
syft

Generate software bill of materials from images

TLDR

Generate SBOM for container image
$ syft [alpine:latest]
Generate SBOM in JSON format
$ syft [alpine:latest] -o json
Generate CycloneDX format SBOM
$ syft [alpine:latest] -o cyclonedx-json
Generate SPDX format SBOM
$ syft [alpine:latest] -o spdx-json
Scan a local directory
$ syft dir:[/path/to/project]
Scan a Docker archive
$ syft docker-archive:[image.tar]
Output multiple formats
$ syft [image] -o spdx-json=[sbom.spdx.json] -o cyclonedx-json=[sbom.cdx.json]

SYNOPSIS

syft [source] [options]
syft command [options]

DESCRIPTION

syft is a CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems. It identifies packages, libraries, and dependencies across multiple ecosystems.

Supported ecosystems include container images (Docker, OCI, Podman, Singularity), programming languages (Java, Python, JavaScript, Ruby, Go, Rust, .NET), and Linux distributions (Alpine, Debian, RHEL, and more).

Output formats include industry standards like CycloneDX and SPDX for compliance requirements, as well as native formats for integration with Anchore tools. Generated SBOMs can be used with vulnerability scanners like Grype.
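An SBOM is only useful once something consumes it. The following script is an added example for this page, not code from syft or Anchore: it reads the cyclonedx-json output that `syft [image] -o cyclonedx-json` produces, counts components per package ecosystem, flags components that carry no version or purl (the "accuracy depends on package metadata" caveat in practice, since a vulnerability matcher cannot resolve those), and compares two SBOMs of the same image to show package drift between builds. It assumes the standard CycloneDX JSON field names (`bomFormat`, `components[]`, `name`, `version`, `purl`); the two SBOM documents embedded below are constructed and heavily trimmed, not real syft output.

```python
import json
import sys
from typing import Dict, List

# Constructed sample shaped like a trimmed `syft <image> -o cyclonedx-json` result.
# The components are made up for this example; real output carries many more
# fields (metadata.tools, dependencies, properties, ...) and far more entries.
SAMPLE_CYCLONEDX = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
  "components": [
    {"type": "library", "name": "musl", "version": "1.2.4-r2",
     "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64&distro=alpine-3.19.1"},
    {"type": "library", "name": "openssl", "version": "3.1.4-r5",
     "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64&distro=alpine-3.19.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "vendored-helper", "version": "", "purl": ""}
  ]
}
'''


def load_components(sbom_text: str) -> List[Dict]:
    """Parse a CycloneDX JSON document and return its component list.

    Rejects anything that is not CycloneDX (e.g. an spdx-json file passed by
    mistake) so later steps never operate on the wrong schema.
    """
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % doc.get("bomFormat"))
    return list(doc.get("components", []))


def purl_type(purl: str) -> str:
    """Package type of a purl: 'apk' for 'pkg:apk/alpine/musl@...'; 'unknown' if absent."""
    if not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def count_by_ecosystem(components: List[Dict]) -> Dict[str, int]:
    """How many components each ecosystem contributed (apk, pypi, npm, ...)."""
    counts: Dict[str, int] = {}
    for comp in components:
        kind = purl_type(comp.get("purl", ""))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def unidentified(components: List[Dict]) -> List[str]:
    """Names of components with no version or no purl.

    These are exactly the entries a scanner such as grype cannot match against
    vulnerability data, so they need manual review rather than silent trust.
    """
    return sorted(c["name"] for c in components if not c.get("version") or not c.get("purl"))


def sbom_drift(old_text: str, new_text: str) -> Dict[str, List[str]]:
    """Purls that appeared or disappeared between two SBOMs of the same image."""
    old = {c["purl"] for c in load_components(old_text) if c.get("purl")}
    new = {c["purl"] for c in load_components(new_text) if c.get("purl")}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def _rebuilt_sample() -> str:
    """Constructed follow-up SBOM: same image after an openssl upgrade plus one new package."""
    doc = json.loads(SAMPLE_CYCLONEDX)
    for comp in doc["components"]:
        if comp["name"] == "openssl":
            comp["version"] = "3.1.5-r0"
            comp["purl"] = "pkg:apk/alpine/openssl@3.1.5-r0?arch=x86_64&distro=alpine-3.19.1"
    doc["components"].append({"type": "library", "name": "curl", "version": "8.5.0-r0",
                              "purl": "pkg:apk/alpine/curl@8.5.0-r0?arch=x86_64&distro=alpine-3.19.1"})
    return json.dumps(doc)


REBUILT_CYCLONEDX = _rebuilt_sample()


if __name__ == "__main__":
    # Optional: pass a real `syft ... -o cyclonedx-json` file as argv[1].
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CYCLONEDX
    comps = load_components(text)
    print("components per ecosystem:", count_by_ecosystem(comps))
    print("needs manual review:", unidentified(comps))
    print("drift vs. constructed rebuild:", sbom_drift(SAMPLE_CYCLONEDX, REBUILT_CYCLONEDX))
```

Run it with no arguments to see the constructed samples, or `python3 sbom_check.py sbom.cdx.json` against a file written with `--file` or `-o cyclonedx-json=sbom.cdx.json`. The drift check is the piece worth wiring into CI: a package appearing in a rebuild that nobody added to the Dockerfile is the kind of change an SBOM exists to make visible.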

PARAMETERS

-o, --output format
Output format: syft-table, syft-json, cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, github-json.
-s, --scope scope
Layer selection: squashed (default), all-layers, deep-squashed.
--platform platform
Platform for container images (e.g., linux/arm64).
--source-name name
Set name of target being analyzed.
--source-version version
Set version of target being analyzed.
--file path
Write output to file instead of stdout.
--from source
Explicitly specify the source type (e.g., docker, registry, dir).
-t, --template file
Path to Go template file for custom output.
-q, --quiet
Suppress all logging output.
-v, --verbose
Increase verbosity (-v = info, -vv = debug).
--select-catalogers list
Add, remove, and filter catalogers.
--exclude glob
Exclude paths from scanning (can be repeated).
-c, --config file
Path to configuration file.
-h, --help
Display help information.
--version
Display version information.

SOURCE TYPES

docker:image - Use Docker daemon
podman:image - Use Podman daemon
registry:image - Pull from registry directly
docker-archive:file - Docker save tarball
oci-archive:file - OCI archive tarball
oci-dir:path - OCI layout directory
dir:path - Filesystem directory
file:path - Single file

CAVEATS

Accuracy depends on package metadata quality in images. Some dynamically linked or vendored dependencies may not be detected. Large images take significant time to scan. Registry authentication may be required for private images.

HISTORY

syft was created by Anchore as an open-source SBOM generation tool. It addresses growing supply chain security requirements and software transparency regulations. The tool supports multiple SBOM standards to meet compliance needs across different industries.

SEE ALSO

grype(1), docker(1), trivy(1), cosign(1)
