syft

module
v1.40.1
Published: Jan 15, 2026 License: Apache-2.0

README

Syft

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

Features

Tip: New to Syft? Check out the Getting Started guide for a walkthrough!

Installation

The quickest way to get up and going:

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin

Tip: See the Installation docs for more ways to get Syft, including Homebrew, Docker, Scoop, Chocolatey, Nix, and more!

The basics

See the packages within a container image or directory:

# container image
syft alpine:latest

# directory
syft ./my-project

To get an SBOM, specify one or more output formats:

# SBOM to stdout
syft <image> -o cyclonedx-json

# Multiple SBOMs to files
syft <image> -o spdx-json=./spdx.json -o cyclonedx-json=./cdx.json

Tip: Check out the Getting Started guide to explore all of the capabilities and features.

Want to know all of the ins and outs of Syft? Check out the CLI docs, configuration docs, and JSON schema.

Contributing

We encourage users to help make these tools better by submitting issues when you find a bug or want a new feature. Check out our contributing overview and developer-specific documentation if you are interested in providing code contributions.

Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. The Syft logo by Anchore is licensed under CC BY 4.0.

For commercial support options with Syft or Grype, please contact Anchore.

Come talk to us!

The Syft Team holds regular community meetings online. All are welcome to join to bring topics for discussion.

Directories

Path Synopsis
cmd
syft command
examples
decode_sbom command
Package internal contains miscellaneous functions and objects useful within syft but should not be used externally.
bus
Package bus provides access to a singleton instance of an event bus (provided by the calling application).
capabilities
Package capabilities provides discovery and tracking of cataloger capabilities.
capabilities/generate command
This file links catalogers to their configuration structs by analyzing constructor function signatures to determine which config struct each cataloger uses.
capabilities/internal
This file retrieves the canonical list of cataloger names and their selectors from syft's task factories.
jsonschema command
log
Package log contains the singleton object and helper functions for facilitating logging within the syft library.
os
spdxlicense
Code generated by go generate; DO NOT EDIT.
Package syft is a "one-stop-shop" for helper utilities for all major functionality provided by child packages of the syft library.
cpe
event
Package event provides event types for all events that the syft library publishes onto the event bus.
event/parsers
Package parsers provides parser helpers to extract payloads for each event type that the syft library publishes onto the event bus.
license
Package license provides common methods for working with SPDX license data.
pkg
Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.
pkg/cataloger/ai
Package ai provides concrete Cataloger implementations for AI artifacts and machine learning models, including support for GGUF (GPT-Generated Unified Format) model files.
pkg/cataloger/alpine
Package alpine provides concrete Cataloger implementations for packages relating to the Alpine Linux distribution.
pkg/cataloger/arch
Package arch provides concrete Cataloger implementations for packages relating to the Arch Linux distribution.
pkg/cataloger/binary
Package binary provides concrete Cataloger implementations for surfacing possible packages based on signatures found within binary files.
pkg/cataloger/bitnami
Package bitnami provides a concrete Cataloger implementation for capturing packages embedded within Bitnami SBOM files.
pkg/cataloger/conda
Package conda provides a concrete Cataloger implementation for packages within the Conda ecosystem.
pkg/cataloger/cpp
Package cpp provides concrete Cataloger implementations for the C/C++ language ecosystem.
pkg/cataloger/dart
Package dart provides concrete Cataloger implementations for the Dart language ecosystem.
pkg/cataloger/debian
Package debian provides a concrete Cataloger implementation relating to packages within the Debian Linux distribution.
pkg/cataloger/elixir
Package elixir provides a concrete Cataloger implementation relating to packages within the Elixir language ecosystem.
pkg/cataloger/erlang
Package erlang provides concrete Cataloger implementations relating to packages within the Erlang language ecosystem.
pkg/cataloger/gentoo
Package gentoo provides a concrete Cataloger implementation related to packages within the Gentoo Linux ecosystem.
pkg/cataloger/githubactions
Package githubactions provides a concrete Cataloger implementation for GitHub Actions packages (both actions and workflows).
pkg/cataloger/golang
Package golang provides a concrete Cataloger implementation relating to packages within the Go language ecosystem.
pkg/cataloger/haskell
Package haskell provides a concrete Cataloger implementation relating to packages within the Haskell language ecosystem.
pkg/cataloger/internal/cpegenerate/dictionary/index-generator command
This program fetches CPE data from the NVD Products API and processes it into a JSON file that can be embedded into Syft for more accurate CPE results.
pkg/cataloger/internal/pkgtest
Package pkgtest provides test helpers for cataloger and parser testing, including automatic observation tracking for capability documentation.
pkg/cataloger/java
Package java provides a concrete Cataloger implementation for packages relating to the Java language ecosystem.
pkg/cataloger/javascript
Package javascript provides a concrete Cataloger implementation for packages relating to the JavaScript language ecosystem.
pkg/cataloger/kernel
Package kernel provides a concrete Cataloger implementation for Linux kernel and module files.
pkg/cataloger/lua
Package lua provides a concrete Cataloger implementation for packages relating to the Lua language ecosystem.
pkg/cataloger/nix
Package nix provides a concrete Cataloger implementation for packages within the Nix packaging ecosystem.
pkg/cataloger/ocaml
Package ocaml provides a concrete Cataloger implementation for packages relating to the OCaml language ecosystem.
pkg/cataloger/php
Package php provides a concrete Cataloger implementation relating to packages within the PHP language ecosystem.
pkg/cataloger/python
Package python provides a concrete Cataloger implementation relating to packages within the Python language ecosystem.
pkg/cataloger/r
Package r provides a concrete Cataloger implementation relating to packages within the R language ecosystem.
pkg/cataloger/redhat
Package redhat provides a concrete DBCataloger implementation relating to packages within the RedHat Linux distribution.
pkg/cataloger/ruby
Package ruby provides a concrete Cataloger implementation relating to packages within the Ruby language ecosystem.
pkg/cataloger/rust
Package rust provides a concrete Cataloger implementation relating to packages within the Rust language ecosystem.
pkg/cataloger/sbom
Package sbom provides a concrete Cataloger implementation for capturing packages embedded within SBOM files.
pkg/cataloger/snap
Package snap provides a concrete Cataloger implementation for snap packages, extracting metadata from different types of snap files (base, kernel, system/gadget, snapd) rather than just scanning the filesystem.
pkg/cataloger/swift
Package swift provides a concrete Cataloger implementation relating to packages within the Swift language ecosystem.
pkg/cataloger/swipl
Package swipl provides a Cataloger implementation relating to packages within the SWI Prolog language ecosystem.
source
Package source provides an abstraction to allow a user to loosely define a data source to catalog and expose a common interface that catalogers can use to explore and analyze data from the data source.