# Syft — Generate Software Bill of Materials from Container Images

> Syft generates Software Bill of Materials (SBOMs) from container images and filesystems. It detects packages across OS and language ecosystems, outputting SPDX, CycloneDX, and custom formats for compliance, vulnerability scanning, and supply chain security.

## Quick Use

```bash
# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Or: brew install syft

# Generate SBOM for a container image
syft nginx:latest

# Output as SPDX JSON (industry standard)
syft nginx:latest -o spdx-json > sbom.spdx.json

# Output as CycloneDX (OWASP standard)
syft nginx:latest -o cyclonedx-json > sbom.cdx.json

# Scan a local directory
syft dir:/path/to/project

# Scan and pipe to Grype for vulnerabilities
syft myapp:latest -o json | grype
```

## Introduction

Syft creates a complete inventory of all software packages in a container image or filesystem. This inventory — called a Software Bill of Materials (SBOM) — lists every OS package, language dependency, and binary with version information. SBOMs are increasingly required for compliance (US Executive Order 14028) and are essential for vulnerability management.

With over 9,000 GitHub stars, Syft is the most popular open-source SBOM generator. Created by Anchore, it pairs with Grype for vulnerability scanning and supports industry-standard formats (SPDX, CycloneDX) required by government and enterprise customers.

## What Syft Does

Syft catalogs all software components in a container image: APK packages (Alpine), DEB packages (Debian/Ubuntu), RPM packages (RHEL/Fedora), npm modules, Python packages, Go modules, Java JARs, Ruby gems, Rust crates, and more. It outputs this catalog in standard SBOM formats.
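An SBOM only pays off once something consumes it. As an added example (not code from the Syft project or from this page), the script below reads two CycloneDX JSON documents of the shape `syft <image> -o cyclonedx-json` produces, reports drift between the previous build's SBOM and the current one (packages added, removed, or bumped), and applies a small policy: denied package names and missing licenses on language packages. The two SBOM documents, the package name `legacy-crypto-shim` and the denied list are constructed for this example, and `parse_purl`, `cyclonedx_inventory`, `diff_inventories`, `policy_findings` and `run_check` are names chosen here, not Syft APIs.

```python
"""Drift and policy check over Syft CycloneDX SBOMs from two builds.

Added example, not Syft project code. Assumes both documents came from
`syft <image> -o cyclonedx-json`; the samples below are constructed and
trimmed to the fields read here (purl, version, licenses).
"""
import json
from urllib.parse import unquote

# Constructed sample: SBOM kept from the previous release build.
BASELINE_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.11-1~deb12u2",
     "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "@babel/core", "version": "7.23.0",
     "purl": "pkg:npm/%40babel/core@7.23.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed sample: SBOM of the image just built. openssl was upgraded, lodash
# dropped out, and an unlicensed package with a made-up name appeared.
CURRENT_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13-1~deb12u1",
     "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64&distro=debian-12",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "@babel/core", "version": "7.23.0",
     "purl": "pkg:npm/%40babel/core@7.23.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "legacy-crypto-shim", "version": "0.1.0",
     "purl": "pkg:npm/legacy-crypto-shim@0.1.0"}
  ]
}"""


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.
    Scoped npm names arrive percent-encoded (pkg:npm/%40babel/core), so the
    '@' that introduces the version is located before decoding."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    ptype, _, path = path.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    return {"type": ptype, "namespace": "/".join(segments[:-1]),
            "name": segments[-1], "version": version}


def cyclonedx_inventory(doc):
    """Index components by identity (type + namespace + name) so that a version
    bump is reported as a change, not as a removal plus an addition."""
    inventory = {}
    for comp in doc.get("components", []):
        if comp.get("purl"):
            p = parse_purl(comp["purl"])
        else:  # no purl: fall back to the component's own name/version
            p = {"type": comp.get("type", "unknown"), "namespace": "",
                 "name": comp["name"], "version": comp.get("version", "")}
        identity = f'{p["type"]}:' + "/".join(s for s in (p["namespace"], p["name"]) if s)
        rec = inventory.setdefault(identity, {"type": p["type"], "name": p["name"],
                                              "versions": set(), "licenses": set()})
        rec["versions"].add(p["version"])
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            found = entry.get("expression") or lic.get("id") or lic.get("name")
            if found:
                rec["licenses"].add(found)
    return inventory


def diff_inventories(baseline, current):
    """Packages that appeared, disappeared, or changed version between builds."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(k for k in common if baseline[k]["versions"] != current[k]["versions"])}


def policy_findings(inventory, denied_names=(), license_required_types=("npm", "pypi", "golang")):
    """Flag denied names and language packages with no license recorded. OS packages
    are exempt from the license check by default, as distro metadata often omits it."""
    findings = []
    for identity, rec in sorted(inventory.items()):
        if rec["name"] in denied_names:
            findings.append(f"DENIED {identity} {sorted(rec['versions'])}")
        if rec["type"] in license_required_types and not rec["licenses"]:
            findings.append(f"NO-LICENSE {identity}")
    return findings


def run_check(baseline_json, current_json, denied_names=()):
    """The whole check as a CI step would run it: drift report plus policy findings."""
    baseline = cyclonedx_inventory(json.loads(baseline_json))
    current = cyclonedx_inventory(json.loads(current_json))
    report = diff_inventories(baseline, current)
    report["findings"] = policy_findings(current, denied_names)
    return report


if __name__ == "__main__":
    print(json.dumps(run_check(BASELINE_JSON, CURRENT_JSON, ("legacy-crypto-shim",)), indent=2))
```

In a pipeline the two strings would be read from the stored SBOM artifact of the last release and the file Syft just wrote; a non-empty `findings` list or an unexpected `added` entry is what the job should fail on, while `changed` entries are the list to feed into Grype for a fresh vulnerability look.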
## Architecture Overview

```
   [Container Image / Filesystem]
                 |
    [Syft Cataloger Engine (Go)]
                 |
         [Package Catalogers]
    +------+------+------+------+
    |      |      |      |      |
  [OS]   [npm]   [pip]   [Go]   [Java]
  apk    package require go.sum Maven
  dpkg   -lock   ments   go.mod Gradle
  rpm    .json   .txt    binary JAR
                 |
          [SBOM Generation]
  Package name, version, type, location,
  licenses, CPE identifiers, PURLs
                 |
           [Output Formats]
  SPDX (JSON, tag-value)
  CycloneDX (JSON, XML)
  Syft JSON (native)
  Table (human-readable)
```

## Self-Hosting & Configuration

```bash
# Generate SBOMs in different formats

# Human-readable table
syft node:20-slim

# SPDX JSON (for compliance)
syft node:20-slim -o spdx-json > node20-sbom.spdx.json

# CycloneDX JSON (for OWASP toolchain)
syft node:20-slim -o cyclonedx-json > node20-sbom.cdx.json

# Syft native JSON (for Grype input)
syft node:20-slim -o json > node20-sbom.syft.json
grype sbom:node20-sbom.syft.json

# Scan a local project directory
syft dir:./my-project -o spdx-json > project-sbom.json

# Scan a Docker archive
docker save myapp:latest -o myapp.tar
syft docker-archive:myapp.tar

# CI/CD: generate SBOM and scan in one pipeline
syft myapp:latest -o json | grype --fail-on critical
```

## Key Features

- **Multi-Ecosystem** — OS packages, npm, pip, Go, Java, Ruby, Rust, and more
- **SPDX Output** — compliance-ready SPDX 2.3 format
- **CycloneDX Output** — OWASP-standard SBOM format
- **Container Support** — scan images from registries, Docker, or OCI archives
- **Directory Scanning** — scan project directories and filesystems
- **Binary Detection** — identify Go binaries and ELF metadata
- **Grype Integration** — pipe SBOMs directly to Grype for vulnerability scanning
- **Attestation** — sign SBOMs with cosign for supply chain verification

## Comparison with Similar Tools

| Feature | Syft | Trivy SBOM | cdxgen | Tern |
|---|---|---|---|---|
| SPDX Output | Yes | Yes | Yes | Yes |
| CycloneDX | Yes | Yes | Yes (primary) | No |
| Container Scan | Yes | Yes | Limited | Yes |
| Language Support | 15+ | 15+ | 10+ | Limited |
| Binary Analysis | Yes | Limited | No | No |
| Grype Integration | Native | N/A | N/A | N/A |
| Speed | Fast | Fast | Moderate | Slow |
| Best For | Dedicated SBOM | All-in-one | CycloneDX focus | Container focus |

## FAQ

**Q: What is an SBOM and why do I need one?**

A: An SBOM is a list of all software components in your application. It enables vulnerability scanning (Grype, Trivy), license compliance checking, and supply chain risk assessment. US federal suppliers are increasingly required to provide SBOMs.

**Q: SPDX vs CycloneDX — which format should I use?**

A: SPDX is the Linux Foundation/ISO standard, preferred for compliance. CycloneDX is the OWASP standard, preferred in security toolchains. Generate both if unsure — Syft supports both.

**Q: How do I integrate Syft into CI/CD?**

A: Run Syft after building your Docker image to generate an SBOM artifact. Store it alongside the image. Pipe to Grype for vulnerability checks. Use cosign to attest the SBOM for verification.

**Q: Does Syft slow down my build?**

A: No. Syft analyzes existing images without rebuilding. Scanning a typical image takes 5-15 seconds. Store the SBOM as a build artifact for repeated vulnerability scanning.

## Sources

- GitHub: https://github.com/anchore/syft
- Documentation: https://github.com/anchore/syft#readme
- Created by Anchore
- License: Apache-2.0

---

Source: https://tokrepo.com/en/workflows/87cf1b00-372b-11f1-9bc6-00163e2b0d79
Author: Script Depot
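The FAQ above recommends generating both SPDX and CycloneDX, and the architecture overview lists the fields every output format carries (name, version, licenses, PURLs). As an added example, not code from the Syft project or from this page, the script below normalizes an SPDX 2.3 JSON document and a CycloneDX JSON document of the shape `syft <image> -o spdx-json` and `-o cyclonedx-json` produce into one purl-keyed inventory and reports where the two disagree, which is a cheap sanity check before either file is handed to an auditor or a scanner. The two sample documents are constructed and trimmed to the fields read here; `normalize_spdx`, `normalize_cyclonedx`, `compare` and `compare_formats` are names chosen for this example.

```python
"""Normalize Syft SPDX 2.3 JSON and CycloneDX JSON into one package inventory.

Added example, not Syft project code. Assumes both documents describe the same
image; the samples below are constructed and trimmed to the fields read here.
"""
import json

NO_LICENSE = {"", "NOASSERTION", "NONE"}

# Constructed sample shaped like `syft nginx:latest -o spdx-json` (abridged).
SPDX_JSON = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "nginx:latest",
  "packages": [
    {"name": "nginx:latest", "SPDXID": "SPDXRef-DocumentRoot-Image-nginx",
     "versionInfo": "sha256:constructed", "licenseConcluded": "NOASSERTION"},
    {"name": "openssl", "SPDXID": "SPDXRef-Package-deb-openssl", "versionInfo": "3.0.11-1~deb12u2",
     "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0",
     "externalRefs": [
       {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
        "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.11:*:*:*:*:*:*:*"},
       {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
        "referenceLocator": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12"}]},
    {"name": "zlib1g", "SPDXID": "SPDXRef-Package-deb-zlib1g", "versionInfo": "1.2.13.dfsg-1",
     "licenseConcluded": "Zlib", "licenseDeclared": "Zlib",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
        "referenceLocator": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12"}]}
  ]
}"""

# Constructed sample shaped like `-o cyclonedx-json`: the image sits in
# metadata.component, zlib1g carries no license, and curl appears only here.
CDX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "container", "name": "nginx:latest"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.11-1~deb12u2",
     "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "zlib1g", "version": "1.2.13.dfsg-1",
     "purl": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1?arch=amd64&distro=debian-12"},
    {"type": "library", "name": "curl", "version": "7.88.1-10",
     "purl": "pkg:deb/debian/curl@7.88.1-10?arch=amd64&distro=debian-12",
     "licenses": [{"license": {"id": "curl"}}]}
  ]
}"""


def purl_key(purl):
    """Cross-format identity: the purl without qualifiers and subpath, since
    arch/distro qualifiers may be written differently by each format."""
    return purl.split("#", 1)[0].split("?", 1)[0]


def normalize_spdx(doc):
    """SPDX keeps the purl in externalRefs and the license in licenseConcluded /
    licenseDeclared. Packages without a purl (such as the image root package the
    document DESCRIBES) are returned separately instead of being dropped."""
    inventory, no_purl = {}, []
    for pkg in doc.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        if purl is None:
            no_purl.append(pkg["name"])
            continue
        lic = pkg.get("licenseConcluded", "")
        if lic in NO_LICENSE:  # fall back to what the package declares about itself
            lic = pkg.get("licenseDeclared", "")
        inventory[purl_key(purl)] = {"name": pkg["name"], "version": pkg.get("versionInfo", ""),
                                     "license": "" if lic in NO_LICENSE else lic}
    return inventory, no_purl


def normalize_cyclonedx(doc):
    """CycloneDX puts the purl on the component and licenses in a list of
    {license: {id|name}} or {expression} entries; join them as one expression."""
    inventory, no_purl = {}, []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            no_purl.append(comp["name"])
            continue
        ids = [e.get("expression") or e.get("license", {}).get("id") or e.get("license", {}).get("name")
               for e in comp.get("licenses", [])]
        inventory[purl_key(purl)] = {"name": comp["name"], "version": comp.get("version", ""),
                                     "license": " AND ".join(i for i in ids if i)}
    return inventory, no_purl


def compare(spdx_inv, cdx_inv):
    """Packages only one format reports, and packages whose license differs."""
    common = set(spdx_inv) & set(cdx_inv)
    return {"only_in_spdx": sorted(set(spdx_inv) - set(cdx_inv)),
            "only_in_cyclonedx": sorted(set(cdx_inv) - set(spdx_inv)),
            "license_mismatch": sorted(k for k in common if spdx_inv[k]["license"] != cdx_inv[k]["license"]),
            "common": sorted(common)}


def compare_formats(spdx_text, cdx_text):
    """Load both documents (strings, as read from the files Syft wrote) and report."""
    spdx_inv, spdx_no_purl = normalize_spdx(json.loads(spdx_text))
    cdx_inv, cdx_no_purl = normalize_cyclonedx(json.loads(cdx_text))
    result = compare(spdx_inv, cdx_inv)
    result["spdx_without_purl"], result["cyclonedx_without_purl"] = spdx_no_purl, cdx_no_purl
    return result


if __name__ == "__main__":
    print(json.dumps(compare_formats(SPDX_JSON, CDX_JSON), indent=2))
```

With real files, replace the two constants with the contents of `sbom.spdx.json` and `sbom.cdx.json` written by the commands in Quick Use; for one image produced by one Syft run the `only_in_*` lists should be empty, and a non-empty `license_mismatch` usually means one format recorded the declared license while the other recorded nothing, which is worth resolving before the SBOM is used for license compliance.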