No description
Find a file
Harippriya Sivapatham cc15edca62
fix: use organization for package supplier when reading Java vendor fields (#3093)
Signed-off-by: Harippriya Sivapatham <harippriyasivapatham@gmail.com>
2024-08-03 16:00:55 -04:00
.github chore: update release script to use gh from binny (#3084) 2024-07-31 20:10:17 -04:00
cmd/syft Added the SWI Prolog (swipl) ecosystem (#3076) 2024-07-31 16:13:26 -04:00
examples docs: add simplest example from regsitry (#2691) 2024-03-06 14:25:37 -05:00
internal Added the SWI Prolog (swipl) ecosystem (#3076) 2024-07-31 16:13:26 -04:00
schema Added the SWI Prolog (swipl) ecosystem (#3076) 2024-07-31 16:13:26 -04:00
syft fix: use organization for package supplier when reading Java vendor fields (#3093) 2024-08-03 16:00:55 -04:00
test add signature verification to install.sh (#2941) 2024-06-10 11:29:53 -04:00
.binny.yaml chore(deps): update tools to latest versions (#3091) 2024-08-02 13:25:09 -04:00
.bouncer.yaml chore(deps): update stereoscope to 487b11e5ba2622d976acda10c605da63b4fbbb0a (#3032) 2024-07-18 09:26:01 -07:00
.chronicle.yaml enforce breaking change bump major version (#2635) 2024-02-28 15:48:20 -05:00
.gitignore Internalize majority of cmd package (#2533) 2024-01-24 13:29:51 -05:00
.golangci.yaml feat: add relationships to ELF package discovery (#2715) 2024-05-09 13:53:59 -04:00
.goreleaser.yaml chore(deps): update tools to latest versions (#2940) 2024-06-07 16:55:32 +00:00
artifacthub-repo.yml chore: claim artifacthub package ownership from developer-guy (#881) 2023-01-11 15:25:42 -05:00
CODE_OF_CONDUCT.md docs: CODE_OF_CONDUCT.md (#3046) 2024-07-17 14:33:17 -07:00
CONTRIBUTING.md feat: update golang to 1.19 (#1526) 2023-01-31 11:39:57 -05:00
CONTRIBUTORS.md Add cataloger for Swift Package Manager. (#1919) 2023-07-25 14:35:21 -04:00
DEVELOPING.md Internalize majority of cmd package (#2533) 2024-01-24 13:29:51 -05:00
Dockerfile chore: pin and update all workflow dependencies; add permission scopes (#2138) 2023-09-15 14:18:42 -04:00
Dockerfile.debug chore: pin and update all workflow dependencies; add permission scopes (#2138) 2023-09-15 14:18:42 -04:00
go.mod fix: improve determinism in java archive identification (#3085) 2024-07-30 12:02:52 -04:00
go.sum chore(deps): update stereoscope to 50ce3be7aa1fb8829234ae648215e7907196bfa5 (#3075) 2024-07-29 10:04:46 -04:00
install.sh add signature verification to install.sh (#2941) 2024-06-10 11:29:53 -04:00
LICENSE add apache v2 license 2020-06-24 14:37:00 -04:00
Makefile Upgrade tool management (#2188) 2023-10-25 09:08:43 -04:00
README.md docs: link to contrib/dev docs in readme (#3029) 2024-07-16 06:59:31 -07:00
RELEASE.md switch from trigger-release target to release target (#1560) 2023-02-09 16:35:11 +00:00
SECURITY.md add security policy (#2835) 2024-05-02 14:45:17 +00:00
Taskfile.yaml Restore version file update on release (#2844) 2024-05-06 15:14:43 -04:00

Cute pink owl syft logo

Syft

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

 Validations   Go Report Card   GitHub release   GitHub go.mod Go version   License: Apache-2.0   Slack 

syft-demo

Introduction

Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.

Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. For commercial support options with Syft or Grype, please contact Anchore.

Features

  • Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries
  • Supports OCI, Docker and Singularity image formats
  • Linux distribution identification
  • Works seamlessly with Grype (a fast, modern vulnerability scanner)
  • Able to create signed SBOM attestations using the in-toto specification
  • Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format.

Installation

Syft binaries are provided for Linux, macOS and Windows.

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)

Homebrew

brew install syft

Scoop

scoop install syft

Chocolatey

The chocolatey distribution of Syft is community-maintained and not distributed by the Anchore team

choco install syft -y

Nix

Note: Nix packaging of Syft is community maintained. Syft is available in the stable channel since NixOS 22.05.

nix-env -i syft

... or, just try it out in an ephemeral nix shell:

nix-shell -p syft

Getting started

SBOM

To generate an SBOM for a container image:

syft <image>

The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:

syft <image> --scope all-layers

Output formats

The output format for Syft is configurable as well using the -o (or --output) option:

syft <image> -o <format>

Where the formats available are:

Note that flags using the @ can be used for earlier versions of each specification as well.

Supported Ecosystems

  • Alpine (apk)
  • C (conan)
  • C++ (conan)
  • Dart (pubs)
  • Debian (dpkg)
  • Dotnet (deps.json)
  • Objective-C (cocoapods)
  • Elixir (mix)
  • Erlang (rebar3)
  • Go (go.mod, Go binaries)
  • Haskell (cabal, stack)
  • Java (jar, ear, war, par, sar, nar, native-image)
  • JavaScript (npm, yarn)
  • Jenkins Plugins (jpi, hpi)
  • Linux kernel archives (vmlinz)
  • Linux kernel modules (ko)
  • Nix (outputs in /nix/store)
  • PHP (composer)
  • Python (wheel, egg, poetry, requirements.txt)
  • Red Hat (rpm)
  • Ruby (gem)
  • Rust (cargo.lock)
  • Swift (cocoapods, swift-package-manager)
  • Wordpress plugins

Documentation

Our wiki contains further details on the following topics:

Contributing

Check out our contributing guide and developer docs.

Syft Team Meetings

The Syft Team hold regular community meetings online. All are welcome to join to bring topics for discussion.