scanning approach:
Syft SBOM generation:
syft packages alpine:latest -o cyclonedx-json
Trivy SBOM generation with vulnerability scan:
trivy image --format cyclonedx alpine:latest
Trivy provides an all-in-one solution for security scanning, while Syft focuses primarily on SBOM generation with high accuracy. Trivy's broader feature set comes at the cost of slightly reduced granularity in SBOM customization. Both tools are actively maintained and have strong community support, making them valuable options for different use cases in the software supply chain security landscape.
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
Pros of OSV-Scanner
- Focuses specifically on known vulnerabilities in open-source dependencies
- Utilizes the Open Source Vulnerability (OSV) database for comprehensive vulnerability information
- Supports multiple package ecosystems and languages
Cons of OSV-Scanner
- Limited to vulnerability scanning, lacking broader software composition analysis features
- May require additional tools for a complete software supply chain security solution
- Less extensive ecosystem support compared to Syft
Code Comparison
OSV-Scanner:
func ScanArtifact(ctx context.Context, a *artifact.Artifact) ([]*osv.Result, error) {
// Scan artifact for vulnerabilities
}
Syft:
func CatalogerCatalog(resolver source.FileResolver) (*sbom.Catalog, error) {
// Generate SBOM and catalog software components
}
Key Differences
- Syft provides broader software composition analysis, including SBOM generation
- OSV-Scanner focuses specifically on vulnerability scanning using the OSV database
- Syft offers more extensive package ecosystem support and deeper analysis capabilities
- OSV-Scanner is tailored for quick vulnerability checks in open-source dependencies
Both tools serve important roles in software supply chain security, with Syft offering a more comprehensive analysis and OSV-Scanner providing focused vulnerability scanning.
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
Pros of sbom-tool
- Integrated with Azure DevOps and GitHub Actions for seamless CI/CD integration
- Supports multiple output formats, including SPDX and CycloneDX
- Designed specifically for Microsoft ecosystems, offering better compatibility with Windows environments
Cons of sbom-tool
- Limited language and ecosystem support compared to Syft
- Less frequent updates and smaller community compared to Syft
- Primarily focused on Microsoft technologies, which may limit its versatility for diverse projects
Code Comparison
sbom-tool:
sbom-tool generate -b <path> -bc <path> -pn <name> -pv <version> -ps <supplier> -nsb <namespace>
Syft:
syft <image or path> -o <format>
Key Differences
- Syft offers broader language and ecosystem support, making it more versatile for diverse projects
- sbom-tool provides better integration with Microsoft technologies and Azure DevOps
- Syft has a larger community and more frequent updates, potentially leading to faster bug fixes and feature additions
- sbom-tool offers more output format options, while Syft focuses on specific formats like SPDX and CycloneDX
- Syft's command-line interface is generally simpler and more straightforward compared to sbom-tool's more detailed options
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Syft
A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.
Introduction
Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.
Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. For commercial support options with Syft or Grype, please contact Anchore.
Features
- Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries
- Supports OCI, Docker and Singularity image formats
- Linux distribution identification
- Works seamlessly with Grype (a fast, modern vulnerability scanner)
- Able to create signed SBOM attestations using the in-toto specification
- Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format.
Installation
Syft binaries are provided for Linux, macOS and Windows.
Recommended
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
Install script options:
-b: Specify a custom installation directory (defaults to./bin)-d: More verbose logging levels (-dfor debug,-ddfor trace)-v: Verify the signature of the downloaded artifact before installation (requirescosignto be installed)
Homebrew
brew install syft
Scoop
scoop install syft
Chocolatey
The chocolatey distribution of Syft is community-maintained and not distributed by the Anchore team
choco install syft -y
Nix
Note: Nix packaging of Syft is community maintained. Syft is available in the stable channel since NixOS 22.05.
nix-env -i syft
... or, just try it out in an ephemeral nix shell:
nix-shell -p syft
Getting started
SBOM
To generate an SBOM for a container image:
syft <image>
The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:
syft <image> --scope all-layers
Output formats
The output format for Syft is configurable as well using the -o (or --output) option:
syft <image> -o <format>
Where the formats available are:
syft-json: Use this to get as much information out of Syft as possible!syft-text: A row-oriented, human-and-machine-friendly output.cyclonedx-xml: A XML report conforming to the CycloneDX 1.6 specification.cyclonedx-xml@1.5: A XML report conforming to the CycloneDX 1.5 specification.cyclonedx-json: A JSON report conforming to the CycloneDX 1.6 specification.cyclonedx-json@1.5: A JSON report conforming to the CycloneDX 1.5 specification.spdx-tag-value: A tag-value formatted report conforming to the SPDX 2.3 specification.spdx-tag-value@2.2: A tag-value formatted report conforming to the SPDX 2.2 specification.spdx-json: A JSON report conforming to the SPDX 2.3 JSON Schema.spdx-json@2.2: A JSON report conforming to the SPDX 2.2 JSON Schema.github-json: A JSON report conforming to GitHub's dependency snapshot format.syft-table: A columnar summary (default).template: Lets the user specify the output format. See "Using templates" below.
Note that flags using the @
Supported Ecosystems
- Alpine (apk)
- C (conan)
- C++ (conan)
- Dart (pubs)
- Debian (dpkg)
- Dotnet (deps.json)
- Objective-C (cocoapods)
- Elixir (mix)
- Erlang (rebar3)
- Go (go.mod, Go binaries)
- Haskell (cabal, stack)
- Java (jar, ear, war, par, sar, nar, native-image)
- JavaScript (npm, yarn)
- Jenkins Plugins (jpi, hpi)
- Linux kernel archives (vmlinz)
- Linux kernel modules (ko)
- Nix (outputs in /nix/store)
- PHP (composer)
- Python (wheel, egg, poetry, requirements.txt)
- Red Hat (rpm)
- Ruby (gem)
- Rust (cargo.lock)
- Swift (cocoapods, swift-package-manager)
- Wordpress plugins
Documentation
Our wiki contains further details on the following topics:
- Supported Sources
- File Selection
- Excluding file paths
- Output formats
- Package Cataloger Selection
- Using templates
- Multiple outputs
- Private Registry Authentication
- Attestation (experimental)
- Configuration
Contributing
Check out our contributing guide and developer docs.
Syft Team Meetings
The Syft Team hold regular community meetings online. All are welcome to join to bring topics for discussion.
- Check the calendar for the next meeting date.
- Add items to the agenda (join this group for write access to the agenda)
- See you there!
Top Related Projects
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot