explaingit

anchore/syft

8,925 · Go · Audience: ops, devops · Complexity: 2/5 · License: Apache 2.0 · Setup: easy

TLDR

A command-line tool that scans container images or code folders and produces an inventory list of every package and library inside, in standard formats that security tools can read. Makes it straightforward to check software for known vulnerabilities.

Mindmap

mindmap
  root((Syft))
    What it does
      Generates SBOMs
      Scans containers
      Scans directories
    Package ecosystems
      Alpine and Debian
      Python and Go
      Java and npm
    Output formats
      CycloneDX JSON
      SPDX
    Features
      Signed attestations
      Pairs with Grype


Things people build with this

USE CASE 1

Scan a Docker container image to list every package it contains and export the result as a CycloneDX JSON file.

USE CASE 2

Generate a signed SBOM attestation for a software release to prove what packages are bundled inside.

USE CASE 3

Pair with Grype to automatically check all packages in a container for known CVEs.

USE CASE 4

Audit a directory of code to inventory all Go modules, Python packages, and npm packages present.

Tech stack

Go · Docker · Homebrew

Getting it running

Difficulty · easy · Time to first run · 5 min
Use freely for any purpose including commercial projects as long as you include the copyright notice.

In plain English

Syft is a command-line tool written in Go that generates a Software Bill of Materials, commonly called an SBOM, for software you are running or distributing. An SBOM is essentially an inventory list: it catalogs all the packages and libraries bundled inside a container image or a folder of code, along with their versions and where they came from. Having that list makes it much easier to check whether any of those components have known security vulnerabilities.

The tool works by scanning a container image, a directory, or an archive file and detecting what packages are present. It can identify components from a wide range of packaging systems: Alpine Linux packages, Debian packages, RPM packages (used by Red Hat-based Linux distributions), Go modules, Python packages, JavaScript packages, Java JARs, Ruby gems, Rust crates, PHP packages, .NET assemblies, and more. You point it at something you want to inspect and it figures out what is inside.

The output can be written in several standard SBOM formats, including CycloneDX and SPDX, which are the two most widely recognized in the industry and can be read by other security tools. Syft is designed to pair directly with Grype, a separate vulnerability scanner from the same company, which takes a Syft SBOM and checks it against databases of known vulnerabilities.

Running it is straightforward. The command syft alpine:latest scans the Alpine Linux container image and prints what it finds. Adding a format flag like -o cyclonedx-json writes the results as a file in that format instead. The tool can also produce signed SBOM attestations, which are a way to cryptographically prove that a specific SBOM was generated for a specific piece of software.

Syft is developed by Anchore, released under the Apache 2.0 license, and available via Homebrew, Docker, and a curl installer.
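As an added example (not code from the Syft project or from this page), the script below shows what a consumer of Syft's output actually does with it: it reads either of the two formats named above, CycloneDX JSON and SPDX JSON, normalizes their component lists into one shape, and flags components whose version falls below the fixed version in an advisory table. That lookup is the same kind of work Grype performs against real vulnerability databases, reduced to a few lines. The two SBOM documents, the advisory table with its ADV-EXAMPLE placeholder identifiers, and the lenient version ordering are all constructed for illustration; a real document would come from a command such as syft myapp:latest -o cyclonedx-json > sbom.json.

```python
"""Read a Syft-style SBOM (CycloneDX JSON or SPDX JSON), list its components,
and flag those that match a small, constructed advisory table."""
import json
import re

# Constructed sample in the shape Syft emits with -o cyclonedx-json, trimmed to
# the fields this example reads. The package set and versions are made up.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "myapp", "version": "latest"}},
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r2",
         "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64"},
        {"type": "library", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed sample in SPDX JSON shape (package-level fields only).
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "myapp",
    "packages": [
        {"name": "requests", "versionInfo": "2.25.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.25.0"}]},
        {"name": "myapp", "versionInfo": "latest", "externalRefs": []},
    ],
})

# Constructed advisory table with placeholder IDs (not real CVEs). Each entry
# says: packages of this purl type and name are affected below `fixed`.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl_type": "pypi", "name": "requests", "fixed": "2.31.0"},
    {"id": "ADV-EXAMPLE-2", "purl_type": "npm", "name": "lodash", "fixed": "4.17.21"},
]


def purl_type(purl):
    """Return the ecosystem part of a package URL, e.g. 'pypi' for pkg:pypi/requests@2.25.0."""
    m = re.match(r"pkg:([^/]+)/", purl or "")
    return m.group(1) if m else None


def load_components(sbom_text):
    """Normalize CycloneDX JSON or SPDX JSON into a list of
    {'name', 'version', 'purl', 'type'} dicts, so later logic is format-agnostic."""
    doc = json.loads(sbom_text)
    out = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            out.append({"name": c.get("name"), "version": c.get("version"),
                        "purl": c.get("purl"), "type": purl_type(c.get("purl"))})
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append({"name": p.get("name"), "version": p.get("versionInfo"),
                        "purl": purl, "type": purl_type(purl)})
    else:
        raise ValueError("unrecognized SBOM format")
    return out


def version_key(version):
    """Lenient ordering key: the leading integer of each dot/dash separated chunk.
    A simplification for this example; real matchers use ecosystem-specific rules."""
    return tuple(int(re.match(r"\d*", chunk).group() or 0)
                 for chunk in re.split(r"[.\-]", version or ""))


def find_affected(components, advisories):
    """Return (component, advisory) pairs where the component's version is below the fix."""
    hits = []
    for comp in components:
        for adv in advisories:
            if (comp["type"] == adv["purl_type"] and comp["name"] == adv["name"]
                    and version_key(comp["version"]) < version_key(adv["fixed"])):
                hits.append((comp, adv))
    return hits


if __name__ == "__main__":
    for label, text in (("cyclonedx", CYCLONEDX_SAMPLE), ("spdx", SPDX_SAMPLE)):
        comps = load_components(text)
        print(f"{label}: {len(comps)} components")
        for comp, adv in find_affected(comps, SAMPLE_ADVISORIES):
            print(f"  {comp['purl']} affected by {adv['id']} (fixed in {adv['fixed']})")
```

The purl is the field worth keying on: it carries the ecosystem, name and version in one string, which is why matching on it is more reliable than matching on the bare name (a "requests" npm package and a "requests" PyPI package are different things). Note that lodash at exactly the fixed version is not flagged, only versions strictly below it.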

Copy-paste prompts

Prompt 1
Using Syft, generate a CycloneDX SBOM for a Docker image called myapp:latest and save it to sbom.json.
Prompt 2
I want to scan a local directory with Syft and get an SPDX-format software bill of materials. Show me the exact command.
Prompt 3
Set up a CI pipeline step that uses Syft to generate an SBOM and then uses Grype to check it for vulnerabilities.
Prompt 4
How do I create a signed SBOM attestation with Syft for a container image I am about to publish?