Syft

Syft

github.com

1

About this website

Syft is a CLI tool and library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Developed by Anchore (a container security company), Syft has over 6,400 stars as of 2026 and has become the de facto standard tool for SBOM generation in cloud-native and DevSecOps workflows. Syft analyzes container images, files, and archives to identify the packages (libraries, dependencies, and modules) they contain, along with versions, licenses, and metadata. Key features include: support for over 30 ecosystem package types (including Python pip, Node.js npm, Ruby gems, Java JAR/Maven, Go modules, Rust crates, PHP composer, .NET NuGet, C/C++ libraries, Debian dpkg, RPM, Alpine apk, Jenkins plugins, and many more), multiple SBOM output formats (CycloneDX JSON/XML, SPDX JSON/TagValue, Syft JSON, and Syft Table format for human readability), filesystem scanning (analyzing directories and archives in addition to Docker/OCI images), OS package detection (identifying OS-level packages from dpkg, RPM, and apk databases embedded in container images), language ecosystem detection (identifying packages from language-specific package managers and lock files like package-lock.json, requirements.txt, go.mod, Cargo.toml, and Gemfile.lock), license detection (identifying SPDX license identifiers for packages by analyzing license files), package hash and digest computation, vulnerability scanning integration (feeding SBOMs to Grype or other vulnerability scanners for CVE matching), JSON output for automation and CI/CD integration, config file support (.syft.yaml for default options), attestations (generating in-toto attestations for supply chain security via SLSA framework), and cataloger configuration (enabling/disabling specific package catalogers for performance optimization). Syft is written in Go.

Tags & Categories

Categories

Tags

Statistics

1
Views
0
Clicks
0
Like
0
Dislike

Comments

Log In to post a comment

No comments yet. Be the first!