LinuxCommandLibrary

syft

TLDR

Generate SBOM for container image

$ syft [alpine:latest]

Generate SBOM in JSON format

$ syft [alpine:latest] -o json

Generate CycloneDX format SBOM

$ syft [alpine:latest] -o cyclonedx-json

Generate SPDX format SBOM

$ syft [alpine:latest] -o spdx-json

Scan a local directory

$ syft dir:[/path/to/project]

Scan a Docker archive

$ syft docker-archive:[image.tar]

Output multiple formats

$ syft [image] -o spdx-json=[sbom.spdx.json] -o cyclonedx-json=[sbom.cdx.json]

SYNOPSIS

syft [source] [options]
syft command [options]

DESCRIPTION

syft is a CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems. It identifies packages, libraries, and dependencies across multiple ecosystems.
Supported ecosystems include container images (Docker, OCI, Podman, Singularity), programming languages (Java, Python, JavaScript, Ruby, Go, Rust, .NET), and Linux distributions (Alpine, Debian, RHEL, and more).
Output formats include industry standards like CycloneDX and SPDX for compliance requirements, as well as native formats for integration with Anchore tools. Generated SBOMs can be used with vulnerability scanners like Grype.
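Added example, not from this page or from the syft project: a small Python script that consumes syft's native JSON (the -o syft-json output listed under TLDR and PARAMETERS) and diffs two SBOMs to surface dependency drift between a baseline and a rebuilt image before the SBOM is handed to a scanner such as Grype. It assumes syft-json lists packages under a top-level artifacts key with name, version and type fields, which is how syft's native schema is laid out; the two SBOM documents embedded below are constructed stand-ins, not real syft output; and run_syft assumes a syft binary on PATH and is only invoked when one is found.

```python
"""Diff two syft-json SBOMs to spot dependency drift before running a vulnerability scanner."""
import json
import shutil
import subprocess
from typing import Dict, List, Tuple

# Key: (package name, package type as reported by syft); value: version string.
Inventory = Dict[Tuple[str, str], str]

# Two constructed syft-json documents (not real syft output) standing in for a
# baseline SBOM and a rebuilt image's SBOM. Only the keys this script reads are
# included; real syft-json carries many more fields per artifact.
BASELINE_SBOM = {
    "artifacts": [
        {"name": "musl", "version": "1.2.4-r2", "type": "apk", "purl": "pkg:apk/alpine/musl@1.2.4-r2"},
        {"name": "busybox", "version": "1.36.1-r15", "type": "apk", "purl": "pkg:apk/alpine/busybox@1.36.1-r15"},
        {"name": "zlib", "version": "1.3-r2", "type": "apk", "purl": "pkg:apk/alpine/zlib@1.3-r2"},
    ]
}
CURRENT_SBOM = {
    "artifacts": [
        {"name": "musl", "version": "1.2.4-r2", "type": "apk", "purl": "pkg:apk/alpine/musl@1.2.4-r2"},
        {"name": "busybox", "version": "1.36.1-r16", "type": "apk", "purl": "pkg:apk/alpine/busybox@1.36.1-r16"},
        {"name": "libssl3", "version": "3.1.4-r5", "type": "apk", "purl": "pkg:apk/alpine/libssl3@3.1.4-r5"},
    ]
}


def run_syft(source: str) -> dict:
    """Run syft on a source such as 'dir:.' or 'alpine:latest' and parse its native JSON.

    Uses only flags documented on this page (-o syft-json, -q). Assumes the syft
    binary is on PATH; the offline demonstration below never calls this.
    """
    proc = subprocess.run(
        ["syft", source, "-o", "syft-json", "-q"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def inventory(sbom: dict) -> Inventory:
    """Reduce a syft-json document to {(name, type): version}.

    Assumption: packages sit under the top-level 'artifacts' list with 'name',
    'version' and 'type' fields. Missing fields default to empty strings so a
    sparse document still diffs cleanly instead of raising KeyError.
    """
    inv: Inventory = {}
    for art in sbom.get("artifacts", []):
        inv[(art.get("name", ""), art.get("type", ""))] = art.get("version", "")
    return inv


def diff_inventories(base: Inventory, new: Inventory) -> dict:
    """Classify every package as added, removed, or version-changed between two inventories."""
    added = sorted(k for k in new if k not in base)
    removed = sorted(k for k in base if k not in new)
    changed = sorted((k, base[k], new[k]) for k in base if k in new and base[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


def has_drift(base: Inventory, new: Inventory) -> bool:
    """True when the dependency set differs at all; usable as a CI gate before grype runs."""
    return any(diff_inventories(base, new).values())


def format_report(d: dict) -> str:
    """Render a diff as one line per change, in the +/-/~ style of a patch summary."""
    lines: List[str] = []
    for name, typ in d["added"]:
        lines.append(f"+ {name} ({typ})")
    for name, typ in d["removed"]:
        lines.append(f"- {name} ({typ})")
    for (name, typ), old, new in d["changed"]:
        lines.append(f"~ {name} ({typ}): {old} -> {new}")
    return "\n".join(lines) if lines else "no dependency drift"


if __name__ == "__main__":
    # Offline demonstration on the constructed documents.
    print(format_report(diff_inventories(inventory(BASELINE_SBOM), inventory(CURRENT_SBOM))))
    # With syft installed, compare the working directory against the baseline instead.
    if shutil.which("syft"):
        live = inventory(run_syft("dir:."))
        print(format_report(diff_inventories(inventory(BASELINE_SBOM), live)))
```

In a pipeline, generate the baseline once with syft [image] -o syft-json=[baseline.json] at release time, regenerate on every rebuild, and fail the job when has_drift returns True so that new or changed packages are reviewed (and scanned with grype) before the image ships.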

PARAMETERS

-o, --output format
Output format: syft-table, syft-json, cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, github-json.

-s, --scope scope
Layer selection: squashed (default), all-layers, deep-squashed.

--platform platform
Platform for container images (e.g., linux/arm64).

--source-name name
Set name of target being analyzed.

--source-version version
Set version of target being analyzed.

-t, --template file
Path to Go template file for custom output.

-q, --quiet
Suppress all logging output.

-v, --verbose
Increase verbosity (-v = info, -vv = debug).

--select-catalogers list
Add, remove, and filter catalogers.

-c, --config file
Path to configuration file.

-h, --help
Display help information.

--version
Display version information.

SOURCE TYPES

docker:image - Use Docker daemon
podman:image - Use Podman daemon
registry:image - Pull from registry directly
docker-archive:file - Docker save tarball
oci-archive:file - OCI archive tarball
oci-dir:path - OCI layout directory
dir:path - Filesystem directory
file:path - Single file

CAVEATS

Accuracy depends on package metadata quality in images. Some dynamically linked or vendored dependencies may not be detected. Large images take significant time to scan. Registry authentication may be required for private images.

HISTORY

syft was created by Anchore as an open-source SBOM generation tool. It addresses growing supply chain security requirements and software transparency regulations. The tool supports multiple SBOM standards to meet compliance needs across different industries.

SEE ALSO

grype(1), docker(1), trivy(1), cosign(1)