{"id":13460004,"url":"https://github.com/anchore/syft","last_synced_at":"2025-05-12T22:26:46.606Z","repository":{"id":37078587,"uuid":"262126497","full_name":"anchore/syft","owner":"anchore","description":"CLI tool and library for generating a Software Bill of Materials from container images and filesystems","archived":false,"fork":false,"pushed_at":"2025-05-12T17:33:24.000Z","size":21293,"stargazers_count":6955,"open_issues_count":422,"forks_count":647,"subscribers_count":61,"default_branch":"main","last_synced_at":"2025-05-12T17:53:36.073Z","etag":null,"topics":["containers","cyclonedx","docker","go","golang","hacktoberfest","oci","sbom","spdx","static-analysis","tool"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anchore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-05-07T18:19:29.000Z","updated_at":"2025-05-12T17:33:29.000Z","dependencies_parsed_at":"2023-12-20T09:43:51.606Z","dependency_job_id":"3d1fd421-c43b-4d60-87a0-71ec0266d70f","html_url":"https://github.com/anchore/syft","commit_stats":{"total_commits":2000,"total_committers":156,"mean_commits":"12.820512820512821","dds":0.8125,"last_synced_commit":"fe0b78b7fe73b92ad76deed288d3b9b091a14d27"},"previous_names":["anchore/imgbom"],"tags_count":223,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fsyft","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fsyft/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fsyft/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fsyft/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anchore","download_url":"https://codeload.github.com/anchore/syft/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253832324,"owners_count":21971243,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","cyclonedx","docker","go","golang","hacktoberfest","oci","sbom","spdx","static-analysis","tool"],"created_at":"2024-07-31T10:00:33.766Z","updated_at":"2025-05-12T22:26:46.564Z","avatar_url":"https://github.com/anchore.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png\" width=\"271\" alt=\"Cute pink owl syft logo\"\u003e\n\u003c/p\u003e\n\n# Syft\n\n**A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like [Grype](https://github.com/anchore/grype).**\n\n\u003cp align=\"center\"\u003e\n \u0026nbsp;\u003ca href=\"https://github.com/anchore/syft/actions/workflows/validations.yaml\" target=\"_blank\"\u003e\u003cimg alt=\"Validations\" src=\"https://github.com/anchore/syft/actions/workflows/validations.yaml/badge.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://goreportcard.com/report/github.com/anchore/syft\" target=\"_blank\"\u003e\u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/anchore/syft\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://github.com/anchore/syft/releases/latest\" target=\"_blank\"\u003e\u003cimg alt=\"GitHub release\" src=\"https://img.shields.io/github/release/anchore/syft.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://github.com/anchore/syft\" target=\"_blank\"\u003e\u003cimg alt=\"GitHub go.mod Go version\" src=\"https://img.shields.io/github/go-mod/go-version/anchore/syft.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"\" target=\"_blank\"\u003e\u003cimg alt=\"License: Apache-2.0\" src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://anchore.com/discourse\" target=\"_blank\"\u003e\u003cimg alt=\"Join our Discourse\" src=\"https://img.shields.io/badge/Discourse-Join-blue?logo=discourse\"/\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca rel=\"me\" href=\"https://fosstodon.org/@syft\"\u003e\u003cimg alt=\"Follow on Mastodon\" src=\"https://img.shields.io/badge/Mastodon-Follow-blue?logoColor=white\u0026logo=mastodon\"/\u003e\u003c/a\u003e\u0026nbsp;\n\u003c/p\u003e\n\n![syft-demo](https://user-images.githubusercontent.com/590471/90277200-2a253000-de33-11ea-893f-32c219eea11a.gif)\n\n## Introduction\n\nSyft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.\n\nSyft development is sponsored by [Anchore](https://anchore.com/), and is released under the [Apache-2.0 License](https://github.com/anchore/syft?tab=Apache-2.0-1-ov-file). For commercial support options with Syft or Grype, please [contact Anchore](https://get.anchore.com/contact/).\n\n## Features\n- Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries\n- Supports OCI, Docker and [Singularity](https://github.com/sylabs/singularity) image formats\n- Linux distribution identification\n- Works seamlessly with [Grype](https://github.com/anchore/grype) (a fast, modern vulnerability scanner)\n- Able to create signed SBOM attestations using the [in-toto specification](https://github.com/in-toto/attestation/blob/main/spec/README.md)\n- Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format.\n\n## Installation\n\nSyft binaries are provided for Linux, macOS and Windows.\n\n### Recommended\n\u003e ```bash \n\u003e curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin\n\u003e ```\n\nInstall script options:\n-\t`-b`: Specify a custom installation directory (defaults to `./bin`)\n-\t`-d`: More verbose logging levels (`-d` for debug, `-dd` for trace)\n-\t`-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed)\n\n### Homebrew\n```bash\nbrew install syft\n```\n\n### Scoop\n\n```powershell\nscoop install syft\n```\n\n### Chocolatey\n\nThe chocolatey distribution of Syft is community-maintained and not distributed by the Anchore team\n\n```powershell\nchoco install syft -y\n```\n\n### Nix\n\n**Note**: Nix packaging of Syft is [community maintained](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/sy/syft/package.nix). Syft is available in the [stable channel](https://wiki.nixos.org/wiki/Nix_channels#The_official_channels) since NixOS `22.05`.\n\n```bash\nnix-env -i syft\n```\n\n... or, just try it out in an ephemeral nix shell:\n\n```bash\nnix-shell -p syft\n```\n\n## Getting started\n\n### SBOM\n\nTo generate an SBOM for a container image:\n\n```bash\nsyft \u003cimage\u003e\n```\n\nThe above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide `--scope all-layers`:\n\n```bash\nsyft \u003cimage\u003e --scope all-layers\n```\n\n### Output formats\n\nThe output format for Syft is configurable as well using the `-o` (or `--output`) option:\n\n```\nsyft \u003cimage\u003e -o \u003cformat\u003e\n```\n\nWhere the `formats` available are:\n- `syft-json`: Use this to get as much information out of Syft as possible!\n- `syft-text`: A row-oriented, human-and-machine-friendly output.\n- `cyclonedx-xml`: A XML report conforming to the [CycloneDX 1.6 specification](https://cyclonedx.org/specification/overview/).\n- `cyclonedx-xml@1.5`: A XML report conforming to the [CycloneDX 1.5 specification](https://cyclonedx.org/specification/overview/).\n- `cyclonedx-json`: A JSON report conforming to the [CycloneDX 1.6 specification](https://cyclonedx.org/specification/overview/).\n- `cyclonedx-json@1.5`: A JSON report conforming to the [CycloneDX 1.5 specification](https://cyclonedx.org/specification/overview/).\n- `spdx-tag-value`: A tag-value formatted report conforming to the [SPDX 2.3 specification](https://spdx.github.io/spdx-spec/v2.3/).\n- `spdx-tag-value@2.2`: A tag-value formatted report conforming to the [SPDX 2.2 specification](https://spdx.github.io/spdx-spec/v2.2.2/).\n- `spdx-json`: A JSON report conforming to the [SPDX 2.3 JSON Schema](https://github.com/spdx/spdx-spec/blob/v2.3/schemas/spdx-schema.json).\n- `spdx-json@2.2`: A JSON report conforming to the [SPDX 2.2 JSON Schema](https://github.com/spdx/spdx-spec/blob/v2.2/schemas/spdx-schema.json).\n- `github-json`: A JSON report conforming to GitHub's dependency snapshot format.\n- `syft-table`: A columnar summary (default).\n- `template`: Lets the user specify the output format. See [\"Using templates\"](#using-templates) below.\n\nNote that flags using the @\u003cversion\u003e can be used for earlier versions of each specification as well.\n\n### Supported Ecosystems\n\n- Alpine (apk)\n- Bitnami packages\n- C (conan)\n- C++ (conan)\n- Dart (pubs)\n- Debian (dpkg)\n- Dotnet (deps.json)\n- Objective-C (cocoapods)\n- Elixir (mix)\n- Erlang (rebar3)\n- Go (go.mod, Go binaries)\n- Haskell (cabal, stack)\n- Java (jar, ear, war, par, sar, nar, native-image)\n- JavaScript (npm, yarn)\n- Jenkins Plugins (jpi, hpi)\n- Linux kernel archives (vmlinz)\n- Linux kernel modules (ko)\n- Nix (outputs in /nix/store)\n- PHP (composer, PECL, Pear)\n- Python (wheel, egg, poetry, requirements.txt)\n- Red Hat (rpm)\n- Ruby (gem)\n- Rust (cargo.lock, auditable binary)\n- Swift (cocoapods, swift-package-manager)\n- Wordpress plugins\n- Terraform providers (.terraform.lock.hcl)\n\n## Documentation\n\nOur [wiki](https://github.com/anchore/syft/wiki) contains further details on the following topics:\n\n* [Supported Sources](https://github.com/anchore/syft/wiki/supported-sources)\n* [File Selection](https://github.com/anchore/syft/wiki/file-selection)\n* [Excluding file paths](https://github.com/anchore/syft/wiki/excluding-file-paths)\n* [Output formats](https://github.com/anchore/syft/wiki/output-formats)\n* [Package Cataloger Selection](https://github.com/anchore/syft/wiki/package-cataloger-selection) \n  * [Concepts](https://github.com/anchore/syft/wiki/package-cataloger-selection#concepts)\n  * [Examples](https://github.com/anchore/syft/wiki/package-cataloger-selection#examples)\n* [Using templates](https://github.com/anchore/syft/wiki/using-templates)\n* [Multiple outputs](https://github.com/anchore/syft/wiki/multiple-outputs)\n* [Private Registry Authentication](https://github.com/anchore/syft/wiki/private-registry-authentication)\n  * [Local Docker Credentials](https://github.com/anchore/syft/wiki/private-registry-authentication#local-docker)\n  * [Docker Credentials in Kubernetes](https://github.com/anchore/syft/wiki/private-registry-authentication#docker-credentials-in-kubernetes)\n* [Attestation (experimental)](https://github.com/anchore/syft/wiki/attestation)\n  * [Keyless Support](https://github.com/anchore/syft/wiki/attestation#keyless-support)\n  * [Local private key support](https://github.com/anchore/syft/wiki/attestation#local-private-key-support)\n  * [Adding an SBOM to an image as an attestation using Syft](https://github.com/anchore/syft/wiki/attestation#adding-an-sbom-to-an-image-as-an-attestation-using-syft)\n* [Configuration](https://github.com/anchore/syft/wiki/configuration)\n\n## Contributing\n\nCheck out our [contributing](/CONTRIBUTING.md) guide and [developer](/DEVELOPING.md) docs.\n\n## Syft Team Meetings\n\nThe Syft Team hold regular community meetings online. All are welcome to join to bring topics for discussion. \n- Check the [calendar](https://calendar.google.com/calendar/u/0/r?cid=Y182OTM4dGt0MjRtajI0NnNzOThiaGtnM29qNEBncm91cC5jYWxlbmRhci5nb29nbGUuY29t) for the next meeting date. \n- Add items to the [agenda](https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit?usp=sharing) (join [this group](https://groups.google.com/g/anchore-oss-community) for write access to the [agenda](https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit?usp=sharing))\n- See you there!\n\n## Syft Logo\n\n\u003cp xmlns:cc=\"http://creativecommons.org/ns#\" xmlns:dct=\"http://purl.org/dc/terms/\"\u003e\u003ca property=\"dct:title\" rel=\"cc:attributionURL\" href=\"https://anchore.com/wp-content/uploads/2024/11/syft-logo.svg\"\u003eSyft Logo\u003c/a\u003e by \u003ca rel=\"cc:attributionURL dct:creator\" property=\"cc:attributionName\" href=\"https://anchore.com/\"\u003eAnchore\u003c/a\u003e is licensed under \u003ca href=\"https://creativecommons.org/licenses/by/4.0/\" target=\"_blank\" rel=\"license noopener noreferrer\" style=\"display:inline-block;\"\u003eCC BY 4.0\u003cimg style=\"height:22px!important;margin-left:3px;vertical-align:text-bottom;\" src=\"https://mirrors.creativecommons.org/presskit/icons/cc.svg\" alt=\"\"\u003e\u003cimg style=\"height:22px!important;margin-left:3px;vertical-align:text-bottom;\" src=\"https://mirrors.creativecommons.org/presskit/icons/by.svg\" alt=\"\"\u003e\u003c/a\u003e\u003c/p\u003e\n","funding_links":[],"categories":["Go","Evidence Automation","Package Management","Security \u0026 Compliance","OSS and Dependency management","Container Tools","Dependency intelligence","Software Tools","Software Bill of Materials","语言资源库","蓝队工具","OSS CLIs","Security","static-analysis","hacktoberfest","Инструменты","Container Operations","Official projects","Golden Path","Repositories","📦 Containers","工具：覆盖攻防全流程的实用利器","Tools","容器管理与运维 (Container Operations)","SBOM Generation","包管理"],"sub_categories":["Syft","HTTP Clients","MultiCloud Governance","SCA and SBOM","Firmware Supply Chain and SBOM","go","IAC(Infrastructure-as-Code)扫描","Software Supply Chain Security","Сканеры Docker образов","Security","Repositories","2. 容器扫描（检测镜像/容器中的风险）","SCM Security \u0026 Software Supply Chain Tools","安全 (Security)","HTTP客户端"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fsyft","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanchore%2Fsyft","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fsyft/lists"}