No description
Find a file
Alex Goodman f9d49885ae
simplify MatchNamedCaptureGroups implementation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-04-12 17:11:43 -04:00
.github ignore failures on benchmark sticky comment 2021-03-29 11:59:49 -04:00
cmd wire up file classifier to power-user cmd 2021-04-12 17:08:50 -04:00
internal simplify MatchNamedCaptureGroups implementation 2021-04-12 17:11:43 -04:00
schema update json schema + presenter snapshots with file classification section 2021-04-12 17:11:40 -04:00
syft add missing file classification test fixtures + gitignore adjustment 2021-04-12 17:11:43 -04:00
test Add secrets search capability (#367) 2021-04-01 21:34:15 +00:00
ui Add secrets search capability (#367) 2021-04-01 21:34:15 +00:00
.bouncer.yaml Add package URL support to the CycloneDX presenter (#164) 2020-08-30 21:40:19 -04:00
.gitignore update pipeline with new levels of testing 2021-03-22 10:58:07 -04:00
.golangci.yaml Disable lint rule prealloc 2020-12-23 11:35:49 -05:00
.goreleaser.yaml upgrade goreleaser + constrain pipeline tool cache 2021-03-23 06:58:30 -04:00
CONTRIBUTING.md docs: add contributing guidelines 2020-08-10 14:15:07 -04:00
Dockerfile add labels to the docker image + pin the docker pipeline install version 2021-03-18 16:28:03 -04:00
go.mod bump stereoscope ; pull in fix to ensure credentials are not HTML encoded 2021-04-05 14:20:49 -04:00
go.sum bump stereoscope ; pull in fix to ensure credentials are not HTML encoded 2021-04-05 14:20:49 -04:00
gon.hcl Revert "Add docker image and refactor release pipeline (#310)" 2021-03-11 12:42:18 -05:00
install.sh Avoid Finder window flash during install 2020-11-11 12:38:11 -05:00
LICENSE add apache v2 license 2020-06-24 14:37:00 -04:00
main.go Improve overall documentation (#148) 2020-08-13 16:34:32 -04:00
Makefile move docker login after keychain creation 2021-03-26 10:41:44 -04:00
README.md add documentation for the file classifier cataloger config options 2021-04-12 17:11:43 -04:00
RELEASE.md enable release environment (manual approval for releases) 2021-03-25 12:01:20 -04:00

syft

Validations Go Report Card GitHub release License: Apache-2.0

A CLI tool and go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

syft-demo

Features

  • Catalog container images and filesystems to discover packages and libraries.
  • Supports packages and libraries from various ecosystems (APK, DEB, RPM, Ruby Bundles, Python Wheel/Egg/requirements.txt, JavaScript NPM/Yarn, Java JAR/EAR/WAR, Jenkins plugins JPI/HPI, Go modules)
  • Linux distribution identification (supports Alpine, BusyBox, CentOS/RedHat, Debian/Ubuntu flavored distributions)
  • Supports Docker and OCI image formats

If you encounter an issue, please let us know using the issue tracker.

Getting started

To generate an SBOM for a Docker or OCI image:

syft <image>

Note: This is equivalent to specifying the packages subcommand:

syft packages <image>

The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:

syft packages <image> --scope all-layers

Syft can generate a SBOM from a variety of sources:

# catalog a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
syft packages path/to/image.tar

# catalog a directory
syft packages path/to/dir

The output format for Syft is configurable as well:

syft packages <image> -o <format>

Where the formats available are:

  • json: Use this to get as much information out of Syft as possible!
  • text: A row-oriented, human-and-machine-friendly output.
  • cyclonedx: A XML report conforming to the CycloneDX 1.2 specification.
  • table: A columnar summary (default).

Installation

Recommended (macOS and Linux)

# install the latest version to /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# install a specific version into a specific dir
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b <SOME_BIN_PATH> <RELEASE_VERSION>

Homebrew (macOS)

brew tap anchore/syft
brew install syft

Configuration

Configuration search paths:

  • .syft.yaml
  • .syft/config.yaml
  • ~/.syft.yaml
  • <XDG_CONFIG_HOME>/syft/config.yaml

Configuration options (example values are the default):

# the output format of the SBOM report (options: table, text, json)
# same as -o ; SYFT_OUTPUT env var
output: "table"

# suppress all output (except for the SBOM report)
# same as -q ; SYFT_QUIET env var
quiet: false

# enable/disable checking for application updates on startup
# same as SYFT_CHECK_FOR_APP_UPDATE env var
check-for-app-update: true

# cataloging packages is exposed through the packages and power-user subcommands
package:
  cataloger:
    # enable/disable cataloging of packages
    # SYFT_PACKAGE_CATALOGER_ENABLED env var
    enabled: true
    
    # the search space to look for packages (options: all-layers, squashed)
    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
    scope: "squashed"

# cataloging file classifications is exposed through the power-user subcommand
file-classification:
  cataloger:
    # enable/disable cataloging of file classifications
    # SYFT_FILE_CLASSIFICATION_CATALOGER_ENABLED env var
    enabled: true

    # the search space to look for file classifications (options: all-layers, squashed)
    # SYFT_FILE_CLASSIFICATION_CATALOGER_SCOPE env var
    scope: "squashed"

# cataloging file metadata is exposed through the power-user subcommand
file-metadata:
  cataloger:
    # enable/disable cataloging of file metadata
    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
    enabled: true
    
    # the search space to look for file metadata (options: all-layers, squashed)
    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
    scope: "squashed"
  
  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
  # SYFT_FILE_METADATA_DIGESTS env var
  digests: ["sha256"]

# cataloging secrets is exposed through the power-user subcommand
secrets:
  cataloger:
    # enable/disable cataloging of secrets
    # SYFT_SECRETS_CATALOGER_ENABLED env var
    enabled: true

    # the search space to look for secrets (options: all-layers, squashed)
    # SYFT_SECRETS_CATALOGER_SCOPE env var
    scope: "all-layers"

  # show extracted secret values in the final JSON report
  # SYFT_SECRETS_REVEAL_VALUES env var
  reveal-values: false

  # skip searching a file entirely if it is above the given size (default = 10MB; unit = bytes)
  # SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE env var
  skip-files-above-size: 10485760

  # name-regex pairs to consider when searching files for secrets. Note: the regex must match single line patterns
  # but may also have OPTIONAL multiline capture groups. Regexes with a named capture group of "value" will
  # use the entire regex to match, but the secret value will be assumed to be entirely contained within the 
  # "value" named capture group.
  additional-patterns: {}

  # names to exclude from the secrets search, valid values are: "aws-access-key", "aws-secret-key", "pem-private-key", 
  # "docker-config-auth", and "generic-api-key". Note: this does not consider any names introduced in the 
  # "secrets.additional-patterns" config option.
  # SYFT_SECRETS_EXCLUDE_PATTERN_NAMES env var
  exclude-pattern-names: []

log:
  # use structured logging
  # same as SYFT_LOG_STRUCTURED env var
  structured: false

  # the log level; note: detailed logging suppress the ETUI
  # same as SYFT_LOG_LEVEL env var
  level: "error"

  # location to write the log file (default is not to have a log file)
  # same as SYFT_LOG_FILE env var
  file: ""

# uploading package SBOM is exposed through the packages subcommand
anchore:
  # (feature-preview) the Anchore Enterprise Host or URL to upload results to (supported on Enterprise 3.0+)
  # same as -H ; SYFT_ANCHORE_HOST env var
  host: ""

  # (feature-preview) the path after the host to the Anchore External API (supported on Enterprise 3.0+)
  # same as SYFT_ANCHORE_PATH env var
  path: ""

  # (feature-preview) the username to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
  # same as -u ; SYFT_ANCHORE_USERNAME env var
  username: ""

  # (feature-preview) the password to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
  # same as -p ; SYFT_ANCHORE_PASSWORD env var
  password: ""

  # (feature-preview) path to dockerfile to be uploaded with the syft results to Anchore Enterprise (supported on Enterprise 3.0+)
  # same as -d ; SYFT_ANCHORE_DOCKERFILE env var
  dockerfile: ""