Want to Practice These Techniques?

Try Hackviser's interactive cyber security upskilling platform - Learn by doing!

Syft

What is the purpose of Syft?

Syft is an open-source command-line tool from Anchore used to generate Software Bill of Materials (SBOM) documents from container images, filesystems, archives, directories, and individual files. It identifies packages, package metadata, dependency manifests, operating system packages, language ecosystems, and other software inventory details.

Syft is useful because it gives teams a repeatable way to create SBOMs in standard formats such as CycloneDX and SPDX, as well as Syft's native JSON format. It is commonly used in CI/CD pipelines, container build workflows, vulnerability management programs, software supply-chain reviews, and artifact inventory processes.

Note: Syft generates SBOMs; it does not primarily act as a vulnerability scanner. Use Syft to produce the inventory, then use tools such as Grype, Trivy, Dependency-Track, or enterprise platforms to analyze that inventory for vulnerabilities, policy violations, and risk.

Here are the primary uses of Syft:

Container Image SBOM Generation: Syft can catalog packages inside container images from Docker, Podman, registries, Docker archives, OCI archives, OCI directories, and Singularity images.
Filesystem and Source Directory Inventory: The tool can scan local application directories, build outputs, dependency manifests, and single files to create a software inventory before or after packaging.
Standard SBOM Export: Syft can generate CycloneDX JSON/XML, SPDX JSON/tag-value, GitHub dependency snapshot JSON, Syft JSON, Syft table, Syft text, PURL lists, and template output.
SBOM Conversion: The tool can convert between supported SBOM formats, which helps teams adapt one inventory source to multiple downstream systems.
Supply-Chain Attestation: Syft can generate an SBOM as an in-toto attestation for container image workflows when signing and registry workflows are in scope.
Cataloger Control: The tool can list catalogers and select, exclude, or override catalogers to tune how package discovery runs for different targets.
CI/CD Artifact Documentation: Syft can write multiple SBOM formats in one command, set source metadata, run quietly, and produce machine-readable output for automation.

Core Features

SBOM Generation
Container Image Cataloging
Filesystem Cataloging
Directory Scanning
File Scanning
Docker Image Source Support
Podman Image Source Support
Registry Image Source Support
Docker Archive Support
OCI Archive Support
OCI Directory Support
Singularity Image Support
OCI Model Artifact Support
CycloneDX JSON Output
CycloneDX XML Output
SPDX JSON Output
SPDX Tag-Value Output
GitHub Dependency Snapshot Output
Syft JSON Output
Syft Table Output
Syft Text Output
PURL Output
Template Output
Multiple Output Files
SBOM Format Conversion
In-Toto Attestation Output
Registry Login
Cataloger Listing
Cataloger Selection
Cataloger Override
Layer Scope Selection
Platform Selection
Path Exclusion
Base Path Control
Source Metadata Control
Package Data Enrichment
Configuration File Support
Quiet and Verbose Modes

Data sources

Container Images
Docker Daemon Images
Podman Images
Registry Images
Docker Archive Tar Files
OCI Archive Tar Files
OCI Layout Directories
Singularity SIF Images
OCI Model Registry Artifacts
Local Directories
Local Files
Root Filesystems
Package Manifests
Lockfiles
OS Package Databases
Language Package Metadata
Binary Package Metadata
Java Archives
Node.js Package Files
Python Package Files
Go Module Files
Ruby Gem Files
Rust Cargo Files
PHP Composer Files
.NET Project Files
SPDX SBOM Files
CycloneDX SBOM Files
Syft JSON SBOM Files
Registry Credentials
Syft Configuration Files

Common Syft Commands

1. Install Syft with the Official Script

This command installs Syft as a single compiled executable.

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin

2. Install Syft with Homebrew

This command installs Syft on macOS or Linux using Homebrew.

brew install syft

3. Install Syft with Winget

This command installs Syft on Windows using Winget.

winget install Anchore.Syft

4. Check Syft Version

This command prints Syft version information.

syft version

5. Check Syft Version as JSON

This command prints version information in JSON format.

syft version -o json

6. Show Global Help

This command displays Syft commands and global options.

syft --help

7. Show Scan Help

This command displays options for SBOM generation.

syft scan --help

8. Generate a Basic Image SBOM

This command scans a container image and prints the default table output.

syft scan alpine:latest

9. Generate a Detailed Syft JSON SBOM

This command writes Syft's native JSON SBOM format to a file.

syft scan alpine:latest -o syft-json=alpine.syft.json

10. Generate a CycloneDX JSON SBOM

This command writes a CycloneDX JSON SBOM.

syft scan alpine:latest -o cyclonedx-json=alpine.cdx.json

11. Generate a CycloneDX XML SBOM

This command writes a CycloneDX XML SBOM.

syft scan alpine:latest -o cyclonedx-xml=alpine.cdx.xml

12. Generate an SPDX JSON SBOM

This command writes an SPDX JSON SBOM.

syft scan alpine:latest -o spdx-json=alpine.spdx.json

13. Generate an SPDX Tag-Value SBOM

This command writes an SPDX tag-value SBOM.

syft scan alpine:latest -o spdx-tag-value=alpine.spdx

14. Generate Multiple SBOM Formats

This command writes Syft JSON, CycloneDX JSON, and SPDX JSON in one scan.

syft scan alpine:latest -o syft-json=alpine.syft.json -o cyclonedx-json=alpine.cdx.json -o spdx-json=alpine.spdx.json

15. Generate a GitHub Dependency Snapshot

This command writes GitHub dependency snapshot JSON.

syft scan . -o github-json=github-dependency-snapshot.json

16. Generate a PURL List

This command prints package URLs for discovered packages.

syft scan alpine:latest -o purls

17. Generate Human-Readable Text Output

This command prints a row-oriented text report.

syft scan alpine:latest -o syft-text

18. Scan a Local Directory

This command scans the current working directory as a filesystem target.

syft scan dir:.

19. Scan a Local Directory Without an Explicit Scheme

This command scans a project path using Syft's automatic source detection.

syft scan ./app

20. Scan a Single File

This command scans one file as the source.

syft scan file:package-lock.json

21. Scan a Registry Image Directly

This command pulls metadata from a registry without requiring a local container runtime.

syft scan registry:nginx:1.25 -o cyclonedx-json=nginx.cdx.json

22. Scan a Docker Daemon Image

This command explicitly uses the Docker daemon as the source.

syft scan docker:nginx:1.25

23. Scan a Podman Image

This command explicitly uses Podman as the source.

syft scan podman:nginx:1.25

24. Scan a Docker Archive

This command scans an image tar file created with docker save.

syft scan docker-archive:image.tar -o syft-json=image.syft.json

25. Scan an OCI Archive

This command scans an OCI archive tar file.

syft scan oci-archive:image-oci.tar -o cyclonedx-json=image.cdx.json

26. Scan an OCI Directory

This command scans an OCI layout directory from disk.

syft scan oci-dir:path/to/oci-layout

27. Scan a Singularity Image

This command scans a Singularity Image Format file.

syft scan singularity:path/to/image.sif

28. Scan an OCI Model Artifact

This command scans an OCI model artifact from a registry.

syft scan oci-model-registry:ai/llama3.2

29. Select a Container Platform

This command scans the selected platform variant of a multi-architecture image.

syft scan registry:nginx:1.25 --platform linux/amd64

30. Scan All Image Layers

This command catalogs all image layers instead of only the squashed final filesystem.

syft scan nginx:1.25 --scope all-layers

31. Use Deep Squashed Scope

This command uses deep squashed layer selection for image cataloging.

syft scan nginx:1.25 --scope deep-squashed

32. Exclude Paths

This command excludes matching paths from the scan.

syft scan dir:. --exclude "**/node_modules/**" --exclude "**/.git/**"

33. Set a Base Path

This command reports paths relative to a selected base directory and prevents following links above it.

syft scan dir:/workspace/app --base-path /workspace/app

34. List Catalogers

This command lists available catalogers.

syft cataloger list

35. List Catalogers as JSON

This command prints cataloger metadata as JSON.

syft cataloger list -o json

36. Select Specific Catalogers

This command limits package discovery to selected catalogers.

syft scan dir:. --select-catalogers npm-package,python-package

37. Override Default Catalogers

This command replaces the default cataloger set for the scan.

syft scan dir:. --override-default-catalogers all

38. Enrich Package Metadata

This command enables package data enrichment from selected ecosystems.

syft scan dir:. --enrich java,javascript,python

39. Set Source Metadata

This command sets SBOM source name, version, and supplier metadata.

syft scan dir:. --source-name api-service --source-version 1.2.3 --source-supplier "Example Corp" -o cyclonedx-json=api-service.cdx.json

40. Use a Syft Configuration File

This command runs Syft with a selected configuration file.

syft scan dir:. --config syft.yaml

41. Show Syft Configuration

This command prints the effective Syft configuration.

syft config

42. Show Configuration File Locations

This command shows the locations Syft checks for configuration files.

syft config locations

43. Convert Syft JSON to CycloneDX JSON

This command converts a Syft SBOM into CycloneDX JSON.

syft convert alpine.syft.json -o cyclonedx-json=alpine.cdx.json

44. Convert an SBOM from Standard Input

This command reads an SBOM from standard input and converts it to SPDX JSON.

cat alpine.syft.json | syft convert - -o spdx-json=alpine.spdx.json

45. Use a Template Output

This command renders an SBOM with a custom Go template.

syft scan alpine:latest -o template -t sbom.tmpl

46. Log in to a Private Registry

This command stores credentials for pulling private images.

syft login registry.example.com -u scanner -p 'P@ssw0rd'

47. Log in with Password from Standard Input

This command avoids putting the registry password directly in the command line.

printf '%s' "$REGISTRY_PASSWORD" | syft login registry.example.com -u scanner --password-stdin

48. Generate an SBOM Attestation

This command generates an SBOM as an attestation for a container image.

syft attest --output cyclonedx-json registry:example.com/app/api:1.0.0

49. Generate an Attestation with a Key

This command signs or keys the attestation workflow with a selected key where configured.

syft attest --output syft-json --key cosign.key registry:example.com/app/api:1.0.0

50. Run Quietly in CI

This command suppresses logging and writes only the selected SBOM output file.

syft scan dir:. -q -o cyclonedx-json=sbom.cdx.json

51. Run with Debug Logging

This command increases verbosity for troubleshooting cataloging behavior.

syft scan alpine:latest -vv

52. Set Parallelism

This command controls the number of cataloger workers.

syft scan dir:. --parallelism 4

Output Examples

Command	Description	Example Output
`syft version`	Shows Syft version information.	`Application: syft` `Version: 1.42.3`
`syft scan alpine:latest`	Generates a default table SBOM.	`NAME VERSION TYPE` `alpine-baselayout 3.6.8 apk`
`syft scan alpine:latest -o syft-json=alpine.syft.json`	Writes native Syft JSON.	`alpine.syft.json written`
`syft scan alpine:latest -o cyclonedx-json=alpine.cdx.json`	Writes CycloneDX JSON.	`alpine.cdx.json written`
`syft scan alpine:latest -o spdx-json=alpine.spdx.json`	Writes SPDX JSON.	`alpine.spdx.json written`
`syft scan dir:.`	Scans a local directory.	`package.json npm` `requirements.txt python`
`syft cataloger list`	Lists available catalogers.	`apk-db-cataloger` `npm-package-cataloger`
`syft convert alpine.syft.json -o cyclonedx-json=alpine.cdx.json`	Converts SBOM formats.	`alpine.cdx.json written`
`syft login registry.example.com -u scanner -p 'P@ssw0rd'`	Authenticates to a registry.	`Login Succeeded`
`syft scan dir:. -o purls`	Prints package URLs.	`pkg:npm/express@4.18.2`

Want to Practice These Techniques?

Syft

What is the purpose of Syft?​

Core Features​

Data sources​

Common Syft Commands​

1. Install Syft with the Official Script​

2. Install Syft with Homebrew​

3. Install Syft with Winget​

4. Check Syft Version​

5. Check Syft Version as JSON​

6. Show Global Help​

7. Show Scan Help​

8. Generate a Basic Image SBOM​

9. Generate a Detailed Syft JSON SBOM​

10. Generate a CycloneDX JSON SBOM​

11. Generate a CycloneDX XML SBOM​

12. Generate an SPDX JSON SBOM​

13. Generate an SPDX Tag-Value SBOM​

14. Generate Multiple SBOM Formats​

15. Generate a GitHub Dependency Snapshot​

16. Generate a PURL List​

17. Generate Human-Readable Text Output​

18. Scan a Local Directory​

19. Scan a Local Directory Without an Explicit Scheme​

20. Scan a Single File​

21. Scan a Registry Image Directly​

22. Scan a Docker Daemon Image​

23. Scan a Podman Image​

24. Scan a Docker Archive​

25. Scan an OCI Archive​

26. Scan an OCI Directory​

27. Scan a Singularity Image​

28. Scan an OCI Model Artifact​

29. Select a Container Platform​

30. Scan All Image Layers​

31. Use Deep Squashed Scope​

32. Exclude Paths​

33. Set a Base Path​

34. List Catalogers​

35. List Catalogers as JSON​

36. Select Specific Catalogers​

37. Override Default Catalogers​

38. Enrich Package Metadata​

39. Set Source Metadata​

40. Use a Syft Configuration File​

41. Show Syft Configuration​

42. Show Configuration File Locations​

43. Convert Syft JSON to CycloneDX JSON​

44. Convert an SBOM from Standard Input​

45. Use a Template Output​

46. Log in to a Private Registry​

47. Log in with Password from Standard Input​

48. Generate an SBOM Attestation​

49. Generate an Attestation with a Key​

50. Run Quietly in CI​

51. Run with Debug Logging​

52. Set Parallelism​

Output Examples​