syft

module v1.11.1
Published: Aug 20, 2024 License: Apache-2.0

README

Syft

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

Introduction

Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.

Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. For commercial support options with Syft or Grype, please contact Anchore.

Features

  • Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries
  • Supports OCI, Docker and Singularity image formats
  • Linux distribution identification
  • Works seamlessly with Grype (a fast, modern vulnerability scanner)
  • Able to create signed SBOM attestations using the in-toto specification
  • Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format

Installation

Syft binaries are provided for Linux, macOS and Windows.

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)
Homebrew

brew install syft

Scoop

scoop install syft

Chocolatey

The Chocolatey distribution of Syft is community-maintained and not distributed by the Anchore team.

choco install syft -y

Nix

Note: Nix packaging of Syft is community-maintained. Syft has been available in the stable channel since NixOS 22.05.

nix-env -i syft

... or, just try it out in an ephemeral nix shell:

nix-shell -p syft

Getting started

SBOM

To generate an SBOM for a container image:

syft <image>

The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:

syft <image> --scope all-layers

Output formats

The output format for Syft is configurable as well using the -o (or --output) option:

syft <image> -o <format>

Where the formats available are:

Note that flags using the @ can be used for earlier versions of each specification as well.
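An added example (not syft's own code) showing what the scope and format options above mean in practice: it normalizes a CycloneDX JSON and an SPDX JSON SBOM to package URLs and diffs a default squashed-scope scan against an all-layers scan of the same image. The two sample documents are constructed and minimal; their field names follow the CycloneDX JSON and SPDX JSON layouts as assumed here.

```python
"""Normalize syft SBOM output to package URLs and diff a squashed-scope scan against
an all-layers scan. Added example, not part of syft; samples are constructed and
follow the CycloneDX JSON and SPDX JSON layouts as assumed here."""
import json

# Constructed sample: CycloneDX JSON from a default (squashed-scope) scan of the final image.
SQUASHED_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4",
         "purl": "pkg:apk/alpine/musl@1.2.4"},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:apk/alpine/busybox@1.36.1"},
    ],
})


def _spdx_pkg(name, version, purl):
    """Build one constructed SPDX package entry carrying a purl external ref."""
    return {"name": name, "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": purl}]}


# Constructed sample: SPDX JSON for the same image scanned with --scope all-layers;
# curl was installed in a build layer and deleted again before the final layer.
ALL_LAYERS_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "example-image",
    "packages": [
        _spdx_pkg("musl", "1.2.4", "pkg:apk/alpine/musl@1.2.4"),
        _spdx_pkg("busybox", "1.36.1", "pkg:apk/alpine/busybox@1.36.1"),
        _spdx_pkg("curl", "8.4.0", "pkg:apk/alpine/curl@8.4.0"),
    ],
})


def packages(sbom_text):
    """Return the set of purls in a CycloneDX JSON or SPDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return {c["purl"] for c in doc.get("components", []) if "purl" in c}
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return {r["referenceLocator"] for p in doc.get("packages", [])
                for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"}
    raise ValueError("unrecognised SBOM format")


def layer_only(squashed_sbom, all_layers_sbom):
    """Packages found only in intermediate layers: removed or overwritten before
    the final image, yet still shipped in the image's layer history."""
    return packages(all_layers_sbom) - packages(squashed_sbom)
```

Packages reported by `layer_only` never reach the running container, but they are still pulled with the image and are worth scanning with Grype alongside the squashed result.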

Supported Ecosystems

  • Alpine (apk)
  • C (conan)
  • C++ (conan)
  • Dart (pubs)
  • Debian (dpkg)
  • Dotnet (deps.json)
  • Objective-C (cocoapods)
  • Elixir (mix)
  • Erlang (rebar3)
  • Go (go.mod, Go binaries)
  • Haskell (cabal, stack)
  • Java (jar, ear, war, par, sar, nar, native-image)
  • JavaScript (npm, yarn)
  • Jenkins Plugins (jpi, hpi)
  • Linux kernel archives (vmlinz)
  • Linux kernel modules (ko)
  • Nix (outputs in /nix/store)
  • PHP (composer)
  • Python (wheel, egg, poetry, requirements.txt)
  • Red Hat (rpm)
  • Ruby (gem)
  • Rust (cargo.lock)
  • Swift (cocoapods, swift-package-manager)
  • Wordpress plugins

Documentation

Our wiki contains further details on the following topics:

Contributing

Check out our contributing guide and developer docs.

Syft Team Meetings

The Syft Team holds regular community meetings online. All are welcome to join and bring topics for discussion.

Directories

Path: Synopsis

cmd
examples
internal: Package internal contains miscellaneous functions and objects useful within syft but should not be used externally.
bus: Package bus provides access to a singleton instance of an event bus (provided by the calling application).
log: Package log contains the singleton object and helper functions for facilitating logging within the syft library.
spdxlicense: Code generated by go generate; DO NOT EDIT.
syft: Package syft is a "one-stop-shop" for helper utilities for all major functionality provided by child packages of the syft library.
cpe
event: Package event provides event types for all events that the syft library publishes onto the event bus.
event/parsers: Package parsers provides parser helpers to extract payloads for each event type that the syft library publishes onto the event bus.
license: Package license provides common methods for working with SPDX license data.
pkg: Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.
pkg/cataloger/alpine: Package alpine provides a concrete Cataloger implementation for packages relating to the Alpine Linux distribution.
pkg/cataloger/arch: Package arch provides a concrete Cataloger implementation for packages relating to the Arch Linux distribution.
pkg/cataloger/binary: Package binary provides a concrete Cataloger implementation for surfacing possible packages based on signatures found within binary files.
pkg/cataloger/cpp: Package cpp provides a concrete Cataloger implementation for the C/C++ language ecosystem.
pkg/cataloger/dart: Package dart provides a concrete Cataloger implementation for the Dart language ecosystem.
pkg/cataloger/debian: Package debian provides a concrete Cataloger implementation relating to packages within the Debian Linux distribution.
pkg/cataloger/dotnet: Package dotnet provides a concrete Cataloger implementation relating to packages within the C#/.NET language/runtime ecosystem.
pkg/cataloger/elixir: Package elixir provides a concrete Cataloger implementation relating to packages within the Elixir language ecosystem.
pkg/cataloger/erlang: Package erlang provides concrete Cataloger implementations relating to packages within the Erlang language ecosystem.
pkg/cataloger/gentoo: Package gentoo provides a concrete Cataloger implementation relating to packages within the Gentoo Linux ecosystem.
pkg/cataloger/githubactions: Package githubactions provides a concrete Cataloger implementation for GitHub Actions packages (both actions and workflows).
pkg/cataloger/golang: Package golang provides a concrete Cataloger implementation relating to packages within the Go language ecosystem.
pkg/cataloger/haskell: Package haskell provides a concrete Cataloger implementation relating to packages within the Haskell language ecosystem.
pkg/cataloger/internal/cpegenerate/dictionary/index-generator: This program downloads the latest CPE dictionary from NIST and processes it into a JSON file that can be embedded into Syft for more accurate CPE results.
pkg/cataloger/java: Package java provides a concrete Cataloger implementation for packages relating to the Java language ecosystem.
pkg/cataloger/javascript: Package javascript provides a concrete Cataloger implementation for packages relating to the JavaScript language ecosystem.
pkg/cataloger/kernel: Package kernel provides a concrete Cataloger implementation for Linux kernel and module files.
pkg/cataloger/lua: Package lua provides a concrete Cataloger implementation for packages relating to the Lua language ecosystem.
pkg/cataloger/nix: Package nix provides a concrete Cataloger implementation for packages within the Nix packaging ecosystem.
pkg/cataloger/php: Package php provides a concrete Cataloger implementation relating to packages within the PHP language ecosystem.
pkg/cataloger/python: Package python provides a concrete Cataloger implementation relating to packages within the Python language ecosystem.
pkg/cataloger/r: Package r provides a concrete Cataloger implementation relating to packages within the R language ecosystem.
pkg/cataloger/redhat: Package redhat provides a concrete DBCataloger implementation relating to packages within the Red Hat Linux distribution.
pkg/cataloger/ruby: Package ruby provides a concrete Cataloger implementation relating to packages within the Ruby language ecosystem.
pkg/cataloger/rust: Package rust provides a concrete Cataloger implementation relating to packages within the Rust language ecosystem.
pkg/cataloger/sbom: Package sbom provides a concrete Cataloger implementation for capturing packages embedded within SBOM files.
pkg/cataloger/swift: Package swift provides a concrete Cataloger implementation relating to packages within the Swift language ecosystem.
pkg/cataloger/swipl: Package swipl provides a Cataloger implementation relating to packages within the SWI-Prolog language ecosystem.
source: Package source provides an abstraction that lets a user loosely define a data source to catalog, and exposes a common interface that catalogers can use to explore and analyze data from that source.
