Syft
- Generates SBOMs for container images, filesystems, archives (see the docs for a full list of supported scan targets)
- Supports dozens of packaging ecosystems (e.g. Alpine (apk), Debian (dpkg), RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, .NET, and many more)
- Supports OCI, Docker, Singularity, and more image formats
- Works seamlessly with Grype for vulnerability scanning
- Multiple output formats (CycloneDX, SPDX, Syft JSON, and more) including the ability to convert between SBOM formats
- Create signed SBOM attestations using the in-toto specification
Installation Instructions
Linux
Download Syft
{
  "url": "{{ .SVar `.tool.syft.download.url` }}",
  "destination_folder": "{{ .PDownloads }}",
  "output_filename": "{{ .SVar `.tool.syft.download.filename` }}",
  "overwrite": false
}
Extract Syft Release
{
  "destination": "{{ .PTools }}/syft/{{ .SVar `.tool.syft.download.version` }}",
  "max_file_size": 0,
  "skip_symlinks": false,
  "preserve_permissions": true,
  "remove_existing": true,
  "source": "{{ .PDownloads }}/{{ .SVar `.tool.syft.download.filename` }}"
}
MacOS
Download Syft
{
  "url": "{{ .SVar `.tool.syft.download.url` }}",
  "destination_folder": "{{ .PDownloads }}",
  "output_filename": "{{ .SVar `.tool.syft.download.filename` }}",
  "overwrite": false
}
Extract Syft Release
{
  "destination": "{{ .PTools }}/syft/{{ .SVar `.tool.syft.download.version` }}",
  "max_file_size": 0,
  "skip_symlinks": false,
  "preserve_permissions": true,
  "remove_existing": true,
  "source": "{{ .PDownloads }}/{{ .SVar `.tool.syft.download.filename` }}"
}
Binaries
- syft