Vulnerability Analysis

Tags: sbom, container, vulnerability, scanning, packages, oci, docker

Syft

CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft itself reports no vulnerabilities; its SBOM is the package inventory that a scanner such as Grype matches against vulnerability data.

Description

Syft is a CLI tool and Go library that generates SBOMs from container images, filesystems, archives, and other sources, cataloging the packages and libraries they contain. It supports OCI, Docker, and Singularity image formats, identifies the Linux distribution inside an image, and produces output that Grype, a fast vulnerability scanner, consumes directly. It can also create signed SBOM attestations following the in-toto specification and convert between SBOM formats such as CycloneDX, SPDX, and its own syft-json format.

Use cases include scanning container images for a package inventory that a scanner can check for vulnerabilities, analyzing filesystems for software composition, and generating SBOMs in standard formats for compliance or security auditing. With the registry: scheme it pulls images straight from a registry, and with archive sources it reads local tarballs, so neither path needs a container runtime on the scanning host.

Because the SBOM is a static artifact, it can be generated once at build time and rescanned with Grype whenever the vulnerability database is refreshed, without rebuilding or re-pulling the image. That separation of inventory from matching is what makes the Syft and Grype pairing useful in DevSecOps pipelines and container security programs.

How It Works

Syft scans a specified source, such as a container image (OCI, Docker, Singularity), filesystem, archive, or directory, catalogs the packages and libraries it finds, and emits a package-based SBOM. The source is selected with a scheme prefix such as docker:, podman:, registry:, docker-archive:, oci-archive:, oci-dir:, or singularity:. Output is written in formats including cyclonedx-json, spdx-json, syft-json, and others, optionally to a file with --output FORMAT=PATH. Package data enrichment (--enrich) is opt-in because it may query online package indexes, and --exclude drops paths from the scan by glob. Syft also identifies the Linux distribution of the image and can produce in-toto attestations of the SBOM.

Installation

```bash
sudo apt install syft
```

Flags

```text
      --base-path string        base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
  -c, --config stringArray      syft configuration file(s) to use
      --enrich stringArray      enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
      --exclude stringArray     exclude paths from being scanned using a glob expression
      --file string             file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
      --from stringArray        specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
  -h, --help                    help for syft
  -o, --output stringArray      report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
```

Examples

```bash
# a summary of discovered packages
syft scan alpine:latest

# show all possible cataloging details
syft scan alpine:latest -o json

# show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx

# show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o cyclonedx-json

# show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx

# show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json

# explicitly use the Docker daemon
syft scan docker:yourrepo/yourimage:tag

# pull image directly from a registry (no container runtime required)
syft scan registry:yourrepo/yourimage:tag
```
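Once an image has been scanned with `-o cyclonedx-json=sbom.cdx.json`, a pipeline usually does more with the file than hand it to Grype: it inventories which ecosystems are present and diffs the SBOM against the previous build to catch package drift. The following Python is an added example written for this page, not code from the Syft project. The two SBOM documents are constructed inline to mirror the shape of CycloneDX JSON (bomFormat, metadata.component, components with name, version and purl) and contain only the fields used here; the package names and versions are invented sample data, not output of a real scan.

```python
"""Post-process CycloneDX JSON SBOMs: parse purls, inventory ecosystems, diff two scans."""
import json
from collections import Counter
from urllib.parse import unquote

# Constructed sample documents in the shape `syft scan <image> -o cyclonedx-json`
# emits. Only the fields used below are present; versions are illustrative.
SBOM_BASE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "example/app:1"}},
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r1",
         "purl": "pkg:apk/alpine/musl@1.2.4-r1?arch=x86_64&distro=alpine-3.18.4"},
        {"type": "library", "name": "busybox", "version": "1.36.1-r2",
         "purl": "pkg:apk/alpine/busybox@1.36.1-r2?arch=x86_64"},
        {"type": "library", "name": "openssl", "version": "3.1.2-r0",
         "purl": "pkg:apk/alpine/openssl@3.1.2-r0?arch=x86_64"},
    ]})
SBOM_NEW = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "example/app:2"}},
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r1",
         "purl": "pkg:apk/alpine/musl@1.2.4-r1?arch=x86_64&distro=alpine-3.18.4"},
        {"type": "library", "name": "busybox", "version": "1.36.1-r2",
         "purl": "pkg:apk/alpine/busybox@1.36.1-r2?arch=x86_64"},
        {"type": "library", "name": "openssl", "version": "3.1.4-r0",
         "purl": "pkg:apk/alpine/openssl@3.1.4-r0?arch=x86_64"},
        {"type": "library", "name": "curl", "version": "8.4.0-r0",
         "purl": "pkg:apk/alpine/curl@8.4.0-r0?arch=x86_64"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ]})


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.
    Namespace, version, qualifiers and subpath are optional; qualifier keys
    are case-insensitive per the purl spec, so they are lower-cased."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    path, _, version = rest.partition("@")
    ptype, _, path = path.partition("/")
    namespace, _, name = path.rpartition("/")   # no "/" -> namespace is ""
    quals = {}
    for kv in filter(None, qualifiers.split("&")):
        key, _, value = kv.partition("=")
        quals[key.lower()] = unquote(value)
    return {"type": ptype.lower(), "namespace": unquote(namespace) or None,
            "name": unquote(name), "version": unquote(version) or None,
            "qualifiers": quals, "subpath": subpath or None}


def package_key(component: dict) -> str:
    """Version-independent identity (pkg:type/namespace/name) so that an
    upgrade shows as a changed version, not as one removal plus one addition."""
    purl = component.get("purl")
    if not purl:   # components without a purl fall back to CycloneDX type:name
        return f"{component.get('type', 'unknown')}:{component['name']}"
    p = parse_purl(purl)
    ns = f"{p['namespace']}/" if p["namespace"] else ""
    return f"pkg:{p['type']}/{ns}{p['name']}"


def load_versions(sbom_json: str) -> dict:
    """Map package key -> set of versions. A set, because one image can carry
    several copies of the same package (e.g. vendored jars) at different versions."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    versions = {}
    for comp in bom.get("components", []):
        versions.setdefault(package_key(comp), set()).add(comp.get("version") or "")
    return versions


def inventory_by_ecosystem(sbom_json: str) -> Counter:
    """Count components per purl type (apk, deb, pypi, ...); this is the split
    that decides which vulnerability feeds a scanner such as Grype consults."""
    bom = json.loads(sbom_json)
    return Counter(parse_purl(c["purl"])["type"]
                   for c in bom.get("components", []) if c.get("purl"))


def diff_sboms(old_json: str, new_json: str) -> dict:
    """Drift between two scans: packages added, removed, or with changed versions."""
    old, new = load_versions(old_json), load_versions(new_json)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted((k, sorted(old[k]), sorted(new[k]))
                     for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    print("ecosystems:", dict(inventory_by_ecosystem(SBOM_NEW)))
    for kind, items in diff_sboms(SBOM_BASE, SBOM_NEW).items():
        print(f"{kind}: {items}")
```

In a pipeline, replace the two inline documents with the files written by `syft scan <image> -o cyclonedx-json=<path>` for the previous and current build; a non-empty `added` list is the cue to re-run Grype on the new SBOM before promoting the image, and `changed` entries show which upgrades the rebuild actually picked up.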
Updated 2026-04-16 (source: kali.org)