Scripts · Apr 13, 2026 · 3 min read

Syft — Generate Software Bill of Materials from Container Images

Syft generates Software Bill of Materials (SBOMs) from container images and filesystems. It detects packages across OS and language ecosystems, outputting SPDX, CycloneDX, and custom formats for compliance, vulnerability scanning, and supply chain security.

Script Depot · Community
Quick Use

Use it first, then decide how deep to go

This block should tell both the user and the agent what to copy, install, and apply first.

# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Or: brew install syft

# Generate SBOM for a container image
syft nginx:latest

# Output as SPDX JSON (industry standard)
syft nginx:latest -o spdx-json > sbom.spdx.json

# Output as CycloneDX (OWASP standard)
syft nginx:latest -o cyclonedx-json > sbom.cdx.json

# Scan a local directory
syft dir:/path/to/project

# Scan and pipe to Grype for vulnerabilities
syft myapp:latest -o json | grype

Introduction

Syft creates a complete inventory of all software packages in a container image or filesystem. This inventory — called a Software Bill of Materials (SBOM) — lists every OS package, language dependency, and binary with version information. SBOMs are increasingly required for compliance (US Executive Order 14028) and are essential for vulnerability management.

With over 9,000 GitHub stars, Syft is the most popular open-source SBOM generator. Created by Anchore, it pairs with Grype for vulnerability scanning and supports industry-standard formats (SPDX, CycloneDX) required by government and enterprise customers.

What Syft Does

Syft catalogs all software components in a container image: APK packages (Alpine), DEB packages (Debian/Ubuntu), RPM packages (RHEL/Fedora), npm modules, Python packages, Go modules, Java JARs, Ruby gems, Rust crates, and more. It outputs this catalog in standard SBOM formats.

Architecture Overview

[Container Image / Filesystem]
        |
   [Syft Cataloger Engine (Go)]
        |
   [Package Catalogers]
+--------+-------------------+------------------+---------+---------+
|        |                   |                  |         |         |
[OS]     [npm]               [pip]              [Go]      [Java]
apk      package-lock.json   requirements.txt   go.sum    Maven
dpkg                                            go.mod    Gradle
rpm                                             binary    JAR
        |
   [SBOM Generation]
   Package name, version,
   type, location, licenses,
   CPE identifiers, PURLs
        |
   [Output Formats]
   SPDX (JSON, tag-value)
   CycloneDX (JSON, XML)
   Syft JSON (native)
   Table (human-readable)

Self-Hosting & Configuration

# Generate SBOMs in different formats

# Human-readable table
syft node:20-slim

# SPDX JSON (for compliance)
syft node:20-slim -o spdx-json > node20-sbom.spdx.json

# CycloneDX JSON (for OWASP toolchain)
syft node:20-slim -o cyclonedx-json > node20-sbom.cdx.json

# Syft native JSON (for Grype input)
syft node:20-slim -o json > node20-sbom.syft.json
grype sbom:node20-sbom.syft.json

# Scan a local project directory
syft dir:./my-project -o spdx-json > project-sbom.json

# Scan a Docker archive
docker save myapp:latest -o myapp.tar
syft docker-archive:myapp.tar

# CI/CD: generate SBOM and scan in one pipeline
syft myapp:latest -o json | grype --fail-on critical
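As an added example (not part of the original page and not Syft's own code), a policy gate for the CI/CD step above written in Python: it reads the CycloneDX JSON that `syft -o cyclonedx-json` emits, diffs it against the SBOM of the previously approved image, and fails the stage on unversioned components or denied licenses. The two SBOM documents and the denied-license set are constructed inline for the example.

```python
import json
from typing import Dict, List, Tuple
# Constructed sample documents in the shape of `syft <image> -o cyclonedx-json`,
# trimmed to the fields a policy gate needs. They are not real Syft output.
def _bom(components: list) -> str:
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components})

def _comp(name: str, version: str, purl: str, license_id: str = "") -> dict:
    # An empty version is omitted, as in a real SBOM where Syft could not determine one.
    comp = {k: v for k, v in (("name", name), ("version", version), ("purl", purl)) if v}
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    return comp

BASELINE_SBOM = _bom([  # SBOM of the previously approved image (constructed)
    _comp("openssl", "3.0.13-r0", "pkg:apk/alpine/openssl@3.0.13-r0", "Apache-2.0"),
    _comp("express", "4.19.2", "pkg:npm/express@4.19.2", "MIT"),
])
CURRENT_SBOM = _bom([   # SBOM of the image just built (constructed)
    _comp("openssl", "3.0.13-r0", "pkg:apk/alpine/openssl@3.0.13-r0", "Apache-2.0"),
    _comp("express", "4.19.2", "pkg:npm/express@4.19.2", "MIT"),
    _comp("acme-tool", "0.1.0", "pkg:npm/acme-tool@0.1.0", "AGPL-3.0-only"),
    _comp("mystery-bin", "", "pkg:generic/mystery-bin"),  # unversioned binary
])
DENIED_LICENSES = {"AGPL-3.0-only", "SSPL-1.0"}  # constructed policy; adjust per organisation

def load_components(sbom_json: str) -> Dict[str, dict]:
    """Index CycloneDX components by PURL, falling back to name@version."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document (syft -o cyclonedx-json)")
    return {c.get("purl") or f"{c.get('name')}@{c.get('version', '')}": c
            for c in doc.get("components", [])}

def licenses_of(comp: dict) -> List[str]:
    """Collect SPDX ids (or free-text names) from a component's licenses array."""
    return [(lic.get("license") or {}).get("id") or (lic.get("license") or {}).get("name")
            or "UNKNOWN" for lic in comp.get("licenses", [])]

def check_policy(current: str, baseline: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (new components vs baseline, unversioned components, denied-license hits)."""
    cur, base = load_components(current), load_components(baseline)
    new = sorted(k for k in cur if k not in base)
    unversioned = sorted(k for k, c in cur.items() if not c.get("version"))
    denied = sorted(k for k, c in cur.items() if DENIED_LICENSES & set(licenses_of(c)))
    return new, unversioned, denied

if __name__ == "__main__":
    new, unversioned, denied = check_policy(CURRENT_SBOM, BASELINE_SBOM)
    print(f"new={new}\nunversioned={unversioned}\ndenied_license={denied}")
    raise SystemExit(1 if unversioned or denied else 0)  # non-zero fails the pipeline stage
```

In a real pipeline, replace the inline documents with the two files written by `syft ... -o cyclonedx-json` and keep the baseline SBOM stored alongside the approved image.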

Key Features

  • Multi-Ecosystem — OS packages, npm, pip, Go, Java, Ruby, Rust, and more
  • SPDX Output — compliance-ready SPDX 2.3 format
  • CycloneDX Output — OWASP-standard SBOM format
  • Container Support — scan images from registries, Docker, or OCI archives
  • Directory Scanning — scan project directories and filesystems
  • Binary Detection — identify Go binaries and ELF metadata
  • Grype Integration — pipe SBOMs directly to Grype for vulnerability scanning
  • Attestation — sign SBOMs with cosign for supply chain verification

Comparison with Similar Tools

Feature             Syft             Trivy SBOM     cdxgen            Tern
SPDX Output         Yes              Yes            Yes               Yes
CycloneDX           Yes              Yes            Yes (primary)     No
Container Scan      Yes              Yes            Limited           Yes
Language Support    15+              15+            10+               Limited
Binary Analysis     Yes              Limited        No                No
Grype Integration   Native           N/A            N/A               N/A
Speed               Fast             Fast           Moderate          Slow
Best For            Dedicated SBOM   All-in-one     CycloneDX focus   Container focus

FAQ

Q: What is an SBOM and why do I need one?
A: An SBOM is a list of all software components in your application. It enables vulnerability scanning (Grype, Trivy), license compliance checking, and supply chain risk assessment. US federal suppliers are increasingly required to provide SBOMs.

Q: SPDX vs CycloneDX — which format should I use?
A: SPDX is the Linux Foundation/ISO standard, preferred for compliance. CycloneDX is the OWASP standard, preferred in security toolchains. Generate both if unsure — Syft supports both.

Q: How do I integrate Syft into CI/CD?
A: Run Syft after building your Docker image to generate an SBOM artifact. Store it alongside the image. Pipe to Grype for vulnerability checks. Use cosign to attest the SBOM for verification.

Q: Does Syft slow down my build?
A: No. Syft analyzes existing images without rebuilding. Scanning a typical image takes 5-15 seconds. Store the SBOM as a build artifact for repeated vulnerability scanning.
