Scripts · April 13, 2026 · 1 minute read

Syft — Generate Software Bill of Materials from Container Images

Syft generates Software Bills of Materials (SBOMs) from container images and filesystems. It detects packages across OS and language ecosystems and outputs SPDX, CycloneDX, and its own native JSON format for compliance, vulnerability scanning, and supply chain security.

Script Depot · Community
Quick start

Try it first, then decide whether to dig deeper.

This section should tell both users and agents what to copy first, what to install, and where it goes.

# Install Syft. The install script takes the install directory (-b) and, as an
# optional last argument, a release tag; pin a tag in CI instead of tracking main.
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Or: brew install syft

# Generate an SBOM for a container image (human-readable table on stdout)
syft nginx:latest

# Output as SPDX JSON (ISO/IEC 5962 standard)
syft nginx:latest -o spdx-json > sbom.spdx.json

# Output as CycloneDX JSON (OWASP standard)
syft nginx:latest -o cyclonedx-json > sbom.cdx.json

# Scan a local directory (the dir: scheme keeps a path from being read as an image name)
syft dir:/path/to/project

# Scan and pipe to Grype for vulnerabilities; `-o json` is Syft's native format
# (alias syft-json), which carries the most detail for Grype to match on
syft myapp:latest -o json | grype

Introduction

Syft creates a complete inventory of the software packages in a container image or filesystem. This inventory, called a Software Bill of Materials (SBOM), lists every OS package and language dependency it can identify, plus selected binaries (for example Go binaries, whose embedded module list Syft reads), each with version information. SBOMs are increasingly required for compliance (US Executive Order 14028) and are essential for vulnerability management.

With over 9,000 GitHub stars, Syft is the most popular open-source SBOM generator. Created by Anchore, it pairs with Grype for vulnerability scanning and supports industry-standard formats (SPDX, CycloneDX) required by government and enterprise customers.

What Syft Does

Syft catalogs all software components in a container image: APK packages (Alpine), DEB packages (Debian/Ubuntu), RPM packages (RHEL/Fedora), npm modules, Python packages, Go modules, Java JARs, Ruby gems, Rust crates, and more. It outputs this catalog in standard SBOM formats.

Architecture Overview

[Container Image / Filesystem]
            |
   [Syft Cataloger Engine (Go)]
            |
      [Package Catalogers]
  +---------+---------+---------+---------+
  |         |         |         |         |
[OS]      [npm]              [pip]             [Go]       [Java]
apk       package-lock.json  requirements.txt  go.mod     Maven
dpkg                                           go.sum     Gradle
rpm                                            binaries   JAR
            |
      [SBOM Generation]
   Package name, version,
   type, location, licenses,
   CPE identifiers, PURLs
            |
      [Output Formats]
   SPDX (JSON, tag-value)
   CycloneDX (JSON, XML)
   Syft JSON (native)
   Table (human-readable)

Self-Hosting & Configuration

# Generate SBOMs in different formats

# Human-readable table
syft node:20-slim

# SPDX JSON (for compliance)
syft node:20-slim -o spdx-json > node20-sbom.spdx.json

# CycloneDX JSON (for OWASP toolchain)
syft node:20-slim -o cyclonedx-json > node20-sbom.cdx.json

# Syft native JSON (richest input for Grype)
syft node:20-slim -o json > node20-sbom.syft.json
grype sbom:node20-sbom.syft.json

# Scan a local project directory
syft dir:./my-project -o spdx-json > project-sbom.json

# Scan a Docker archive (useful when the image is built but not yet pushed)
docker save myapp:latest -o myapp.tar
syft docker-archive:myapp.tar

# CI/CD: generate SBOM and scan in one pipeline; --fail-on makes grype exit
# non-zero when a vulnerability at or above that severity is found
syft myapp:latest -o json | grype --fail-on critical

# Same gate, but keep the SBOM as a build artifact so it can be rescanned later
syft myapp:latest -o json > myapp.syft.json
grype sbom:myapp.syft.json --fail-on critical

Key Features

  • Multi-Ecosystem — OS packages, npm, pip, Go, Java, Ruby, Rust, and more
  • SPDX Output — compliance-ready SPDX 2.3 format
  • CycloneDX Output — OWASP-standard SBOM format
  • Container Support — scan images from registries, Docker, or OCI archives
  • Directory Scanning — scan project directories and filesystems
  • Binary Detection — identify Go binaries and ELF metadata
  • Grype Integration — pipe SBOMs directly to Grype for vulnerability scanning
  • Attestation — sign SBOMs with cosign for supply chain verification

Comparison with Similar Tools

Feature             Syft             Trivy SBOM    cdxgen            Tern
SPDX Output         Yes              Yes           Yes               Yes
CycloneDX           Yes              Yes           Yes (primary)     No
Container Scan      Yes              Yes           Limited           Yes
Language Support    15+              15+           10+               Limited
Binary Analysis     Yes              Limited       No                No
Grype Integration   Native           N/A           N/A               N/A
Speed               Fast             Fast          Moderate          Slow
Best For            Dedicated SBOM   All-in-one    CycloneDX focus   Container focus

FAQ

Q: What is an SBOM and why do I need one? A: An SBOM is a list of all software components in your application. It enables vulnerability scanning (Grype, Trivy), license compliance checking, and supply chain risk assessment. US federal suppliers are increasingly required to provide SBOMs.

Q: SPDX vs CycloneDX — which format should I use? A: SPDX is the Linux Foundation standard, published as ISO/IEC 5962:2021, and is preferred for compliance. CycloneDX is the OWASP standard, preferred in security toolchains. Generate both if unsure; Syft supports both from the same scan.

Q: How do I integrate Syft into CI/CD? A: Run Syft against the image right after it is built, before it is pushed, and save the SBOM as a build artifact next to the image (pin the Syft version so SBOMs from different builds are comparable). Feed that SBOM to Grype (`grype sbom:<file> --fail-on <severity>`) to gate the pipeline, and attest it with `syft attest` or cosign so consumers can verify that the SBOM was produced for that image digest.

Q: Does Syft slow down my build? A: Not materially. Syft reads the image that was already built (or pulls it) and rebuilds nothing; cataloging a typical image takes 5-15 seconds, longer for large images with many language packages. Store the SBOM as a build artifact so that later vulnerability scans, as new CVEs are published, run against the stored SBOM instead of re-cataloging the image.
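The following script is an added example, not code from Syft or Anchore. It consumes the CycloneDX JSON that `syft -o cyclonedx-json` produces and applies the two checks a CI gate built on the FAQ above needs: a license and version policy over the fields the architecture diagram lists (name, version, purl, licenses), and a drift diff against the previous build's stored SBOM. The two sample SBOMs, the DENIED_LICENSES set and every function name are assumptions constructed for the example.

```python
"""Policy gate over a Syft-generated CycloneDX JSON SBOM (added example, not
Syft's own code). Assumes the SBOM came from `syft <image> -o cyclonedx-json`:
every "components" entry carries name, version, type, a package URL (purl) and,
where Syft recorded one, a "licenses" list. Both SBOMs below are constructed by
hand to mirror that shape, and DENIED_LICENSES is an assumed policy."""
import json

# Constructed: SBOM kept as a build artifact from the previous image build.
PREVIOUS_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "openssl", "version": "3.1.4-r1",
     "purl": "pkg:apk/alpine/openssl@3.1.4-r1?arch=x86_64",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
]})

# Constructed: SBOM of the build under test.
CURRENT_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "openssl", "version": "3.1.4-r5",
     "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "readline", "version": "8.2",
     "purl": "pkg:generic/readline@8.2", "licenses": [{"expression": "GPL-3.0-only"}]},
    # A vendored binary Syft found but could not version: unusable for CVE matching.
    {"type": "library", "name": "vendored-lib", "purl": "pkg:generic/vendored-lib"},
]})

DENIED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}  # assumed policy


def parse_purl(purl):
    """Split pkg:type/[namespace/]name[@version][?k=v&...][#subpath] into parts.
    npm scopes are percent-encoded in a purl, so the first '@' is the version."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    rest = purl[len("pkg:"):].partition("#")[0]
    rest, _, qualifiers = rest.partition("?")
    path, _, version = rest.partition("@")
    parts = path.split("/")
    return {"type": parts[0], "namespace": "/".join(parts[1:-1]), "name": parts[-1],
            "version": version,
            "qualifiers": dict(q.split("=", 1) for q in qualifiers.split("&") if q)}


def load_components(sbom_text):
    """Return the "components" list of a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected CycloneDX (syft -o cyclonedx-json)")
    return doc.get("components", [])


def component_licenses(comp):
    """Collect SPDX ids or expressions from both license shapes CycloneDX allows."""
    found = []
    for entry in comp.get("licenses", []):
        if entry.get("license"):
            found.append(entry["license"].get("id") or entry["license"].get("name"))
        elif entry.get("expression"):
            found.append(entry["expression"])
    return found


def component_key(comp):
    """Version-independent identity used to diff two SBOMs of the same image."""
    if not comp.get("purl"):
        return "unknown/" + comp["name"]
    p = parse_purl(comp["purl"])
    return "/".join(x for x in (p["type"], p["namespace"], p["name"]) if x)


def check_policy(components, denied=DENIED_LICENSES):
    """One finding per component that fails the gate; an empty list means pass."""
    findings = []
    for c in components:
        if not c.get("version"):
            findings.append(f"{c['name']}: no version recorded, cannot be matched "
                            "against vulnerability data")
        bad = sorted(set(component_licenses(c)) & denied)
        if bad:
            findings.append(f"{c['name']}@{c.get('version', '?')}: denied license "
                            + ", ".join(bad))
    return findings


def diff_sboms(old_text, new_text):
    """Drift between the stored SBOM of the last build and the current one."""
    old = {component_key(c): c.get("version", "") for c in load_components(old_text)}
    new = {component_key(c): c.get("version", "") for c in load_components(new_text)}
    return {"added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new),
            "changed": sorted((k, old[k], new[k]) for k in new if k in old and old[k] != new[k])}


if __name__ == "__main__":
    findings = check_policy(load_components(CURRENT_SBOM))
    print("\n".join(["POLICY: " + f for f in findings] +
                    [f"DRIFT {k}: {v}" for k, v in diff_sboms(PREVIOUS_SBOM, CURRENT_SBOM).items()]))
    raise SystemExit(1 if findings else 0)
```

In a pipeline this would run after `syft <image> -o cyclonedx-json > current.cdx.json`, with the previous build's SBOM fetched from artifact storage; a non-zero exit fails the job the same way `grype --fail-on` does. Keying the diff on the purl without its version is what makes "openssl was bumped" distinguishable from "a new package appeared", which is the signal to review when an image changes without a source change.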
