Skills · April 13, 2026 · 1 min read

Syft — Generate Software Bill of Materials from Container Images

Syft generates Software Bill of Materials (SBOMs) from container images and filesystems. It detects packages across OS and language ecosystems, outputting SPDX, CycloneDX, and custom formats for compliance, vulnerability scanning, and supply chain security.

Agent-ready

Review before installing

This asset requires review first. The copied instructions ask the agent to dry-run, list the items it will write, and continue only after confirmation.

Needs Confirmation · 64/100 · policy: confirmation required
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust level: Established
Entry point: step-1.md
Review the command first:
npx -y tokrepo@latest install 87cf1b00-372b-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first and confirm the write set before running this command.

TL;DR
Syft scans container images and filesystems to generate SBOMs in SPDX, CycloneDX, and custom formats.
§01

What it is

Syft is a CLI tool by Anchore that generates Software Bill of Materials (SBOMs) from container images, filesystems, and archives. It detects packages across OS-level (dpkg, apk, rpm) and language-level (npm, pip, Maven, Go modules) ecosystems. Output formats include SPDX (JSON and tag-value), CycloneDX (JSON and XML), a human-readable table, and Syft's own JSON format (syft-json), which carries the most per-package detail.

Syft targets DevSecOps engineers, compliance teams, and any organization that needs to track software components in their container supply chain. SBOMs are increasingly required by regulations and enterprise procurement processes.

§02

How it saves time or tokens

Manually inventorying every package in a container image is impractical. Syft automates the scan in seconds, producing a structured document listing every component, version, and license. Pairing Syft with Grype (Anchore's vulnerability scanner) turns an SBOM into an actionable vulnerability report without manual cross-referencing.

§03

How to use

  1. Install Syft via Homebrew, curl, or a container image.
  2. Point Syft at a container image, directory, or archive.
  3. Choose your output format.

# Install. The script drops the binary into ./bin by default; pass
# "-- -b /usr/local/bin" to choose another directory and append a version tag
# to pin a release instead of taking whatever is current when the pipeline runs.
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s

# Scan a container image. Syft tries the Docker daemon, then Podman, then pulls
# from the registry; the default output is a table. For a reproducible SBOM,
# reference the image by digest (image@sha256:...) rather than a moving tag.
syft nginx:latest

# Output as CycloneDX JSON
syft nginx:latest -o cyclonedx-json > sbom.cdx.json

# Output as SPDX JSON
syft nginx:latest -o spdx-json > sbom.spdx.json

# Scan a local directory (a source tree, catalogued from its manifests and lock files)
syft dir:/path/to/project
§04

Example

// Excerpt from Syft JSON output
{
  "artifacts": [
    {
      "name": "openssl",
      "version": "3.1.4-r2",
      "type": "apk",
      "licenses": ["Apache-2.0"]
    },
    {
      "name": "express",
      "version": "4.18.2",
      "type": "npm",
      "licenses": ["MIT"]
    }
  ]
}
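Once an SBOM like the excerpt above exists, the useful work is consuming it. The following is an added example, not code from the Syft project: it loads a syft-json document, normalizes the `licenses` field (the excerpt shows bare strings; current Syft releases emit license objects with `value` and `spdxExpression` keys, so both shapes are handled), counts packages per ecosystem, and flags packages with no declared license or a license outside an allow list. The SBOM and the allow list are constructed for illustration.

```python
"""Consume a Syft JSON SBOM: normalize licenses, summarize, enforce a license policy."""
import json
from collections import Counter

# Constructed sample modelled on the excerpt above. Real syft-json artifacts carry
# more fields (purl, cpes, locations, foundBy, metadata). Two license shapes appear:
# bare strings (older schema) and objects (current schema).
SAMPLE_SBOM = """
{
  "artifacts": [
    {"name": "openssl", "version": "3.1.4-r2", "type": "apk",
     "licenses": ["Apache-2.0"]},
    {"name": "express", "version": "4.18.2", "type": "npm",
     "licenses": [{"value": "MIT", "spdxExpression": "MIT", "type": "declared"}]},
    {"name": "left-pad", "version": "1.3.0", "type": "npm",
     "licenses": []},
    {"name": "readline", "version": "8.2", "type": "apk",
     "licenses": [{"value": "GPL-3.0-or-later", "spdxExpression": "GPL-3.0-or-later",
                   "type": "declared"}]}
  ]
}
"""

# Hypothetical organizational allow list of SPDX identifiers.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def load_artifacts(text):
    """Parse a syft-json document and return its artifact list."""
    return json.loads(text).get("artifacts", [])


def licenses_of(artifact):
    """Return SPDX license identifiers for one artifact, whatever the schema shape.

    For license objects the spdxExpression is preferred over the raw value because
    it is already normalized; compound expressions ("MIT OR Apache-2.0") are returned
    as-is and would need an SPDX expression evaluator for a real policy engine.
    """
    out = []
    for lic in artifact.get("licenses") or []:
        if isinstance(lic, str):
            out.append(lic)
        elif isinstance(lic, dict):
            out.append(lic.get("spdxExpression") or lic.get("value") or "")
    return [l for l in out if l]


def summarize(artifacts):
    """Count packages per ecosystem (the artifact 'type' field: apk, npm, ...)."""
    return dict(Counter(a["type"] for a in artifacts))


def check_policy(artifacts, allowed=ALLOWED):
    """Return (type:name@version, reason) pairs for every license policy violation."""
    findings = []
    for a in artifacts:
        key = f"{a['type']}:{a['name']}@{a['version']}"
        lics = licenses_of(a)
        if not lics:
            # Unlicensed components are a compliance gap in their own right.
            findings.append((key, "no license declared"))
            continue
        disallowed = [l for l in lics if l not in allowed]
        if disallowed:
            findings.append((key, "license not on allow list: " + ", ".join(disallowed)))
    return findings


if __name__ == "__main__":
    arts = load_artifacts(SAMPLE_SBOM)
    print("packages by ecosystem:", summarize(arts))
    for key, reason in check_policy(arts):
        print(f"POLICY {key}: {reason}")
```

Run against a real document with `syft <image> -o syft-json > sbom.json` and swap `SAMPLE_SBOM` for the file contents; the same functions work unchanged because they only touch the `artifacts` array.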
§06

Common pitfalls

  • By default Syft catalogs the squashed filesystem of an image, that is, what a running container actually sees. Packages installed in one layer and deleted in a later one are not reported unless you pass --scope all-layers. Earlier stages of a multi-stage build are separate images and never part of the final image at all; if you need their inventory, build and scan the builder stage itself (for example with docker build --target <stage>).
  • Directory scans rely on manifests and lock files (package-lock.json, go.mod, requirements.txt and so on) and report declared dependencies; image scans read installed-package metadata instead. A source tree without lock files yields an incomplete, unpinned inventory, so Syft may report fewer packages than the build actually installs.
  • SBOM format choice matters: SPDX is the ISO standard (ISO/IEC 5962:2021), while CycloneDX, an OWASP project, is what many enterprise ingestion tools expect. Check the consumer's compliance requirement before choosing, and keep a syft-json copy if you need the richest per-package detail.
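The first pitfall is easiest to see by comparing two SBOMs of the same image, one from the default squashed scope and one from --scope all-layers; the same comparison answers "what changed between build N and N+1". This is an added example, not Syft code: it indexes each document by ecosystem and package name, then reports packages present only in one document and packages whose version set differs. Both input documents are constructed; the package names and versions are illustrative.

```python
"""Diff two Syft JSON SBOMs (squashed vs all-layers, or build N vs N+1)."""
import json

# Constructed pair. SQUASHED stands for `syft <image> -o syft-json`, ALL_LAYERS for
# `syft <image> --scope all-layers -o syft-json` on the same hypothetical image.
SQUASHED = """{"artifacts": [
  {"name": "openssl", "version": "3.1.4-r2", "type": "apk"},
  {"name": "express", "version": "4.18.2", "type": "npm"}
]}"""

ALL_LAYERS = """{"artifacts": [
  {"name": "openssl", "version": "3.1.4-r2", "type": "apk"},
  {"name": "openssl", "version": "3.1.3-r0", "type": "apk"},
  {"name": "express", "version": "4.18.2", "type": "npm"},
  {"name": "curl", "version": "8.5.0-r0", "type": "apk"}
]}"""


def index_sbom(text):
    """Map 'type:name' to the set of versions recorded for that package.

    A set is used because an all-layers scan legitimately reports several versions
    of one package when it was upgraded across layers.
    """
    idx = {}
    for a in json.loads(text)["artifacts"]:
        idx.setdefault(f"{a['type']}:{a['name']}", set()).add(a["version"])
    return idx


def diff_sboms(old_text, new_text):
    """Return packages only in new, only in old, and packages whose versions differ."""
    old, new = index_sbom(old_text), index_sbom(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {
        key: (sorted(old[key]), sorted(new[key]))
        for key in set(old) & set(new)
        if old[key] != new[key]
    }
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    result = diff_sboms(SQUASHED, ALL_LAYERS)
    # Packages that exist only in the all-layers view were installed in one layer
    # and removed in a later one: they ship inside the image but are not on the
    # running container's filesystem.
    print("only in intermediate layers:", result["added"])
    print("version sets that differ:", result["changed"])
```

Which scope is right depends on the question: the squashed view describes the runtime attack surface, while the all-layers view describes everything a registry actually distributes, which is what a customer or auditor pulling the image receives.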

FAQ

What is an SBOM and why do I need one?

A Software Bill of Materials is a structured list of all software components in an application or container, with their versions and, where known, licenses. It enables vulnerability scanning, license compliance checks, and supply chain auditing. In the US, Executive Order 14028 (May 2021) directed federal agencies to require SBOMs from software suppliers, and enterprise procurement increasingly asks for them as well.

How does Syft differ from Trivy for SBOM generation?

Both generate SBOMs from container images. Syft is focused on SBOM generation and integrates tightly with Grype for vulnerability scanning. Trivy is a broader security scanner (vulnerabilities, misconfigurations, secrets) that also generates SBOMs. Syft's own syft-json format records per-package detail such as file locations, the cataloger that found the package (foundBy), package URLs (purl) and CPEs, which is useful when you need to trace a component back to the files that evidence it.

Can I use Syft in CI/CD pipelines?

Yes. Syft is designed for CI/CD integration; Anchore also publishes a GitHub Action (anchore/sbom-action). Run it as a step in your pipeline to generate an SBOM on every build, pin the Syft version so results are reproducible, and store the output as a build artifact alongside the image digest it describes so it can be fed into vulnerability scanners or compliance tools automatically.

What container registries does Syft support?

Syft supports Docker Hub, GitHub Container Registry, Amazon ECR, Google Artifact Registry, Azure Container Registry, and any OCI-compliant registry. By default it looks for the image in the local Docker daemon, then Podman, and then pulls directly from the registry; prefix the reference with registry: to skip the local daemons. Registry credentials are taken from the standard Docker config (~/.docker/config.json), so anything you can docker pull, Syft can scan.

Does Syft detect vulnerabilities?

No. Syft generates SBOMs (the inventory). For vulnerability detection, use Grype, which reads Syft's SBOM output (for example grype sbom:./sbom.json, or syft piped into grype on stdin) and matches components against vulnerability databases. The two tools are designed to work together as a pipeline: syft generates, grype analyzes. Keeping the SBOM lets you re-run the match later as new advisories are published without rescanning the image.
