github.com/anchore/syft@v1.38.2/README.md (about) 1 <p align="center"> 2 <img src="https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png" width="271" alt="Cute pink owl syft logo"> 3 </p> 4 5 # Syft 6 7 **A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like [Grype](https://github.com/anchore/grype).** 8 9 <p align="center"> 10 <a href="https://github.com/anchore/syft/actions/workflows/validations.yaml" target="_blank"><img alt="Validations" src="https://github.com/anchore/syft/actions/workflows/validations.yaml/badge.svg"></a> 11 <a href="https://goreportcard.com/report/github.com/anchore/syft" target="_blank"><img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/anchore/syft"></a> 12 <a href="https://github.com/anchore/syft/releases/latest" target="_blank"><img alt="GitHub release" src="https://img.shields.io/github/release/anchore/syft.svg"></a> 13 <a href="https://github.com/anchore/syft" target="_blank"><img alt="GitHub go.mod Go version" src="https://img.shields.io/github/go-mod/go-version/anchore/syft.svg"></a> 14 <a href="" target="_blank"><img alt="License: Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"></a> 15 <a href="https://anchore.com/discourse" target="_blank"><img alt="Join our Discourse" src="https://img.shields.io/badge/Discourse-Join-blue?logo=discourse"/></a> 16 <a rel="me" href="https://fosstodon.org/@syft"><img alt="Follow on Mastodon" src="https://img.shields.io/badge/Mastodon-Follow-blue?logoColor=white&logo=mastodon"/></a> 17 </p> 18 19  20 21 ## Introduction 22 23 Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security. 24 25 Syft development is sponsored by [Anchore](https://anchore.com/), and is released under the [Apache-2.0 License](https://github.com/anchore/syft?tab=Apache-2.0-1-ov-file). For commercial support options with Syft or Grype, please [contact Anchore](https://get.anchore.com/contact/). 26 27 ## Features 28 - Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries 29 - Supports OCI, Docker and [Singularity](https://github.com/sylabs/singularity) image formats 30 - Linux distribution identification 31 - Works seamlessly with [Grype](https://github.com/anchore/grype) (a fast, modern vulnerability scanner) 32 - Able to create signed SBOM attestations using the [in-toto specification](https://github.com/in-toto/attestation/blob/main/spec/README.md) 33 - Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format. 34 35 ## Installation 36 37 Syft binaries are provided for Linux, macOS and Windows. 38 39 ### Recommended 40 > ```bash 41 > curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin 42 > ``` 43 44 Install script options: 45 - `-b`: Specify a custom installation directory (defaults to `./bin`) 46 - `-d`: More verbose logging levels (`-d` for debug, `-dd` for trace) 47 - `-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed) 48 49 ### Homebrew 50 ```bash 51 brew install syft 52 ``` 53 54 ### Scoop 55 56 ```powershell 57 scoop install syft 58 ``` 59 60 ### Chocolatey 61 62 The chocolatey distribution of Syft is community-maintained and not distributed by the Anchore team 63 64 ```powershell 65 choco install syft -y 66 ``` 67 68 ### Nix 69 70 **Note**: Nix packaging of Syft is [community maintained](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/sy/syft/package.nix). Syft is available in the [stable channel](https://wiki.nixos.org/wiki/Nix_channels#The_official_channels) since NixOS `22.05`. 71 72 ```bash 73 nix-env -i syft 74 ``` 75 76 ... or, just try it out in an ephemeral nix shell: 77 78 ```bash 79 nix-shell -p syft 80 ``` 81 82 ## Getting started 83 84 ### SBOM 85 86 To generate an SBOM for a container image: 87 88 ```bash 89 syft <image> 90 ``` 91 92 The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide `--scope all-layers`: 93 94 ```bash 95 syft <image> --scope all-layers 96 ``` 97 98 ### Output formats 99 100 The output format for Syft is configurable as well using the `-o` (or `--output`) option: 101 102 ``` 103 syft <image> -o <format> 104 ``` 105 106 Where the `formats` available are: 107 - `syft-json`: Use this to get as much information out of Syft as possible! 108 - `syft-text`: A row-oriented, human-and-machine-friendly output. 109 - `cyclonedx-xml`: An XML report conforming to the [CycloneDX 1.6 specification](https://cyclonedx.org/specification/overview/). 110 - `cyclonedx-xml@1.5`: An XML report conforming to the [CycloneDX 1.5 specification](https://cyclonedx.org/specification/overview/). 111 - `cyclonedx-json`: A JSON report conforming to the [CycloneDX 1.6 specification](https://cyclonedx.org/specification/overview/). 112 - `cyclonedx-json@1.5`: A JSON report conforming to the [CycloneDX 1.5 specification](https://cyclonedx.org/specification/overview/). 113 - `spdx-tag-value`: A tag-value formatted report conforming to the [SPDX 2.3 specification](https://spdx.github.io/spdx-spec/v2.3/). 114 - `spdx-tag-value@2.2`: A tag-value formatted report conforming to the [SPDX 2.2 specification](https://spdx.github.io/spdx-spec/v2.2.2/). 115 - `spdx-json`: A JSON report conforming to the [SPDX 2.3 JSON Schema](https://github.com/spdx/spdx-spec/blob/v2.3/schemas/spdx-schema.json). 116 - `spdx-json@2.2`: A JSON report conforming to the [SPDX 2.2 JSON Schema](https://github.com/spdx/spdx-spec/blob/v2.2/schemas/spdx-schema.json). 117 - `github-json`: A JSON report conforming to GitHub's dependency snapshot format. 118 - `syft-table`: A columnar summary (default). 119 - `template`: Lets the user specify the output format. See ["Using templates"](https://github.com/anchore/syft/wiki/using-templates) below. 120 121 Note that flags using the @<version> can be used for earlier versions of each specification as well. 122 123 ### Supported Ecosystems 124 125 - Alpine (apk) 126 - Bitnami packages 127 - C (conan) 128 - C++ (conan) 129 - Dart (pubs) 130 - Debian (dpkg) 131 - Dotnet (deps.json) 132 - Objective-C (cocoapods) 133 - Elixir (mix) 134 - Erlang (rebar3) 135 - Go (go.mod, Go binaries) 136 - GitHub (workflows, actions) 137 - Haskell (cabal, stack) 138 - Java (jar, ear, war, par, sar, nar, rar, native-image) 139 - JavaScript (npm, yarn) 140 - Jenkins Plugins (jpi, hpi) 141 - Linux kernel archives (vmlinz) 142 - Linux kernel modules (ko) 143 - Nix (outputs in /nix/store) 144 - PHP (composer, PECL, Pear) 145 - Python (wheel, egg, poetry, requirements.txt, uv) 146 - Red Hat (rpm) 147 - Ruby (gem) 148 - Rust (cargo.lock, auditable binary) 149 - Swift (cocoapods, swift-package-manager) 150 - Wordpress plugins 151 - Terraform providers (.terraform.lock.hcl) 152 153 ## Documentation 154 155 Our [wiki](https://github.com/anchore/syft/wiki) contains further details on the following topics: 156 157 * [Supported Sources](https://github.com/anchore/syft/wiki/supported-sources) 158 * [File Selection](https://github.com/anchore/syft/wiki/file-selection) 159 * [Excluding file paths](https://github.com/anchore/syft/wiki/excluding-file-paths) 160 * [Output formats](https://github.com/anchore/syft/wiki/output-formats) 161 * [Package Cataloger Selection](https://github.com/anchore/syft/wiki/package-cataloger-selection) 162 * [Concepts](https://github.com/anchore/syft/wiki/package-cataloger-selection#concepts) 163 * [Examples](https://github.com/anchore/syft/wiki/package-cataloger-selection#examples) 164 * [Using templates](https://github.com/anchore/syft/wiki/using-templates) 165 * [Multiple outputs](https://github.com/anchore/syft/wiki/multiple-outputs) 166 * [Private Registry Authentication](https://github.com/anchore/syft/wiki/private-registry-authentication) 167 * [Local Docker Credentials](https://github.com/anchore/syft/wiki/private-registry-authentication#local-docker) 168 * [Docker Credentials in Kubernetes](https://github.com/anchore/syft/wiki/private-registry-authentication#docker-credentials-in-kubernetes) 169 * [Attestation (experimental)](https://github.com/anchore/syft/wiki/attestation) 170 * [Keyless Support](https://github.com/anchore/syft/wiki/attestation#keyless-support) 171 * [Local private key support](https://github.com/anchore/syft/wiki/attestation#local-private-key-support) 172 * [Adding an SBOM to an image as an attestation using Syft](https://github.com/anchore/syft/wiki/attestation#adding-an-sbom-to-an-image-as-an-attestation-using-syft) 173 * [Configuration](https://github.com/anchore/syft/wiki/configuration) 174 175 ## Contributing 176 177 Check out our [contributing](/CONTRIBUTING.md) guide and [developer](/DEVELOPING.md) docs. 178 179 ## Syft Team Meetings 180 181 The Syft Team hold regular community meetings online. All are welcome to join to bring topics for discussion. 182 - Check the [calendar](https://calendar.google.com/calendar/u/0/r?cid=Y182OTM4dGt0MjRtajI0NnNzOThiaGtnM29qNEBncm91cC5jYWxlbmRhci5nb29nbGUuY29t) for the next meeting date. 183 - Add items to the [agenda](https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit?usp=sharing) (join [this group](https://groups.google.com/g/anchore-oss-community) for write access to the [agenda](https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit?usp=sharing)) 184 - See you there! 185 186 ## Syft Logo 187 188 <p xmlns:cc="http://creativecommons.org/ns#" xmlns:dct="http://purl.org/dc/terms/"><a property="dct:title" rel="cc:attributionURL" href="https://anchore.com/wp-content/uploads/2024/11/syft-logo.svg">Syft Logo</a> by <a rel="cc:attributionURL dct:creator" property="cc:attributionName" href="https://anchore.com/">Anchore</a> is licensed under <a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="license noopener noreferrer" style="display:inline-block;">CC BY 4.0<img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/cc.svg" alt=""><img style="height:22px!important;margin-left:3px;vertical-align:text-bottom;" src="https://mirrors.creativecommons.org/presskit/icons/by.svg" alt=""></a></p>