Scripts · Apr 13, 2026 · 3 min read

Syft — Generate Software Bill of Materials from Container Images

Syft generates Software Bill of Materials (SBOMs) from container images and filesystems. It detects packages across OS and language ecosystems, outputting SPDX, CycloneDX, and custom formats for compliance, vulnerability scanning, and supply chain security.

TL;DR
Syft scans container images and filesystems to generate SBOMs in SPDX, CycloneDX, and custom formats.
§01

What it is

Syft is a CLI tool by Anchore that generates Software Bill of Materials (SBOMs) from container images, filesystems, and archives. It detects packages across OS-level (dpkg, apk, rpm) and language-level (npm, pip, Maven, Go modules) ecosystems. Output formats include SPDX, CycloneDX, and Syft's own JSON format.

Syft targets DevSecOps engineers, compliance teams, and any organization that needs to track software components in their container supply chain. SBOMs are increasingly required by regulations and enterprise procurement processes.

§02

How it saves time or tokens

Manually inventorying every package in a container image is impractical. Syft automates the scan in seconds, producing a structured document listing every component, version, and license. Pairing Syft with Grype (Anchore's vulnerability scanner) turns an SBOM into an actionable vulnerability report without manual cross-referencing.

§03

How to use

  1. Install Syft via Homebrew, curl, or a container image.
  2. Point Syft at a container image, directory, or archive.
  3. Choose your output format.
```bash
# Install
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s

# Scan a container image
syft nginx:latest

# Output as CycloneDX JSON
syft nginx:latest -o cyclonedx-json > sbom.cdx.json

# Output as SPDX
syft nginx:latest -o spdx-json > sbom.spdx.json

# Scan a local directory
syft dir:/path/to/project
```

§04

Example

Excerpt from Syft JSON output:

```json
{
  "artifacts": [
    {
      "name": "openssl",
      "version": "3.1.4-r2",
      "type": "apk",
      "licenses": ["Apache-2.0"]
    },
    {
      "name": "express",
      "version": "4.18.2",
      "type": "npm",
      "licenses": ["MIT"]
    }
  ]
}
```

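The following is an added example, not code from the Syft project or from this page: a small policy check run over JSON in the shape of the excerpt above, flagging artifacts with no version, no declared license, or a license outside a constructed allowlist. It assumes the string license form shown in the excerpt; accepting the object form with `value`/`spdxExpression` keys used by newer Syft releases is an assumption, and the sample SBOM is constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of the Syft JSON excerpt (not real scanner output).
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "openssl", "version": "3.1.4-r2", "type": "apk", "licenses": ["Apache-2.0"]},
        {"name": "express", "version": "4.18.2", "type": "npm", "licenses": ["MIT"]},
        {"name": "leftpad-ish", "version": "", "type": "npm", "licenses": []},
        {"name": "some-gpl-lib", "version": "1.0.0", "type": "deb", "licenses": ["GPL-3.0-only"]},
    ]
})

# Constructed policy: licenses this organisation accepts without review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}


def license_ids(artifact):
    """Return license identifiers as strings. Handles the plain-string form shown on the
    page and (assumption) the object form with 'value'/'spdxExpression' keys."""
    ids = []
    for lic in artifact.get("licenses", []):
        if isinstance(lic, dict):
            lic = lic.get("spdxExpression") or lic.get("value", "")
        if lic:
            ids.append(str(lic))
    return ids


def check_sbom(sbom_text, allowed=ALLOWED_LICENSES):
    """Parse Syft JSON and return (package count per ecosystem type, list of findings).
    A finding is a (package name, reason) tuple."""
    doc = json.loads(sbom_text)
    artifacts = doc.get("artifacts", [])
    summary = Counter(a.get("type", "unknown") for a in artifacts)
    findings = []
    for a in artifacts:
        name = a.get("name", "?")
        if not a.get("version"):
            findings.append((name, "missing version"))
        ids = license_ids(a)
        if not ids:
            findings.append((name, "no license declared"))
        for lic in ids:
            if lic not in allowed:
                findings.append((name, f"license {lic} not in allowlist"))
    return dict(summary), findings


if __name__ == "__main__":
    summary, findings = check_sbom(SAMPLE_SBOM)
    print("packages by ecosystem:", summary)
    for name, reason in findings:
        print(f"FINDING {name}: {reason}")
```

To run it against a real scan, feed the output of `syft <image> -o json` to `check_sbom` instead of the constructed sample.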
§06

Common pitfalls

  • Syft scans the final layer of a container image by default. Multi-stage build artifacts from earlier stages are not included unless explicitly scanned.
  • Language-level package detection requires lock files (package-lock.json, go.sum, requirements.txt). If lock files are missing, Syft may report fewer packages than actually installed.
  • SBOM format choice matters: CycloneDX is preferred by many enterprise tools, while SPDX is the ISO standard. Check your compliance requirement before choosing.

Frequently Asked Questions

What is an SBOM and why do I need one?

A Software Bill of Materials is a structured list of all software components in an application or container. It enables vulnerability scanning, license compliance checks, and supply chain auditing. Regulations like the US Executive Order on Cybersecurity increasingly require SBOMs for government software procurement.

How does Syft differ from Trivy for SBOM generation?

Both generate SBOMs from container images. Syft is focused on SBOM generation and integrates tightly with Grype for vulnerability scanning. Trivy is a broader security scanner that also generates SBOMs. Syft typically detects more package types and provides richer metadata in its output.

Can I use Syft in CI/CD pipelines?

Yes. Syft is designed for CI/CD integration. Run it as a step in your pipeline to generate an SBOM on every build. The JSON output can be stored as a build artifact and fed into vulnerability scanners or compliance tools automatically.

What container registries does Syft support?

Syft supports Docker Hub, GitHub Container Registry, Amazon ECR, Google Artifact Registry, Azure Container Registry, and any OCI-compliant registry. It uses standard container image pull mechanisms, so any registry that supports docker pull works with Syft.

Does Syft detect vulnerabilities?

No. Syft generates SBOMs (the inventory). For vulnerability detection, use Grype, which reads Syft's SBOM output and matches components against vulnerability databases. The two tools are designed to work together as a pipeline: syft generates, grype analyzes.
