syft

Go · ★ 9.1k · updated 1 day ago

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

A command-line tool that scans container images or code folders and produces an inventory list of every package and library inside, in standard formats that security tools can read. This makes it straightforward to check software for known vulnerabilities.

Go · Docker · Homebrew · setup: easy · complexity: 2/5

Syft is a command-line tool written in Go that generates a Software Bill of Materials, commonly called an SBOM, for software you are running or distributing. An SBOM is essentially an inventory list: it catalogs all the packages and libraries bundled inside a container image or a folder of code, along with their versions and where they came from. Having that list makes it much easier to check whether any of those components have known security vulnerabilities.

The tool works by scanning a container image, a directory, or an archive file and detecting what packages are present. It can identify components from a wide range of packaging systems: Alpine Linux packages, Debian packages, RPM packages (used by Red Hat-based Linux distributions), Go modules, Python packages, JavaScript packages, Java JARs, Ruby gems, Rust crates, PHP packages, .NET assemblies, and more. You point it at something you want to inspect and it figures out what is inside.

The output can be written in several standard SBOM formats, including CycloneDX and SPDX, which are the two most widely recognized in the industry. These formats can be read by other security tools. Syft is designed to pair directly with Grype, a separate vulnerability scanner from the same company, which takes a Syft SBOM and checks it against databases of known vulnerabilities.

Running it is straightforward. The command syft alpine:latest scans the Alpine Linux container image and prints what it finds. Adding a format flag like -o cyclonedx-json writes the results as a file instead. The tool can also produce signed SBOM attestations, which are a way to cryptographically prove that a specific SBOM was generated for a specific piece of software.

Syft is developed by Anchore, released under the Apache 2.0 license, and available via Homebrew, Docker, and a curl installer.

Where it fits