This is the multi-page printable view of this section. Click here to print.
Anchore Open Source Software (OSS) is a suite of tools for Software Bill of Materials (SBOM) Generation, Vulnerability Scanning, and License Scanning.
Start by going to the project overview of Anchore OSS to learn more about the basic concepts and functions.
Step-by-step guides for common use cases:
Or checkout the Reference section for CLI and configuration details.
Interested in contributing to Anchore OSS?
Check out the contribution guides for how to get started!
We maintain three popular command-line tools, some libraries, and supporting utilities. Most are written in Go, with a few in Python. They are all released under the Apache-2.0 license. For the full list, see our GitHub org.
Anchore’s tools follow a simple workflow: search and raise up evidence in the form of a Software Bill of Materials (SBOM) using Syft, then analyze that SBOM with Grype for security vulnerabilities and Grant for open source license compliance.
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#f8fafc','primaryTextColor':'#1e293b','primaryBorderColor':'#cbd5e1','lineColor':'#94a3b8','secondaryColor':'#f8fafc','tertiaryColor':'#f8fafc'}}}%%
graph LR
software["📦 Your Software<br/><small>Container Images<br/>Filesystems<br/>Archives</small>"]
syft["🔍 Syft<br/><small>SBOM Generator</small>"]
sbom@{ shape: doc, label: "📋 SBOM<br/><small>Software Bill<br/>of Materials</small>"}
grype["🛡️ Grype<br/><small>Vulnerability<br/>Scanner</small>"]
grant["⚖️ Grant<br/><small>License<br/>Scanner</small>"]
vulns@{ shape: doc, label: "Security Report<br/><small>CVE findings</small>"}
licenses@{ shape: doc, label: "License Report<br/><small>Compliance info</small>"}
software -.->|scan| syft
syft -->|generates| sbom
sbom -->|analyze| grype
sbom -->|analyze| grant
grype -->|produces| vulns
grant -->|produces| licenses
classDef inputStyle fill:#f8fafc,stroke:#cbd5e1,stroke-width:2px,stroke-dasharray: 5 5,color:#64748b
classDef syftStyle fill:#fdf4ff,stroke:#e879f9,stroke-width:2px,color:#6b21a8
classDef grypleStyle fill:#eff6ff,stroke:#3b82f6,stroke-width:2px,color:#1e3a8a
classDef grantStyle fill:#f0fdf4,stroke:#00b388,stroke-width:2px,color:#065f46
classDef docStyle fill:#ffffff,stroke:#cbd5e1,stroke-width:1px,color:#475569
class software inputStyle
class syft syftStyle
class grype grypleStyle
class grant grantStyle
class sbom,vulns,licenses docStyleThis modular approach lets you generate the SBOM once with Syft, then use Grype and Grant independently to scan for different types of risk.
Syft
Syft (pronounced like sift) is an open-source command-line tool and Go library. Its primary function is to scan container images, file systems, and archives to automatically generate a Software Bill of Materials, making it easier to understand the composition of software.
Grype
Grype (rhymes with hype) is an open-source vulnerability scanner specifically designed to analyze container images and filesystems. It works by comparing the software components it finds against a database of known vulnerabilities, providing a report of potential risks so they can be addressed.
Grant
Grant is an open-source command-line tool designed to discover and report on the software licenses present in container images, SBOM documents, or filesystems. It helps users understand the licenses of their software dependencies and can check them against user-defined policies to ensure compliance.
Any of the tools can be installed with:
curl -sSfL https://get.anchore.io/TOOLNAME | sudo sh -s -- -b /usr/local/bin
However, there are additional installation options for each tool, so see the individual pages for more information.
The Anchore OSS team publish official source archives and binary builds of Syft for Linux, macOS and Windows. There are also numerous community-maintained builds of the tools for different platforms.
Syft binaries are provided for Linux, macOS and Windows.
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
Install script options:
-b: Specify a custom installation directory (defaults to ./bin)-d: More verbose logging levels (-d for debug, -dd for trace)-v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)Syft checks for new versions on launch. It will print a message at the end of the output if the version in use is not the latest.
A newer version of syft is available for download: 1.20.0 (installed version is 1.19.2)
docker pull anchore/syft
.deb or .rpm, install them using your package managersyft binary to a folder in your path such as /usr/local/binapk add syft
Thanks to Michał Polański for maintaining this package.
brew tap anchore/syft
brew install syft
Thanks to the Syft community for maintaining this package.
sudo apt install syft
Thanks to Sophie Brun for maintaining this package.
Syft is available in the stable channel since NixOS 22.05.
nix-env -i syft
Alternatively, just try it out in an ephemeral nix shell.
nix-shell -p syft
winget install Anchore.syft
Thanks to Alan Pope for maintaining this package.
scoop bucket add main
scoop install main/syft
snap install syft
Thanks to Alan Pope for maintaining this package.
The Anchore OSS team publish official source archives and binary builds of Grype for Linux, macOS and Windows. There are also numerous community-maintained builds of the tools for different platforms.
Grype binaries are provided for Linux, macOS and Windows.
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin
Install script options:
-b: Specify a custom installation directory (defaults to ./bin)-d: More verbose logging levels (-d for debug, -dd for trace)-v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)Grype checks for new versions on launch. It will print a message at the end of the output if the version in use is not the latest.
A newer version of grype is available for download: 0.92.0 (installed version is 0.91.2)
docker pull anchore/grype
.deb or .rpm, install them using your package managergrype binary to a folder in your path such as /usr/local/binsudo pacman -S grype-bin
brew tap anchore/grype
brew install grype
sudo port install grype
winget install Anchore.Grype
scoop bucket add main
scoop install main/grype
snap install grype
The Anchore OSS team publish official source archives and binary builds for Linux and macOS. There are also some community-maintained builds of the tools for different platforms.
Grant binaries are provided for Linux and macOS.
curl -sSfL https://get.anchore.io/grant | sudo sh -s -- -b /usr/local/bin
Install script options:
-b: Specify a custom installation directory (defaults to ./bin)-d: More verbose logging levels (-d for debug, -dd for trace)-v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed).deb or .rpm, install them using your package managergrant binary to a folder in your path such as /usr/local/binbrew tap anchore/grant
brew install grant
Verifying your downloads ensures that:
All release artifacts include checksums, and the checksum file itself is cryptographically signed using cosign for verification.
-v flag if you have cosign installed. This performs the same verification steps outlined below.Before verifying downloads, you need:
Note: Checksum verification doesn’t require additional tools beyond your operating system’s built-in utilities.
This method verifies that your download is both authentic (from Anchore) and hasn’t been tampered with.
Download your tool binary and the verification files from the appropriate GitHub releases page:
You’ll need:
syft_1.23.1_darwin_arm64.tar.gz)checksums.txtchecksums.txt.pemchecksums.txt.sigUse cosign to verify the checksum file’s signature:
cosign verify-blob <path to checksums.txt> \
--certificate <path to checksums.txt.pem> \
--signature <path to checksums.txt.sig> \
--certificate-identity-regexp 'https://github\.com/anchore/<tool-name>/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
Replace <tool-name> with syft, grype, or grant depending on which tool you’re verifying.
Expected output on success:
Verified OK
Once the signature is confirmed as valid, verify that the SHA256 checksum matches your downloaded file:
sha256sum --ignore-missing -c checksums.txt
Expected output on success:
<your-binary-file>: OK
Here’s a complete example verifying Syft v1.23.1 for macOS ARM64:
Download the files:
# Download the binary
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_darwin_arm64.tar.gz
# Download verification files
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt.pem
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt.sig
Verify the signature:
cosign verify-blob ./syft_1.23.1_checksums.txt \
--certificate ./syft_1.23.1_checksums.txt.pem \
--signature ./syft_1.23.1_checksums.txt.sig \
--certificate-identity-regexp 'https://github\.com/anchore/syft/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
Output:
Verified OK
Verify the checksum:
sha256sum --ignore-missing -c syft_1.23.1_checksums.txt
Output:
syft_1.23.1_darwin_arm64.tar.gz: OK
If you can’t use cosign, you can verify checksums manually. This verifies file integrity but not authenticity.
Download your tool binary and the checksums file:
# Example for Syft v1.23.1
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_darwin_arm64.tar.gz
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt
sha256sum --ignore-missing -c syft_1.23.1_checksums.txt
Expected output:
syft_1.23.1_darwin_arm64.tar.gz: OK
If cosign verification fails, check these common issues:
syft, grype, or grant) in the certificate identity patternIf the checksum verification fails:
macOS:
sha256sum, use shasum -a 256 insteadshasum -a 256 syft_1.23.1_darwin_arm64.tar.gzWindows:
Use PowerShell’s Get-FileHash command:
Get-FileHash .\syft_1.23.1_windows_amd64.zip -Algorithm SHA256
If you’re still having issues:
A Software Bill of Materials (SBOM) is a detailed list of all libraries and components that make up software.
For developers, it’s crucial for tracking dependencies, identifying vulnerabilities, and ensuring license compliance.
For organizations, it provides transparency into the software supply chain to assess security risks.
Syft is a CLI tool for generating an SBOM from container images and filesystems.
Syft is provided as a single compiled executable and requires no external dependencies to run. Run the command for your platform to download the latest release.
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/binbrew install syftnuget install Anchore.SyftCheck out installation guide for full list of official and community-maintained packaging options.
Run syft against a small container image; the output will be a simple human-readable table of the installed packages found:
syft alpine:latest
NAME VERSION TYPE
alpine-baselayout 3.6.8-r1 apk
alpine-baselayout-data 3.6.8-r1 apk
alpine-keys 2.5-r0 apk
alpine-release 3.21.3-r0 apk
apk-tools 2.14.6-r3 apk
busybox 1.37.0-r12 apk
busybox-binsh 1.37.0-r12 apk
...
This command will display the human-readable table and write SBOMs in both SPDX and CycloneDX formats, the two primary industry standards.
syft alpine:latest \ # what we're scanning
-o table \ # a human-readable table to stdout
-o spdx-json=alpine.spdx.json \ # SPDX-JSON formatted SBOM to a file
-o cyclonedx-json=alpine.cdx.json # CycloneDX-JSON formatted SBOM to a file
The same table will be displayed, and two SBOM files will be created in the current directory.
We can use jq to extract specific package data from the SBOM files (by default Syft outputs JSON on a single line,
but you can enable pretty-printing with the SYFT_FORMAT_PRETTY=true environment variable).
Both formats structure package information differently:
SPDX format:
jq '.packages[].name' alpine.spdx.json
CycloneDX format:
jq '.components[].name' alpine.cdx.json
Both commands show the packages that Syft found in the container image:
"alpine-baselayout"
"alpine-baselayout-data"
"alpine-keys"
"alpine-release"
"apk-tools"
"busybox"
"busybox-binsh"
...
By default, Syft shows only software visible in the final container image (the “squashed” representation).
To include software from all image layers, regardless of its presence in the final image, use --scope all-layers:
syft <image> --scope all-layers
Does Syft need internet access?
Only for downloading container images. By default, scanning works offline.
What about private container registries?
Syft supports authentication for private registries. See Private Registries.
Can I use Syft in CI/CD pipelines?
Absolutely! Syft is designed for automation. Generate SBOMs during builds and scan them for vulnerabilities.
What data does Syft send externally?
Nothing. Syft runs entirely locally and doesn’t send any data to external services.
Now that you’ve generated your first SBOM, here are additional resources:
syft <target>--from <type> to explicitly specify scan target type (e.g., --from registry to bypass local daemons)Syft can generate an SBOM from a variety of scan targets including container images, directories, files, and archives. In most cases, you can simply point Syft at what you want to analyze and it will automatically detect and catalog it correctly.
Catalog a container image from your local daemon or a remote registry:
syft alpine:latest
Catalog a directory (useful for analyzing source code or installed applications):
syft /path/to/project
Catalog a container image archive:
syft image.tar
To explicitly specify the scan target type, use the --from flag:
--from ARG | Description |
|---|---|
docker | Use images from the Docker daemon |
podman | Use images from the Podman daemon |
containerd | Use images from the Containerd daemon |
docker-archive | Use a tarball from disk for archives created from docker save |
oci-archive | Use a tarball from disk for OCI archives (from Skopeo or otherwise) |
oci-dir | Read directly from a path on disk for OCI layout directories (from Skopeo or otherwise) |
singularity | Read directly from a Singularity Image Format (SIF) container file on disk |
dir | Read directly from a path on disk (any directory) |
file | Read directly from a path on disk (any single file) |
registry | Pull image directly from a registry (bypass any container runtimes) |
Instead of using the --from flag explicitly, you can instead:
provide no hint and let Syft automatically detect the scan target type implicitly based on the input provided
provide the scan target type as a URI scheme in the target argument (e.g., docker:alpine:latest, oci-archive:/path/to/image.tar, dir:/path/to/dir)
When working with container images, Syft applies the following defaults and behaviors:
alpine:latest instead of docker.io/alpine:latest), Syft assumes docker.iolinux/amd64 manifest by default.
Use the --platform flag to target a different platform.When you provide an image reference without specifying a scan target type (i.e. no --from flag), Syft attempts to resolve the image using the following scan targets in order:
For example, when you run syft alpine:latest, Syft will first check your local Docker daemon for the image.
If Docker isn’t available, it tries Podman, then Containerd, and finally attempts to pull directly from the registry.
You can override this default behavior with the default-image-pull-source configuration option to always prefer a specific scan target.
See Configuration for more details.
When you provide a directory path as the scan target, Syft recursively scans the directory tree to catalog installed software packages and files.
When you point Syft at a directory (especially system directories like /), it automatically skips certain filesystem types to improve
scan performance and avoid indexing areas that don’t contain installed software packages.
proc / procfs - Virtual filesystem for process informationsysfs - Virtual filesystem for kernel and device informationdevfs / devtmpfs / udev - Device filesystemstmpfs filesystems are only skipped when mounted at these specific locations:
/dev - Device files/sys - System information/run and /var/run - Runtime data and process IDs/var/lock - Lock filesThese paths are excluded because they contain virtual or temporary runtime data rather than installed software packages. Skipping them significantly improves scan performance and enables you to catalog entire system root directories without getting stuck scanning thousands of irrelevant entries.
Syft identifies these filesystems by reading your system’s mount table (/proc/self/mountinfo on Linux).
When a directory matches one of these criteria, the entire directory tree under that mount point is skipped.
These file types are never indexed during directory scans:
Regular files, directories, and symbolic links are always processed.
Syft automatically detects and unpacks common archive formats, then catalogs their contents.
If an archive is a container image archive (from docker save or skopeo copy), Syft treats it as a container image.
Supported archive formats:
Standard archives:
.zip.tar (uncompressed).rar (read-only extraction)Compressed tar variants:
.tar.gz / .tgz.tar.bz2 / .tbz2.tar.br / .tbr (brotli).tar.lz4 / .tlz4.tar.sz / .tsz (snappy).tar.xz / .txz.tar.zst / .tzst (zstandard)Standalone compression formats (extracted if containing tar):
.gz (gzip).bz2 (bzip2).br (brotli).lz4.sz (snappy).xz.zst / .zstd (zstandard)Syft automatically detects OCI archive and directory structures (including OCI layouts and SIF files) and catalogs them accordingly.
OCI archives and layouts are particularly useful for CI/CD pipelines, as they allow you to catalog images, scan for vulnerabilities, or perform other checks without publishing to a registry. This provides a powerful pattern for build-time gating.
OCI archive from an image:
skopeo copy \
docker://alpine@sha256:eafc1edb577d2e9b458664a15f23ea1c370214193226069eb22921169fc7e43f \
oci-archive:alpine.tar
OCI layout directory from an image:
skopeo copy \
docker://alpine@sha256:eafc1edb577d2e9b458664a15f23ea1c370214193226069eb22921169fc7e43f \
oci:alpine
Container image archive from an image:
docker save -o alpine.tar alpine:latest
When using container runtime scan targets (Docker, Podman, or Containerd):
docker login) or have credentials configured for direct registry access. See Authentication with Private Registries for more details.Syft respects the following environment variables for each container runtime:
| Scan Target | Environment Variables | Description |
|---|---|---|
| Docker | DOCKER_HOST | Docker daemon socket/host address (supports ssh:// for remote connections) |
DOCKER_TLS_VERIFY | Enable TLS verification (auto-sets DOCKER_CERT_PATH if not set) | |
DOCKER_CERT_PATH | Path to TLS certificates (defaults to ~/.docker if DOCKER_TLS_VERIFY is set) | |
DOCKER_CONFIG | Override default Docker config directory | |
| Podman | CONTAINER_HOST | Podman socket/host address (e.g., unix:///run/podman/podman.sock or ssh://user@host/path/to/socket) |
CONTAINER_SSHKEY | SSH identity file path for remote Podman connections | |
CONTAINER_PASSPHRASE | Passphrase for the SSH key | |
| Containerd | CONTAINERD_ADDRESS | Containerd socket address (overrides default /run/containerd/containerd.sock) |
CONTAINERD_NAMESPACE | Containerd namespace (defaults to default) |
Unlike Docker Desktop, which typically auto-starts, Podman requires explicitly starting the service.
Syft attempts to connect to Podman using the following methods in order:
Unix Socket (primary)
CONTAINER_HOST environment variable firstand/run/podman/podman.sock`)SSH (fallback)
CONTAINER_HOST, CONTAINER_SSHKEY, and CONTAINER_PASSPHRASE environment variablesThe registry scan target bypasses container runtimes entirely and pulls images directly from the registry.
Credentials are resolved in the following order:
~/.docker/config.json if they existIf Syft reports an image doesn’t exist but you know it’s available:
docker images, podman images, or nerdctl images to see where the image exists--from docker, --from podman, or --from containerd to target the correct daemon--from registry to bypass local daemons and pull directlyIf you get authentication errors when scanning private images:
docker login registry.example.com)~/.docker/config.json or use environment variables (see Private Registries)If Syft can’t connect to Podman:
podman system service to start the Podman socket$XDG_RUNTIME_DIR/podman/podman.sock or /run/podman/podman.sockCONTAINER_HOST to point to your Podman socket locationIf scanning a directory takes too long:
/ includes all mounted filesystems; consider scanning specific application directories insteadAdditional resources:
-o <format>:table (default)json (complete data)spdx-json/spdx-tag-valuecyclonedx-json/cyclonedx-xml-o json=sbom.json-o flagsSyft supports multiple output formats to fit different workflows and requirements by using the -o (or --output) flag:
syft <image> -o <format>
-o ARG | Description |
|---|---|
table | A columnar summary (default) |
json | Native output for Syft—use this to get as much information out of Syft as possible! (see the JSON schema) |
purls | A line-separated list of Package URLs (PURLs) for all discovered packages |
github-json | A JSON report conforming to GitHub’s dependency snapshot format |
template | Lets you specify a custom output format via Go templates (see Templates for more detail) |
text | A row-oriented, human-and-machine-friendly output |
CycloneDX is an OWASP-maintained industry standard SBOM format.
-o ARG | Description |
|---|---|
cyclonedx-json | A JSON report conforming to the CycloneDX specification |
cyclonedx-xml | An XML report conforming to the CycloneDX specification |
SPDX (Software Package Data Exchange) is an ISO/IEC 5962:2021 industry standard SBOM format.
-o ARG | Description |
|---|---|
spdx-json | A JSON report conforming to the SPDX JSON Schema |
spdx-tag-value | A tag-value formatted report conforming to the SPDX specification |
Some output formats support multiple schema versions. Specify a version by appending @<version> to the format name:
syft <source> -o <format>@<version>
Examples:
# Use CycloneDX JSON version 1.4
syft <source> -o cyclonedx-json@1.4
# Use SPDX JSON version 2.2
syft <source> -o spdx-json@2.2
# Default to latest version if not specified
syft <source> -o cyclonedx-json
Formats with version support:
1.2, 1.3, 1.4, 1.5, 1.61.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.62.2, 2.32.1, 2.2, 2.3When no version is specified, Syft uses the latest supported version of the format.
NAME VERSION TYPE
busybox 1.37.0 binary
{
"artifacts": [
{
"id": "fe44cee3fe279dfa",
"name": "busybox",
"version": "1.37.0",
"type": "binary",
"foundBy": "binary-classifier-cataloger",
"locations": [
{
"path": "/bin/[",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05",
"accessPath": "/bin/busybox",
"annotations": {
"evidence": "primary"
}
}
],
"licenses": [],
"language": "",
"cpes": [
{
"cpe": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*",
"source": "nvd-cpe-dictionary"
}
],
"purl": "pkg:generic/busybox@1.37.0",
"metadataType": "binary-signature",
"metadata": {
"matches": [
{
"classifier": "busybox-binary",
"location": {
"path": "/bin/[",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05",
"accessPath": "/bin/busybox",
"annotations": {
"evidence": "primary"
}
}
}
]
}
}
],
"artifactRelationships": [
{
"parent": "396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b",
"child": "fe44cee3fe279dfa",
"type": "contains"
},
{
"parent": "fe44cee3fe279dfa",
"child": "3a6b3df220691408",
"type": "evident-by",
"metadata": {
"kind": "primary"
}
}
],
"files": [
{
"id": "3a6b3df220691408",
"location": {
"path": "/bin/[",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"metadata": {
"mode": 755,
"type": "RegularFile",
"userID": 0,
"groupID": 0,
"mimeType": "application/x-sharedlib",
"size": 1119808
},
"digests": [
{
"algorithm": "sha1",
"value": "5231d5d79cb52f3581f9c137396e7d9df7aa6d6b"
},
{
"algorithm": "sha256",
"value": "f19470457088612bc3285404783d9f93533d917e869050aca13a4139b937c0a5"
}
],
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["libm.so.6", "libresolv.so.2", "libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "partial",
"pie": true,
"dso": true,
"safeStack": false
}
}
},
{
"id": "eab1ede6d517d844",
"location": {
"path": "/bin/getconf",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": true,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "9c61e609f3b76f4a",
"location": {
"path": "/lib/ld-linux-aarch64.so.1",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": [],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "456b7910a9499337",
"location": {
"path": "/lib/libc.so.6",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["ld-linux-aarch64.so.1"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "9376910c472a1ddd",
"location": {
"path": "/lib/libm.so.6",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6", "ld-linux-aarch64.so.1"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "383904be0603bd22",
"location": {
"path": "/lib/libnss_compat.so.2",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6", "ld-linux-aarch64.so.1"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "324828ff45e1fc0b",
"location": {
"path": "/lib/libnss_dns.so.2",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "9a791682497737bd",
"location": {
"path": "/lib/libnss_files.so.2",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "c6f668db34996e30",
"location": {
"path": "/lib/libnss_hesiod.so.2",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libresolv.so.2", "libc.so.6", "ld-linux-aarch64.so.1"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "d5aa00430d994aa8",
"location": {
"path": "/lib/libpthread.so.0",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "5804ce9e713c7582",
"location": {
"path": "/lib/libresolv.so.2",
"layerID": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6", "ld-linux-aarch64.so.1"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
}
],
"source": {
"id": "396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b",
"name": "busybox",
"version": "sha256:396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b",
"type": "image",
"metadata": {
"userInput": "busybox:latest",
"imageID": "sha256:eade5be814e817df411f138aa7711c3f81595185eb54b3257fd19f6c4966b285",
"manifestDigest": "sha256:396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b",
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"tags": [],
"imageSize": 4170774,
"layers": [
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05",
"size": 4170774
}
],
"manifest": "ewoJInNjaGVtYVZlcnNpb24iOiAyLAoJIm1lZGlhVHlwZSI6ICJhcHBsaWNhdGlvbi92bmQub2NpLmltYWdlLm1hbmlmZXN0LnYxK2pzb24iLAoJImNvbmZpZyI6IHsKCQkibWVkaWFUeXBlIjogImFwcGxpY2F0aW9uL3ZuZC5vY2kuaW1hZ2UuY29uZmlnLnYxK2pzb24iLAoJCSJkaWdlc3QiOiAic2hhMjU2OmVhZGU1YmU4MTRlODE3ZGY0MTFmMTM4YWE3NzExYzNmODE1OTUxODVlYjU0YjMyNTdmZDE5ZjZjNDk2NmIyODUiLAoJCSJzaXplIjogNDc3Cgl9LAoJImxheWVycyI6IFsKCQl7CgkJCSJtZWRpYVR5cGUiOiAiYXBwbGljYXRpb24vdm5kLm9jaS5pbWFnZS5sYXllci52MS50YXIrZ3ppcCIsCgkJCSJkaWdlc3QiOiAic2hhMjU2OjViYzUxYjg3ZDRlY2NlMDYyOWM0ODg2NzRlMjU4MGEzZDU4ZDI5MzdkNzBjODFkNGY2ZDQ4NWQ0M2UwNmViMDYiLAoJCQkic2l6ZSI6IDE5MDI5OTEKCQl9CgldLAoJImFubm90YXRpb25zIjogewoJCSJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudXJsIjogImh0dHBzOi8vZ2l0aHViLmNvbS9kb2NrZXItbGlicmFyeS9idXN5Ym94IiwKCQkib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnZlcnNpb24iOiAiMS4zNy4wLWdsaWJjIgoJfQp9Cg==",
"config": "ewoJImNvbmZpZyI6IHsKCQkiQ21kIjogWwoJCQkic2giCgkJXSwKCQkiRW52IjogWwoJCQkiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iCgkJXQoJfSwKCSJjcmVhdGVkIjogIjIwMjQtMDktMjZUMjE6MzE6NDJaIiwKCSJoaXN0b3J5IjogWwoJCXsKCQkJImNyZWF0ZWQiOiAiMjAyNC0wOS0yNlQyMTozMTo0MloiLAoJCQkiY3JlYXRlZF9ieSI6ICJCdXN5Qm94IDEuMzcuMCAoZ2xpYmMpLCBEZWJpYW4gMTMiCgkJfQoJXSwKCSJyb290ZnMiOiB7CgkJInR5cGUiOiAibGF5ZXJzIiwKCQkiZGlmZl9pZHMiOiBbCgkJCSJzaGEyNTY6MWEzODI3NDBjNTY0MmU0NjA3NDEyYTM0MWRmMzcxNmMyMjI4N2ZmYTZhZGY5MmVhZmY1NGUwNzlhMTkwMmYwNSIKCQldCgl9LAoJImFyY2hpdGVjdHVyZSI6ICJhcm02NCIsCgkib3MiOiAibGludXgiLAoJInZhcmlhbnQiOiAidjgiCn0K",
"repoDigests": [
"index.docker.io/library/busybox@sha256:e3652a00a2fabd16ce889f0aa32c38eec347b997e73bd09e69c962ec7f8732ee"
],
"architecture": "arm64",
"os": "linux"
}
},
"distro": {
"prettyName": "BusyBox v1.37.0",
"name": "busybox",
"id": "busybox",
"idLike": ["busybox"],
"version": "1.37.0",
"versionID": "1.37.0"
},
"descriptor": {
"name": "syft",
"version": "1.38.0",
"configuration": {
"catalogers": {
"requested": {
"default": ["image", "file"]
},
"used": [
"alpm-db-cataloger",
"apk-db-cataloger",
"binary-classifier-cataloger",
"bitnami-cataloger",
"cargo-auditable-binary-cataloger",
"conan-info-cataloger",
"dotnet-deps-binary-cataloger",
"dotnet-packages-lock-cataloger",
"dpkg-db-cataloger",
"elf-binary-package-cataloger",
"file-content-cataloger",
"file-digest-cataloger",
"file-executable-cataloger",
"file-metadata-cataloger",
"gguf-cataloger",
"go-module-binary-cataloger",
"graalvm-native-image-cataloger",
"homebrew-cataloger",
"java-archive-cataloger",
"java-jvm-cataloger",
"javascript-package-cataloger",
"linux-kernel-cataloger",
"lua-rock-cataloger",
"nix-cataloger",
"pe-binary-package-cataloger",
"php-composer-installed-cataloger",
"php-interpreter-cataloger",
"php-pear-serialized-cataloger",
"portage-cataloger",
"python-installed-package-cataloger",
"r-package-cataloger",
"rpm-db-cataloger",
"ruby-installed-gemspec-cataloger",
"snap-cataloger",
"wordpress-plugins-cataloger"
]
},
"data-generation": {
"generate-cpes": true
},
"files": {
"content": {
"globs": null,
"skip-files-above-size": 0
},
"hashers": ["sha-1", "sha-256"],
"selection": "owned-by-package"
},
"licenses": {
"coverage": 75,
"include-content": "none"
},
"packages": {
"binary": [
"python-binary",
"python-binary-lib",
"pypy-binary-lib",
"go-binary",
"julia-binary",
"helm",
"redis-binary",
"nodejs-binary",
"go-binary-hint",
"busybox-binary",
"util-linux-binary",
"haproxy-binary",
"perl-binary",
"php-composer-binary",
"httpd-binary",
"memcached-binary",
"traefik-binary",
"arangodb-binary",
"postgresql-binary",
"mysql-binary",
"mysql-binary",
"mysql-binary",
"xtrabackup-binary",
"mariadb-binary",
"rust-standard-library-linux",
"rust-standard-library-macos",
"ruby-binary",
"erlang-binary",
"erlang-alpine-binary",
"erlang-library",
"swipl-binary",
"dart-binary",
"haskell-ghc-binary",
"haskell-cabal-binary",
"haskell-stack-binary",
"consul-binary",
"hashicorp-vault-binary",
"nginx-binary",
"bash-binary",
"openssl-binary",
"gcc-binary",
"fluent-bit-binary",
"wordpress-cli-binary",
"curl-binary",
"lighttpd-binary",
"proftpd-binary",
"zstd-binary",
"xz-binary",
"gzip-binary",
"sqlcipher-binary",
"jq-binary",
"chrome-binary",
"ffmpeg-binary",
"ffmpeg-library",
"ffmpeg-library",
"elixir-binary",
"elixir-library",
"java-binary",
"java-jdb-binary"
],
"dotnet": {
"dep-packages-must-claim-dll": true,
"dep-packages-must-have-dll": false,
"propagate-dll-claims-to-parents": true,
"relax-dll-claims-when-bundling-detected": true
},
"golang": {
"local-mod-cache-dir": "/root/go/pkg/mod",
"local-vendor-dir": "",
"main-module-version": {
"from-build-settings": true,
"from-contents": false,
"from-ld-flags": true
},
"proxies": ["https://proxy.golang.org", "direct"],
"search-local-mod-cache-licenses": false,
"search-local-vendor-licenses": false,
"search-remote-licenses": false
},
"java-archive": {
"include-indexed-archives": true,
"include-unindexed-archives": false,
"maven-base-url": "https://repo1.maven.org/maven2",
"maven-localrepository-dir": "/root/.m2/repository",
"max-parent-recursive-depth": 0,
"resolve-transitive-dependencies": false,
"use-maven-localrepository": false,
"use-network": false
},
"javascript": {
"include-dev-dependencies": false,
"npm-base-url": "https://registry.npmjs.org",
"search-remote-licenses": false
},
"linux-kernel": {
"catalog-modules": true
},
"nix": {
"capture-owned-files": false
},
"python": {
"guess-unpinned-requirements": false,
"pypi-base-url": "https://pypi.org/pypi",
"search-remote-licenses": false
}
},
"relationships": {
"exclude-binary-packages-with-file-ownership-overlap": true,
"package-file-ownership": true,
"package-file-ownership-overlap": true
},
"search": {
"scope": "squashed"
}
}
},
"schema": {
"version": "16.1.0",
"url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.1.0.json"
}
}
pkg:generic/busybox@1.37.0
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:8831f243-6dcd-4bdd-a2b0-562480154c9b",
"version": 1,
"metadata": {
"timestamp": "2025-11-21T20:47:28Z",
"tools": {
"components": [
{
"type": "application",
"author": "anchore",
"name": "syft",
"version": "1.38.0"
}
]
},
"component": {
"bom-ref": "e98d5f0296649c51",
"type": "container",
"name": "busybox",
"version": "sha256:396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b"
}
},
"components": [
{
"bom-ref": "pkg:generic/busybox@1.37.0?package-id=fe44cee3fe279dfa",
"type": "application",
"name": "busybox",
"version": "1.37.0",
"cpe": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*",
"purl": "pkg:generic/busybox@1.37.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "binary-classifier-cataloger"
},
{
"name": "syft:package:type",
"value": "binary"
},
{
"name": "syft:package:metadataType",
"value": "binary-signature"
},
{
"name": "syft:location:0:layerID",
"value": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"name": "syft:location:0:path",
"value": "/bin/["
}
]
},
{
"bom-ref": "os:busybox@1.37.0",
"type": "operating-system",
"name": "busybox",
"version": "1.37.0",
"description": "BusyBox v1.37.0",
"swid": {
"tagId": "busybox",
"name": "busybox",
"version": "1.37.0"
},
"properties": [
{
"name": "syft:distro:extendedSupport",
"value": "false"
},
{
"name": "syft:distro:id",
"value": "busybox"
},
{
"name": "syft:distro:idLike:0",
"value": "busybox"
},
{
"name": "syft:distro:prettyName",
"value": "BusyBox v1.37.0"
},
{
"name": "syft:distro:versionID",
"value": "1.37.0"
}
]
},
{
"bom-ref": "3a6b3df220691408",
"type": "file",
"name": "/bin/[",
"hashes": [
{
"alg": "SHA-1",
"content": "5231d5d79cb52f3581f9c137396e7d9df7aa6d6b"
},
{
"alg": "SHA-256",
"content": "f19470457088612bc3285404783d9f93533d917e869050aca13a4139b937c0a5"
}
]
}
]
}
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:33ad49e5-992c-4f1e-be05-68f4095b764f" version="1">
<metadata>
<timestamp>2025-11-21T20:47:29Z</timestamp>
<tools>
<components>
<component type="application">
<author>anchore</author>
<name>syft</name>
<version>1.38.0</version>
</component>
</components>
</tools>
<component bom-ref="e98d5f0296649c51" type="container">
<name>busybox</name>
<version>sha256:396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b</version>
</component>
</metadata>
<components>
<component bom-ref="pkg:generic/busybox@1.37.0?package-id=fe44cee3fe279dfa" type="application">
<name>busybox</name>
<version>1.37.0</version>
<cpe>cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*</cpe>
<purl>pkg:generic/busybox@1.37.0</purl>
<properties>
<property name="syft:package:foundBy">binary-classifier-cataloger</property>
<property name="syft:package:type">binary</property>
<property name="syft:package:metadataType">binary-signature</property>
<property name="syft:location:0:layerID">sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05</property>
<property name="syft:location:0:path">/bin/[</property>
</properties>
</component>
<component bom-ref="os:busybox@1.37.0" type="operating-system">
<name>busybox</name>
<version>1.37.0</version>
<description>BusyBox v1.37.0</description>
<swid tagId="busybox" name="busybox" version="1.37.0"></swid>
<properties>
<property name="syft:distro:extendedSupport">false</property>
<property name="syft:distro:id">busybox</property>
<property name="syft:distro:idLike:0">busybox</property>
<property name="syft:distro:prettyName">BusyBox v1.37.0</property>
<property name="syft:distro:versionID">1.37.0</property>
</properties>
</component>
<component bom-ref="3a6b3df220691408" type="file">
<name>/bin/[</name>
<hashes>
<hash alg="SHA-1">5231d5d79cb52f3581f9c137396e7d9df7aa6d6b</hash>
<hash alg="SHA-256">f19470457088612bc3285404783d9f93533d917e869050aca13a4139b937c0a5</hash>
</hashes>
</component>
</components>
</bom>
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "busybox",
"documentNamespace": "https://anchore.com/syft/image/busybox-9730898a-4b77-4396-b39c-e08a872ec19f",
"creationInfo": {
"licenseListVersion": "3.27",
"creators": ["Organization: Anchore, Inc", "Tool: syft-1.38.0"],
"created": "2025-11-21T20:47:30Z"
},
"packages": [
{
"name": "busybox",
"SPDXID": "SPDXRef-Package-binary-busybox-fe44cee3fe279dfa",
"versionInfo": "1.37.0",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from the following paths: /bin/[",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:generic/busybox@1.37.0"
}
]
},
{
"name": "busybox",
"SPDXID": "SPDXRef-DocumentRoot-Image-busybox",
"versionInfo": "sha256:396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b"
}
],
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/busybox@sha256%3A396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b?arch=arm64&tag=latest"
}
],
"primaryPackagePurpose": "CONTAINER"
}
],
"files": [
{
"fileName": "bin/[",
"SPDXID": "SPDXRef-File-bin---3a6b3df220691408",
"fileTypes": ["APPLICATION", "BINARY"],
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "5231d5d79cb52f3581f9c137396e7d9df7aa6d6b"
},
{
"algorithm": "SHA256",
"checksumValue": "f19470457088612bc3285404783d9f93533d917e869050aca13a4139b937c0a5"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "bin/getconf",
"SPDXID": "SPDXRef-File-bin-getconf-eab1ede6d517d844",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/ld-linux-aarch64.so.1",
"SPDXID": "SPDXRef-File-lib-ld-linux-aarch64.so.1-9c61e609f3b76f4a",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libc.so.6",
"SPDXID": "SPDXRef-File-lib-libc.so.6-456b7910a9499337",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libm.so.6",
"SPDXID": "SPDXRef-File-lib-libm.so.6-9376910c472a1ddd",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libnss_compat.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-compat.so.2-383904be0603bd22",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libnss_dns.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-dns.so.2-324828ff45e1fc0b",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libnss_files.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-files.so.2-9a791682497737bd",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libnss_hesiod.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-hesiod.so.2-c6f668db34996e30",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libpthread.so.0",
"SPDXID": "SPDXRef-File-lib-libpthread.so.0-d5aa00430d994aa8",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
{
"fileName": "lib/libresolv.so.2",
"SPDXID": "SPDXRef-File-lib-libresolv.so.2-5804ce9e713c7582",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-Package-binary-busybox-fe44cee3fe279dfa",
"relatedSpdxElement": "SPDXRef-File-bin---3a6b3df220691408",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-Image-busybox",
"relatedSpdxElement": "SPDXRef-Package-binary-busybox-fe44cee3fe279dfa",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-DocumentRoot-Image-busybox",
"relationshipType": "DESCRIBES"
}
]
}
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: busybox
DocumentNamespace: https://anchore.com/syft/image/busybox-04c37b1f-d42c-4c7b-847b-747d25fb694c
LicenseListVersion: 3.27
Creator: Organization: Anchore, Inc
Creator: Tool: syft-1.38.0
Created: 2025-11-21T20:47:30Z
##### Unpackaged files
FileName: bin/[
SPDXID: SPDXRef-File-bin---3a6b3df220691408
FileType: APPLICATION
FileType: BINARY
FileChecksum: SHA1: 5231d5d79cb52f3581f9c137396e7d9df7aa6d6b
FileChecksum: SHA256: f19470457088612bc3285404783d9f93533d917e869050aca13a4139b937c0a5
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: bin/getconf
SPDXID: SPDXRef-File-bin-getconf-eab1ede6d517d844
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/ld-linux-aarch64.so.1
SPDXID: SPDXRef-File-lib-ld-linux-aarch64.so.1-9c61e609f3b76f4a
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libc.so.6
SPDXID: SPDXRef-File-lib-libc.so.6-456b7910a9499337
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libm.so.6
SPDXID: SPDXRef-File-lib-libm.so.6-9376910c472a1ddd
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libnss_compat.so.2
SPDXID: SPDXRef-File-lib-libnss-compat.so.2-383904be0603bd22
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libnss_dns.so.2
SPDXID: SPDXRef-File-lib-libnss-dns.so.2-324828ff45e1fc0b
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libnss_files.so.2
SPDXID: SPDXRef-File-lib-libnss-files.so.2-9a791682497737bd
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libnss_hesiod.so.2
SPDXID: SPDXRef-File-lib-libnss-hesiod.so.2-c6f668db34996e30
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libpthread.so.0
SPDXID: SPDXRef-File-lib-libpthread.so.0-d5aa00430d994aa8
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
FileName: lib/libresolv.so.2
SPDXID: SPDXRef-File-lib-libresolv.so.2-5804ce9e713c7582
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05
##### Package: busybox
PackageName: busybox
SPDXID: SPDXRef-DocumentRoot-Image-busybox
PackageVersion: sha256:396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
PrimaryPackagePurpose: CONTAINER
FilesAnalyzed: false
PackageChecksum: SHA256: 396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:oci/busybox@sha256%3A396fa78f221c72de93053a00e33e3d69b5bdfa80131777e6ea518eb9a1af3f3b?arch=arm64&tag=latest
##### Package: busybox
PackageName: busybox
SPDXID: SPDXRef-Package-binary-busybox-fe44cee3fe279dfa
PackageVersion: 1.37.0
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from the following paths: /bin/[
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:generic/busybox@1.37.0
##### Relationships
Relationship: SPDXRef-Package-binary-busybox-fe44cee3fe279dfa OTHER SPDXRef-File-bin---3a6b3df220691408
RelationshipComment: evident-by: indicates the package's existence is evident by the given file
Relationship: SPDXRef-DocumentRoot-Image-busybox CONTAINS SPDXRef-Package-binary-busybox-fe44cee3fe279dfa
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DocumentRoot-Image-busybox
{
"version": 0,
"job": {},
"detector": {
"name": "syft",
"url": "https://github.com/anchore/syft",
"version": "1.38.0"
},
"metadata": {
"syft:distro": "pkg:generic/busybox@1.37.0?like=busybox"
},
"manifests": {
"busybox:latest:/bin/busybox": {
"name": "busybox:latest:/bin/busybox",
"file": {
"source_location": "busybox:latest:/bin/busybox"
},
"metadata": {
"syft:filesystem": "sha256:1a382740c5642e4607412a341df3716c22287ffa6adf92eaff54e079a1902f05"
},
"resolved": {
"pkg:generic/busybox@1.37.0": {
"package_url": "pkg:generic/busybox@1.37.0",
"relationship": "direct",
"scope": "runtime"
}
}
}
},
"scanned": "2025-11-21T20:47:31Z"
}
Direct Syft output to a file instead of stdout by appending =<file> to the format option:
# Write JSON to a file
syft <source> -o json=sbom.json
# Write to stdout (default behavior)
syft <source> -o json
Generate multiple SBOM formats in a single run by specifying multiple -o flags:
syft <source> \
-o json=sbom.json \
-o spdx-json=sbom.spdx.json
You can both display to terminal and write to file:
syft <source> \
-o table \ # report to stdout
-o json=sbom.json # write to file
Which format should I use?
table (default) for quick package listsjson to access all Syft data including file details, relationships, and metadataspdx-json or cyclonedx-json - both are widely supported industry standardstemplate to create your own output formatCan I convert between formats?
Yes! See the Format Conversion guide to convert existing SBOMs between formats without re-scanning.
Do all formats contain the same information?
No. Syft’s native json format contains the most complete information. Standard formats (SPDX, CycloneDX) contain package data but may not include all file details or Syft-specific metadata. Some data may be omitted or transformed to fit the target schema.
Which version should I use for SPDX or CycloneDX?
Use the latest version (default) unless you need compatibility with specific tools that require older versions. Check your downstream tools’ documentation for version requirements.
Additional resources:
Syft’s native JSON format provides the most comprehensive view of discovered software components, capturing all package metadata, file details, relationships, and source information.
Since Syft can convert from its native JSON format to standard SBOM formats, capturing your SBOM in Syft JSON format lets you generate any SBOM format as needed for compliance requirements.
A Syft JSON output contains these main sections:
{
"artifacts": [], // Package nodes discovered
"artifactRelationships": [], // Edges between packages and files
"files": [], // File nodes discovered
"source": {}, // What was scanned (the image, directory, etc.)
"distro": {}, // Linux distribution discovered
"descriptor": {}, // Syft version and configuration that captured this SBOM
"schema": {} // Schema version
}
A software package discovered by Syft (library, application, OS package, etc.).
{
"id": "74d9294c42941b37", // Unique identifier for this package that is content addressable
"name": "openssl",
"version": "1.1.1k",
"type": "apk", // Package ecosystem (apk, deb, npm, etc.)
"foundBy": "apk-cataloger",
"locations": [
// Paths used to populate information on this package object
{
"path": "/lib/apk/db/installed", // Always the real-path
"layerID": "sha256:...",
"accessPath": "/lib/apk/db/installed", // How Syft accessed the file (may be a symlink)
"annotations": {
"evidence": "primary" // Qualifies the kind of evidence extracted from this location (primary, supporting)
}
}
],
"licenses": [
{
"value": "Apache-2.0", // Raw value discovered
"spdxExpression": "Apache-2.0", // Normalized SPDX expression of the discovered value
"type": "declared", // "declared", "concluded", or "observed"
"urls": ["https://..."],
"locations": [] // Where license was found
}
],
"language": "c",
"cpes": [
{
"cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
"source": "nvd-dictionary" // Where the CPE was derived from (nvd-dictionary or syft-generated)
}
],
"purl": "pkg:apk/alpine/openssl@1.1.1k",
"metadata": {} // Ecosystem-specific fields (varies by type)
}
A file found on disk or referenced in package manager metadata.
{
"id": "def456",
"location": {
"path": "/usr/bin/example",
"layerID": "sha256:..." // For container images
},
"metadata": {
"mode": 493, // File permissions in octal
"type": "RegularFile",
"mimeType": "application/x-executable",
"size": 12345 // Size in bytes
},
"digests": [
{
"algorithm": "sha256",
"value": "abc123..."
}
],
"licenses": [
{
"value": "Apache-2.0", // Raw value discovered
"spdxExpression": "Apache-2.0", // Normalized SPDX expression of the discovered value
"type": "declared", // "declared", "concluded", or "observed"
"evidence": {
"confidence": 100,
"offset": 1234, // Byte offset in file
"extent": 567 // Length of match
}
}
],
"executable": {
"format": "elf", // "elf", "pe", or "macho"
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": [
// Shared library dependencies
"libc.so.6",
"libssl.so.1.1"
],
"elfSecurityFeatures": {
// ELF binaries only
"symbolTableStripped": false,
"stackCanary": true, // Stack protection
"nx": true, // No-Execute bit
"relRO": "full", // Relocation Read-Only
"pie": true // Position Independent Executable
}
}
}
Connects any two nodes (package, file, or source) with a typed relationship.
{
"parent": "package-id", // Package, file, or source ID
"child": "file-id",
"type": "contains" // contains, dependency-of, etc.
}
Information about what was scanned (container image, directory, file, etc.).
{
"id": "sha256:...",
"name": "alpine:3.9.2", // User input
"version": "sha256:...",
"type": "image", // image, directory, file
"metadata": {
"imageID": "sha256:...",
"manifestDigest": "sha256:...",
"mediaType": "application/vnd.docker...",
"tags": ["alpine:3.9.2"],
"repoDigests": []
}
}
Linux distribution details from /etc/os-release or similar sources.
{
"name": "alpine",
"version": "3.9.2",
"idLike": ["alpine"] // Related distributions
}
Describes where a package or file was found.
{
"path": "/lib/apk/db/installed",
"layerID": "sha256:...",
"accessPath": "/var/lib/apk/installed",
"annotations": {
"evidence": "primary"
}
}
The path field always contains the real path after resolving symlinks, while accessPath shows how Syft accessed the file (which may be through a symlink).
The evidence annotation indicates whether this location was used to discover the package (primary) or contains only auxiliary information (supporting).
Syft version and configuration used to generate this SBOM.
{
"name": "syft",
"version": "1.0.0",
"configuration": {} // Syft configuration used
}
The Syft JSON schema is versioned and available in the Syft repository:
jq is a command-line tool for querying and manipulating JSON. The following examples demonstrate practical queries for working with Syft JSON output.
Uses regex pattern matching to find security-critical packages
.artifacts[] |
select(.name | test("^(openssl|ssl|crypto)")) | # Regex pattern match on package name
{
name,
version,
type # Package type (apk, deb, rpm, etc.)
}
syft alpine:3.9.2 -o json | \
jq '.artifacts[] |
select(.name | test("^(openssl|ssl|crypto)")) |
{
name,
version,
type
}'
{
"name": "ssl_client",
"version": "1.29.3-r10",
"type": "apk"
}
Shows Java packages with their primary installation paths
.artifacts[] |
select(.type == "java-archive") | # Filter for JAR packages
{
package: "\(.name)@\(.version)",
path: (.locations[] | select(.annotations.evidence == "primary") | .path) # Primary installation path
}
syft openjdk:11.0.11-jre-slim -o json | \
jq '.artifacts[] |
select(.type == "java-archive") |
{
package: "\(.name)@\(.version)",
path: (.locations[] | select(.annotations.evidence == "primary") | .path)
}'
{
"package": "jrt-fs@11.0.11",
"path": "/usr/local/openjdk-11/lib/jrt-fs.jar"
}
Lists all binary files with their format and entry point status
.files[] |
select(.executable != null) | # Filter for executable files
{
path: .location.path,
format: .executable.format, # ELF, Mach-O, PE, etc.
importedLibraries: .executable.importedLibraries # Shared library dependencies
}
syft alpine:3.9.2 -o json | \
jq '.files[] |
select(.executable != null) |
{
path: .location.path,
format: .executable.format,
importedLibraries: .executable.importedLibraries
}'
{
"path": "/bin/busybox",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/lib/ld-musl-aarch64.so.1",
"format": "elf",
"importedLibraries": []
}
{
"path": "/lib/libcrypto.so.1.1",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/lib/libssl.so.1.1",
"format": "elf",
"importedLibraries": [
"libcrypto.so.1.1",
"libc.musl-aarch64.so.1"
]
}
{
"path": "/lib/libz.so.1.2.11",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/sbin/apk",
"format": "elf",
"importedLibraries": [
"libssl.so.1.1",
"libcrypto.so.1.1",
"libz.so.1",
"libc.musl-aarch64.so.1"
]
}
{
"path": "/sbin/mkmntdirs",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/bin/getconf",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/bin/getent",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/bin/iconv",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/bin/scanelf",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/bin/ssl_client",
"format": "elf",
"importedLibraries": [
"libtls-standalone.so.1",
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/lib/engines-1.1/afalg.so",
"format": "elf",
"importedLibraries": [
"libcrypto.so.1.1",
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/lib/engines-1.1/capi.so",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/lib/engines-1.1/padlock.so",
"format": "elf",
"importedLibraries": [
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/lib/libtls-standalone.so.1.0.0",
"format": "elf",
"importedLibraries": [
"libssl.so.1.1",
"libcrypto.so.1.1",
"libc.musl-aarch64.so.1"
]
}
Uses set operations on relationships to identify untracked binaries that might indicate supply chain issues
. as $root |
[.files[] | select(.executable != null) | .id] as $binaries | # All binary IDs
[.artifactRelationships[] | select(.type == "contains") | .child] as $owned | # Package-owned files
($binaries - $owned) as $unowned | # Set subtraction to find unowned binaries
$root.files[] |
select(.id as $id | $unowned | index($id)) | # Filter to unowned binaries
{
path: .location.path,
sha256: .digests[] | select(.algorithm == "sha256") | .value # For integrity verification
}
syft httpd:2.4.65 -o json | \
jq '. as $root |
[.files[] | select(.executable != null) | .id] as $binaries |
[.artifactRelationships[] | select(.type == "contains") | .child] as $owned |
($binaries - $owned) as $unowned |
$root.files[] |
select(.id as $id | $unowned | index($id)) |
{
path: .location.path,
sha256: .digests[] | select(.algorithm == "sha256") | .value
}'
# .syft.yaml
file:
metadata:
selection: all
{
"path": "/usr/local/apache2/bin/ab",
"sha256": "1aa76de1f9eb534fe22d35a01ccbf7ede03e250f6f5d0a00553e687187565d3a"
}
{
"path": "/usr/local/apache2/bin/checkgid",
"sha256": "af3372d60eee3f8132d2bdd10fb8670db8a9965b2e056c267131586184ba11fb"
}
{
"path": "/usr/local/apache2/bin/fcgistarter",
"sha256": "eea2fa75671e7e647692cd0352405ef8a0b17167a05770b9552602a3c720bfdb"
}
{
"path": "/usr/local/apache2/bin/htcacheclean",
"sha256": "94e0fd5f0f5cf6231080177072846a4e99846f1f534224911e3bed17ce27ec38"
}
{
"path": "/usr/local/apache2/bin/htdbm",
"sha256": "e2a41d96c92cb16c98972a043ac380c06f19b5bddbafe0b2d2082ed174f8cfe3"
}
{
"path": "/usr/local/apache2/bin/htdigest",
"sha256": "0881598a4fd15455297c186fa301fdb1656ff26d0f77626d54a15421095e047f"
}
{
"path": "/usr/local/apache2/bin/htpasswd",
"sha256": "871ef0aa4ae0914747a471bf3917405548abf768dd6c94e3e0177c8e87334d9e"
}
{
"path": "/usr/local/apache2/bin/httpd",
"sha256": "2f3b52523394d1f4d4e2c5e1c5565161dcf8a0fc8e957e8d2d741acd3a111563"
}
{
"path": "/usr/local/apache2/bin/httxt2dbm",
"sha256": "1d5eb8e5d910760aa859c45e79b541362a84499f08fb79b8773bf9b8faf7bbdb"
}
{
"path": "/usr/local/apache2/bin/logresolve",
"sha256": "de8ed1fa5184170fca09980025f40c55d9fbf14b47c73b2575bc90ac1c9bf20e"
}
{
"path": "/usr/local/apache2/bin/rotatelogs",
"sha256": "f5ed895712cddcec7f542dee08a1ff74fd00ae3a9b0d92ede429e04ec2b9b8ae"
}
{
"path": "/usr/local/apache2/bin/suexec",
"sha256": "264efc529c09a60fed57fcde9e7a2c36f8bb414ae0e1afc9bb85595113ab4ec2"
}
{
"path": "/usr/local/apache2/modules/mod_access_compat.so",
"sha256": "0d6322b7d7d3d6c459751f8b271f733fa05a8b56eecd75f608100a5dbf464fc2"
}
{
"path": "/usr/local/apache2/modules/mod_actions.so",
"sha256": "6dc5dea7137ec0ae139c545b26efd860c6de7bcc19d2e31db213399c86bf2ead"
}
{
"path": "/usr/local/apache2/modules/mod_alias.so",
"sha256": "bb422c4486600ec349ac9b89acaa3793265d69498c30370e678a362900daea04"
}
{
"path": "/usr/local/apache2/modules/mod_allowmethods.so",
"sha256": "99a9db80c8f18fe3defb315731af3bceef321a98bd52f518f068ca2632596cee"
}
{
"path": "/usr/local/apache2/modules/mod_asis.so",
"sha256": "039014ad5ad3f357e811b570bd9977a772e74f191856981a503e57263b88cc44"
}
{
"path": "/usr/local/apache2/modules/mod_auth_basic.so",
"sha256": "1f9534187df98194fa60259c3d9feca05f1b2564d49b37b49da040232e7a327b"
}
{
"path": "/usr/local/apache2/modules/mod_auth_digest.so",
"sha256": "ad77d0457b773c9d13097adf47bebcd95297466fc9fb6886b7bff85e2acdd99d"
}
{
"path": "/usr/local/apache2/modules/mod_auth_form.so",
"sha256": "ceb56183d83c22ff08853982b0f35f122185cf69d3bcfd948eeb1df32dd12bbb"
}
{
"path": "/usr/local/apache2/modules/mod_authn_anon.so",
"sha256": "44308e1d5a65ab64232d27f24a827aa1afdb2fef580dd1a8454788431ebd639f"
}
{
"path": "/usr/local/apache2/modules/mod_authn_core.so",
"sha256": "9cbf85b1a20da26483ca4a57186161a2876ca296dd1174ed5a5af9f5301fe5e8"
}
{
"path": "/usr/local/apache2/modules/mod_authn_dbd.so",
"sha256": "08dc7b848a67131a091563046e3fc6914e86f248740bd2f23905f2f6df3ce541"
}
{
"path": "/usr/local/apache2/modules/mod_authn_dbm.so",
"sha256": "1e5900c8b41ca227b59ba54738154e04841cef2045d8040747e4b7887526a763"
}
{
"path": "/usr/local/apache2/modules/mod_authn_file.so",
"sha256": "74f83d5717276ae6a37f4a2d0c54f8d23e57ae1c3f73bb2b332c77860b7421ed"
}
{
"path": "/usr/local/apache2/modules/mod_authn_socache.so",
"sha256": "2f51212b62c5bbda54ddec0c1a07f523e96c2b56d987fefa43e0cc42dbf6f5d0"
}
{
"path": "/usr/local/apache2/modules/mod_authnz_fcgi.so",
"sha256": "4fa0fa7d3d4b742b3f73a781d2e8d4625d477c76aa0698aa0d499f87e6985554"
}
{
"path": "/usr/local/apache2/modules/mod_authnz_ldap.so",
"sha256": "dccffc453f46d201ecb1003b372a6ca417ac40a33036500a2215697b2e5ac0af"
}
{
"path": "/usr/local/apache2/modules/mod_authz_core.so",
"sha256": "e2b825ec9e2992b1cc157aef12c4ecd75960604658c3b7aa4a370088e89455b5"
}
{
"path": "/usr/local/apache2/modules/mod_authz_dbd.so",
"sha256": "61b427078b5d11b3fd8693cbfa22cb5871dc9784b08d3182b73ad3e99b8579d9"
}
{
"path": "/usr/local/apache2/modules/mod_authz_dbm.so",
"sha256": "1d99ed703743d9dd2185a0d7e9e351fa38066b3234ae997e87efa6dc1e4513eb"
}
{
"path": "/usr/local/apache2/modules/mod_authz_groupfile.so",
"sha256": "3e9adb775d41a8b01802ff610dda01f8e62a0d282ea0522d297a252207453c4d"
}
{
"path": "/usr/local/apache2/modules/mod_authz_host.so",
"sha256": "c0fcd53dc9596fd6bc280c55d14b61c72dc12470bf5c1bc86e369217af05cb2c"
}
{
"path": "/usr/local/apache2/modules/mod_authz_owner.so",
"sha256": "e8923ef5f11e03c37b4579e18d396758ee085bae4dadc0519374ca63da86c932"
}
{
"path": "/usr/local/apache2/modules/mod_authz_user.so",
"sha256": "3c5674a1e7af6b7d09e8c66f973a3138fed0dde4dfaee98fc132c89730cd9156"
}
{
"path": "/usr/local/apache2/modules/mod_autoindex.so",
"sha256": "2d992f31f40be2c0ec34a29981191c3bfb9e4448a2099f11a4876ba4d394dc2f"
}
{
"path": "/usr/local/apache2/modules/mod_brotli.so",
"sha256": "73bfe5aeff2040a7b56a0bf822bc4069ce3e9954186f81322060697f5cf0546f"
}
{
"path": "/usr/local/apache2/modules/mod_bucketeer.so",
"sha256": "9f146159e928405d2a007dba3690566a45e5793cde87871a30dbfd1dc9114db1"
}
{
"path": "/usr/local/apache2/modules/mod_buffer.so",
"sha256": "710bd1b238a7814963b2857eb92c891bafeff61d9e40f807d68ded700c8c37f2"
}
{
"path": "/usr/local/apache2/modules/mod_cache.so",
"sha256": "976222e2c7ddb317d8804383801b310be33c6b3542f6972edd12c38ddc527e38"
}
{
"path": "/usr/local/apache2/modules/mod_cache_disk.so",
"sha256": "c5359004a563b9b01bf0416cbe856bb50de642bf06649383ffcae26490dc69c8"
}
{
"path": "/usr/local/apache2/modules/mod_cache_socache.so",
"sha256": "94abdf3779a9f7d258b1720021e1e3f10c630e625f5aa13c683c3c811b8dac10"
}
{
"path": "/usr/local/apache2/modules/mod_case_filter.so",
"sha256": "79a0a336c1bacd06c0fc5ca14cfc97223c92f0f5b0c88ec95f7e163e8cdf917d"
}
{
"path": "/usr/local/apache2/modules/mod_case_filter_in.so",
"sha256": "aa5e1c9452e1be3789a8a867a98dab700e4a579c0ea1ff7180adf4e41b8495e3"
}
{
"path": "/usr/local/apache2/modules/mod_cern_meta.so",
"sha256": "1a6da74d768c01b1a96f5c0f0e74686d5b0f51c3d7f1149fa1124cdf10ba842a"
}
{
"path": "/usr/local/apache2/modules/mod_cgi.so",
"sha256": "f2716c663f4f7db8cd78f456e5bd098a62c1b8fde86253ed4617edfe9cdb93b2"
}
{
"path": "/usr/local/apache2/modules/mod_cgid.so",
"sha256": "d5a19aeeb7b9063bac25e4a172ea7578e83bb32da4fe21ecd858409115de166c"
}
{
"path": "/usr/local/apache2/modules/mod_charset_lite.so",
"sha256": "9c4a1b27532c5f47eea7cfc61f65a7cf2f132286e556175ec28e313024641c9d"
}
{
"path": "/usr/local/apache2/modules/mod_data.so",
"sha256": "4dcae9a704c7d9861497e57b15423b9ce3fc7dda6544096ecfff64e4223f3684"
}
{
"path": "/usr/local/apache2/modules/mod_dav.so",
"sha256": "1a33728b16ad05b12fbecf637168608cb10f258ef7a355bd37cef8ce2ed86fd7"
}
...
Useful for verifying binary integrity and detecting tampering
.files[] |
select(.executable != null) | # Filter for executable files
{
path: .location.path,
digests: [.digests[] | {algorithm, value}] # All available hash algorithms
}
syft alpine:3.9.2 -o json | \
jq '.files[] |
select(.executable != null) |
{
path: .location.path,
digests: [.digests[] | {algorithm, value}]
}'
{
"path": "/bin/busybox",
"digests": [
{
"algorithm": "sha1",
"value": "7423801dfb28659fcaaaa5e8d41051d470b19008"
},
{
"algorithm": "sha256",
"value": "2c1276c3c02ccec8a0e1737d3144cdf03db883f479c86fbd9c7ea4fd9b35eac5"
}
]
}
{
"path": "/lib/ld-musl-aarch64.so.1",
"digests": [
{
"algorithm": "sha1",
"value": "0b83c1eb91d633379e0c17349e7dae821fa36dbb"
},
{
"algorithm": "sha256",
"value": "0132814479f1acc1e264ef59f73fd91563235897e8dc1bd52765f974cde382ca"
}
]
}
{
"path": "/lib/libcrypto.so.1.1",
"digests": [
{
"algorithm": "sha1",
"value": "e9d1540e5bbd9e77b388ab0e6e2f52603eb032a4"
},
{
"algorithm": "sha256",
"value": "6c597c8ad195eeb7a9130ad832dfa4cbf140f42baf96304711b2dbd43ba8e617"
}
]
}
{
"path": "/lib/libssl.so.1.1",
"digests": [
{
"algorithm": "sha1",
"value": "a8d5036010b52a80402b900c626fe862ab06bd8b"
},
{
"algorithm": "sha256",
"value": "fb72f4615fb4574bd6eeabfdb86be47012618b9076d75aeb1510941c585cae64"
}
]
}
{
"path": "/lib/libz.so.1.2.11",
"digests": [
{
"algorithm": "sha1",
"value": "83378fc7a19ff908a7e92a9fd0ca39eee90d0a3c"
},
{
"algorithm": "sha256",
"value": "19e790eb36a09eba397b5af16852f3bea21a242026bbba3da7b16442b8ba305b"
}
]
}
{
"path": "/sbin/apk",
"digests": [
{
"algorithm": "sha1",
"value": "adac7738917adecff81d4a6f9f0c7971b173859a"
},
{
"algorithm": "sha256",
"value": "22d7d85bd24923f1f274ce765d16602191097829e22ac632748302817ce515d8"
}
]
}
{
"path": "/sbin/mkmntdirs",
"digests": [
{
"algorithm": "sha1",
"value": "fff9b110ad6c659a39681e7be3b2a036fbbcca7b"
},
{
"algorithm": "sha256",
"value": "a14a5a28525220224367616ef46d4713ef7bd00d22baa761e058e8bdd4c0af1b"
}
]
}
{
"path": "/usr/bin/getconf",
"digests": [
{
"algorithm": "sha1",
"value": "06ed40070e1c2ad6d4171095eff4a6bdf9c8489b"
},
{
"algorithm": "sha256",
"value": "82bcde66ead19bc3b9ff850f66c2dbf5eaff36d481f1ec154100f73f6265d2ef"
}
]
}
{
"path": "/usr/bin/getent",
"digests": [
{
"algorithm": "sha1",
"value": "c318a3a780fc27ed7dba57827a825191fa7ee8bd"
},
{
"algorithm": "sha256",
"value": "53ffb508150e91838d795831e8ecc71f2bc3a7db036c6d7f9512c3973418bb5e"
}
]
}
{
"path": "/usr/bin/iconv",
"digests": [
{
"algorithm": "sha1",
"value": "eb98f04742e41cfc3ed44109b0e059d13e5523ea"
},
{
"algorithm": "sha256",
"value": "1c99d1f4edcb8da6db1da60958051c413de45a4c15cd3b7f7285ed87f9a250ff"
}
]
}
{
"path": "/usr/bin/scanelf",
"digests": [
{
"algorithm": "sha1",
"value": "cb085d106f35862e44e17849026927bd05845bff"
},
{
"algorithm": "sha256",
"value": "908da485ad2edea35242f8989c7beb9536414782abc94357c72b7d840bb1fda2"
}
]
}
{
"path": "/usr/bin/ssl_client",
"digests": [
{
"algorithm": "sha1",
"value": "7e17cb64c3fce832e5fa52a3b2ed1e1ccd26acd0"
},
{
"algorithm": "sha256",
"value": "67ab7f3a1ba35630f439d1ca4f73c7d95f8b7aa0e6f6db6ea1743f136f074ab4"
}
]
}
{
"path": "/usr/lib/engines-1.1/afalg.so",
"digests": [
{
"algorithm": "sha1",
"value": "6bd2c385e3884109c581659a8b184592c86e7cee"
},
{
"algorithm": "sha256",
"value": "ea7c2f48bc741fd828d79a304dbf713e20e001c0187f3f534d959886af87f4af"
}
]
}
{
"path": "/usr/lib/engines-1.1/capi.so",
"digests": [
{
"algorithm": "sha1",
"value": "41bb990b6f8e2013487980fd430455cc3b59905f"
},
{
"algorithm": "sha256",
"value": "b461ed43f0f244007d872e84760a446023b69b178c970acf10ed2666198942c6"
}
]
}
{
"path": "/usr/lib/engines-1.1/padlock.so",
"digests": [
{
"algorithm": "sha1",
"value": "82d8308700f481884fd77c882e0e9406fb17b317"
},
{
"algorithm": "sha256",
"value": "0ccb04f040afb0216da1cea2c1db7a0b91d990ce061e232782aedbd498483649"
}
]
}
{
"path": "/usr/lib/libtls-standalone.so.1.0.0",
"digests": [
{
"algorithm": "sha1",
...
Analyzes ELF security hardening features extracted during SBOM generation
.files[] |
select(.executable != null and .executable.format == "elf") | # ELF binaries only
{
path: .location.path,
pie: .executable.elfSecurityFeatures.pie, # Position Independent Executable
stackCanary: .executable.elfSecurityFeatures.stackCanary, # Stack protection
nx: .executable.elfSecurityFeatures.nx # No-Execute bit
}
syft alpine:3.9.2 -o json | \
jq '.files[] |
select(.executable != null and .executable.format == "elf") |
{
path: .location.path,
pie: .executable.elfSecurityFeatures.pie,
stackCanary: .executable.elfSecurityFeatures.stackCanary,
nx: .executable.elfSecurityFeatures.nx
}'
{
"path": "/bin/busybox",
"pie": true,
"stackCanary": true,
"nx": true
}
{
"path": "/lib/ld-musl-aarch64.so.1",
"pie": false,
"stackCanary": true,
"nx": true
}
{
"path": "/lib/libcrypto.so.1.1",
"pie": false,
"stackCanary": true,
"nx": true
}
{
"path": "/lib/libssl.so.1.1",
"pie": false,
"stackCanary": true,
"nx": true
}
{
"path": "/lib/libz.so.1.2.11",
"pie": false,
"stackCanary": true,
"nx": true
}
{
"path": "/sbin/apk",
"pie": true,
"stackCanary": true,
"nx": true
}
{
"path": "/sbin/mkmntdirs",
"pie": true,
"stackCanary": false,
"nx": true
}
{
"path": "/usr/bin/getconf",
"pie": true,
"stackCanary": false,
"nx": true
}
{
"path": "/usr/bin/getent",
"pie": true,
"stackCanary": true,
"nx": true
}
{
"path": "/usr/bin/iconv",
"pie": true,
"stackCanary": true,
"nx": true
}
{
"path": "/usr/bin/scanelf",
"pie": true,
"stackCanary": true,
"nx": true
}
{
"path": "/usr/bin/ssl_client",
"pie": true,
"stackCanary": true,
"nx": true
}
{
"path": "/usr/lib/engines-1.1/afalg.so",
"pie": false,
"stackCanary": true,
"nx": true
}
{
"path": "/usr/lib/engines-1.1/capi.so",
"pie": false,
"stackCanary": false,
"nx": true
}
{
"path": "/usr/lib/engines-1.1/padlock.so",
"pie": false,
"stackCanary": false,
"nx": true
}
{
"path": "/usr/lib/libtls-standalone.so.1.0.0",
"pie": false,
"stackCanary": true,
"nx": true
}
Identifies which binaries depend on specific shared libraries for security audits
.files[] |
select(.executable != null and .executable.importedLibraries != null) |
select(.executable.importedLibraries[] | contains("libcrypto")) | # Find binaries using libcrypto
{
path: .location.path,
imports: .executable.importedLibraries # Shared library dependencies
}
syft alpine:3.9.2 -o json | \
jq '.files[] |
select(.executable != null and .executable.importedLibraries != null) |
select(.executable.importedLibraries[] | contains("libcrypto")) |
{
path: .location.path,
imports: .executable.importedLibraries
}'
{
"path": "/lib/libssl.so.1.1",
"imports": [
"libcrypto.so.1.1",
"libc.musl-aarch64.so.1"
]
}
{
"path": "/sbin/apk",
"imports": [
"libssl.so.1.1",
"libcrypto.so.1.1",
"libz.so.1",
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/lib/engines-1.1/afalg.so",
"imports": [
"libcrypto.so.1.1",
"libc.musl-aarch64.so.1"
]
}
{
"path": "/usr/lib/libtls-standalone.so.1.0.0",
"imports": [
"libssl.so.1.1",
"libcrypto.so.1.1",
"libc.musl-aarch64.so.1"
]
}
Extracts Package URLs for cross-tool SBOM correlation and vulnerability matching
.artifacts[] |
select(.purl != null and .purl != "") | # Filter packages with PURLs
{
name,
version,
purl # Package URL for cross-tool compatibility
}
syft alpine:3.9.2 -o json | \
jq '.artifacts[] |
select(.purl != null and .purl != "") |
{
name,
version,
purl
}'
{
"name": "alpine-baselayout",
"version": "3.1.0-r3",
"purl": "pkg:apk/alpine/alpine-baselayout@3.1.0-r3?arch=aarch64&distro=alpine-3.9.2"
}
{
"name": "alpine-keys",
"version": "2.1-r1",
"purl": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=aarch64&distro=alpine-3.9.2"
}
{
"name": "apk-tools",
"version": "2.10.3-r1",
"purl": "pkg:apk/alpine/apk-tools@2.10.3-r1?arch=aarch64&distro=alpine-3.9.2"
}
{
"name": "busybox",
"version": "1.29.3-r10",
"purl": "pkg:apk/alpine/busybox@1.29.3-r10?arch=aarch64&distro=alpine-3.9.2"
}
{
"name": "ca-certificates-cacert",
"version": "20190108-r0",
"purl": "pkg:apk/alpine/ca-certificates-cacert@20190108-r0?arch=aarch64&distro=alpine-3.9.2&upstream=ca-certificates"
}
{
"name": "libc-utils",
"version": "0.7.1-r0",
"purl": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=aarch64&distro=alpine-3.9.2&upstream=libc-dev"
}
{
"name": "libcrypto1.1",
"version": "1.1.1a-r1",
"purl": "pkg:apk/alpine/libcrypto1.1@1.1.1a-r1?arch=aarch64&distro=alpine-3.9.2&upstream=openssl"
}
{
"name": "libssl1.1",
"version": "1.1.1a-r1",
"purl": "pkg:apk/alpine/libssl1.1@1.1.1a-r1?arch=aarch64&distro=alpine-3.9.2&upstream=openssl"
}
{
"name": "libtls-standalone",
"version": "2.7.4-r6",
"purl": "pkg:apk/alpine/libtls-standalone@2.7.4-r6?arch=aarch64&distro=alpine-3.9.2"
}
{
"name": "musl",
"version": "1.1.20-r3",
"purl": "pkg:apk/alpine/musl@1.1.20-r3?arch=aarch64&distro=alpine-3.9.2"
}
{
"name": "musl-utils",
"version": "1.1.20-r3",
"purl": "pkg:apk/alpine/musl-utils@1.1.20-r3?arch=aarch64&distro=alpine-3.9.2&upstream=musl"
}
{
"name": "scanelf",
"version": "1.2.3-r0",
"purl": "pkg:apk/alpine/scanelf@1.2.3-r0?arch=aarch64&distro=alpine-3.9.2&upstream=pax-utils"
}
{
"name": "ssl_client",
"version": "1.29.3-r10",
"purl": "pkg:apk/alpine/ssl_client@1.29.3-r10?arch=aarch64&distro=alpine-3.9.2&upstream=busybox"
}
{
"name": "zlib",
"version": "1.2.11-r1",
"purl": "pkg:apk/alpine/zlib@1.2.11-r1?arch=aarch64&distro=alpine-3.9.2"
}
Groups and counts packages by programming language
[.artifacts[] | select(.language != null and .language != "")] |
group_by(.language) | # Group by programming language
map({
language: .[0].language,
count: length # Count packages per language
}) |
sort_by(.count) |
reverse # Highest count first
syft node:18-alpine -o json | \
jq '[.artifacts[] | select(.language != null and .language != "")] |
group_by(.language) |
map({
language: .[0].language,
count: length
}) |
sort_by(.count) |
reverse'
[
{
"language": "javascript",
"count": 204
}
]
Provides a summary count of packages per ecosystem
[.artifacts[]] |
group_by(.type) | # Group packages by ecosystem type
map({
type: .[0].type,
count: length # Count packages in each group
}) |
sort_by(.count) |
reverse # Highest count first
syft node:18-alpine -o json | \
jq '[.artifacts[]] |
group_by(.type) |
map({
type: .[0].type,
count: length
}) |
sort_by(.count) |
reverse'
[
{
"type": "npm",
"count": 204
},
{
"type": "apk",
"count": 17
},
{
"type": "binary",
"count": 1
}
]
Maps packages to their filesystem locations
.artifacts[] |
{
name,
version,
type,
locations: [.locations[] | .path] # All filesystem locations
}
syft alpine:3.9.2 -o json | \
jq '.artifacts[] |
{
name,
version,
type,
locations: [.locations[] | .path]
}'
{
"name": "alpine-baselayout",
"version": "3.1.0-r3",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "alpine-keys",
"version": "2.1-r1",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "apk-tools",
"version": "2.10.3-r1",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "busybox",
"version": "1.29.3-r10",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "ca-certificates-cacert",
"version": "20190108-r0",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "libc-utils",
"version": "0.7.1-r0",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "libcrypto1.1",
"version": "1.1.1a-r1",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "libssl1.1",
"version": "1.1.1a-r1",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "libtls-standalone",
"version": "2.7.4-r6",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "musl",
"version": "1.1.20-r3",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "musl-utils",
"version": "1.1.20-r3",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "scanelf",
"version": "1.2.3-r0",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "ssl_client",
"version": "1.29.3-r10",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
{
"name": "zlib",
"version": "1.2.11-r1",
"type": "apk",
"locations": [
"/lib/apk/db/installed"
]
}
Filters files by MIME type, useful for finding specific file types
.files[] |
select(.metadata.mimeType == "application/x-sharedlib") | # Filter by MIME type
{
path: .location.path,
mimeType: .metadata.mimeType,
size: .metadata.size # File size in bytes
}
syft alpine:3.9.2 -o json | \
jq '.files[] |
select(.metadata.mimeType == "application/x-sharedlib") |
{
path: .location.path,
mimeType: .metadata.mimeType,
size: .metadata.size
}'
{
"path": "/bin/busybox",
"mimeType": "application/x-sharedlib",
"size": 841320
}
{
"path": "/lib/ld-musl-aarch64.so.1",
"mimeType": "application/x-sharedlib",
"size": 616960
}
{
"path": "/lib/libcrypto.so.1.1",
"mimeType": "application/x-sharedlib",
"size": 2321984
}
{
"path": "/lib/libssl.so.1.1",
"mimeType": "application/x-sharedlib",
"size": 515376
}
{
"path": "/lib/libz.so.1.2.11",
"mimeType": "application/x-sharedlib",
"size": 91888
}
{
"path": "/sbin/apk",
"mimeType": "application/x-sharedlib",
"size": 218928
}
{
"path": "/sbin/mkmntdirs",
"mimeType": "application/x-sharedlib",
"size": 5712
}
{
"path": "/usr/bin/getconf",
"mimeType": "application/x-sharedlib",
"size": 33544
}
{
"path": "/usr/bin/getent",
"mimeType": "application/x-sharedlib",
"size": 48704
}
{
"path": "/usr/bin/iconv",
"mimeType": "application/x-sharedlib",
"size": 21968
}
{
"path": "/usr/bin/scanelf",
"mimeType": "application/x-sharedlib",
"size": 79592
}
{
"path": "/usr/bin/ssl_client",
"mimeType": "application/x-sharedlib",
"size": 9808
}
{
"path": "/usr/lib/engines-1.1/afalg.so",
"mimeType": "application/x-sharedlib",
"size": 18568
}
{
"path": "/usr/lib/engines-1.1/capi.so",
"mimeType": "application/x-sharedlib",
"size": 5672
}
{
"path": "/usr/lib/engines-1.1/padlock.so",
"mimeType": "application/x-sharedlib",
"size": 5672
}
{
"path": "/usr/lib/libtls-standalone.so.1.0.0",
"mimeType": "application/x-sharedlib",
"size": 96032
}
Traverses package dependency graph using relationships
. as $root |
.artifactRelationships[] |
select(.type == "dependency-of") | # Filter for dependency relationships
.parent as $parent |
.child as $child |
{
parent: ($root.artifacts[] | select(.id == $parent).name), # Parent package name
child: ($root.artifacts[] | select(.id == $child).name) # Dependency name
}
syft node:18-alpine -o json | \
jq '. as $root |
.artifactRelationships[] |
select(.type == "dependency-of") |
.parent as $parent |
.child as $child |
{
parent: ($root.artifacts[] | select(.id == $parent).name),
child: ($root.artifacts[] | select(.id == $child).name)
}'
{
"parent": "ca-certificates-bundle",
"child": "apk-tools"
}
{
"parent": "alpine-keys",
"child": "alpine-release"
}
{
"parent": "alpine-baselayout-data",
"child": "alpine-baselayout"
}
{
"parent": "musl",
"child": "ssl_client"
}
{
"parent": "musl",
"child": "libgcc"
}
{
"parent": "musl",
"child": "libstdc++"
}
{
"parent": "musl",
"child": "musl-utils"
}
{
"parent": "musl",
"child": "libssl3"
}
{
"parent": "musl",
"child": "busybox"
}
{
"parent": "musl",
"child": "apk-tools"
}
{
"parent": "musl",
"child": "scanelf"
}
{
"parent": "musl",
"child": "libcrypto3"
}
{
"parent": "musl",
"child": "zlib"
}
{
"parent": "libgcc",
"child": "libstdc++"
}
{
"parent": "libssl3",
"child": "ssl_client"
}
{
"parent": "libssl3",
"child": "apk-tools"
}
{
"parent": "busybox",
"child": "busybox-binsh"
}
{
"parent": "scanelf",
"child": "musl-utils"
}
{
"parent": "busybox-binsh",
"child": "alpine-baselayout"
}
{
"parent": "libcrypto3",
"child": "ssl_client"
}
{
"parent": "libcrypto3",
"child": "libssl3"
}
{
"parent": "libcrypto3",
"child": "apk-tools"
}
{
"parent": "zlib",
"child": "apk-tools"
}
Finds orphaned files not associated with any package
. as $root |
[.files[].id] as $allFiles | # All file IDs
[.artifactRelationships[] | select(.type == "contains") | .child] as $ownedFiles | # Package-owned files
($allFiles - $ownedFiles) as $orphans | # Set subtraction for unowned files
$root.files[] |
select(.id as $id | $orphans | index($id)) | # Filter to orphaned files
.location.path
syft alpine:3.9.2 -o json | \
jq '. as $root |
[.files[].id] as $allFiles |
[.artifactRelationships[] | select(.type == "contains") | .child] as $ownedFiles |
($allFiles - $ownedFiles) as $orphans |
$root.files[] |
select(.id as $id | $orphans | index($id)) |
.location.path'
"/lib/apk/db/installed"
Identifies the top 10 largest files by size
[.files[] |
{
path: .location.path,
size: .metadata.size,
mimeType: .metadata.mimeType
}] |
sort_by(.size) |
reverse | # Largest first
.[0:10] # Top 10 files
syft alpine:3.9.2 -o json | \
jq '[.files[] |
{
path: .location.path,
size: .metadata.size,
mimeType: .metadata.mimeType
}] |
sort_by(.size) |
reverse |
.[0:10]'
[
{
"path": "/lib/libcrypto.so.1.1",
"size": 2321984,
"mimeType": "application/x-sharedlib"
},
{
"path": "/bin/busybox",
"size": 841320,
"mimeType": "application/x-sharedlib"
},
{
"path": "/lib/ld-musl-aarch64.so.1",
"size": 616960,
"mimeType": "application/x-sharedlib"
},
{
"path": "/lib/libssl.so.1.1",
"size": 515376,
"mimeType": "application/x-sharedlib"
},
{
"path": "/etc/ssl/cert.pem",
"size": 232598,
"mimeType": "text/plain"
},
{
"path": "/sbin/apk",
"size": 218928,
"mimeType": "application/x-sharedlib"
},
{
"path": "/usr/lib/libtls-standalone.so.1.0.0",
"size": 96032,
"mimeType": "application/x-sharedlib"
},
{
"path": "/lib/libz.so.1.2.11",
"size": 91888,
"mimeType": "application/x-sharedlib"
},
{
"path": "/usr/bin/scanelf",
"size": 79592,
"mimeType": "application/x-sharedlib"
},
{
"path": "/usr/bin/getent",
"size": 48704,
"mimeType": "application/x-sharedlib"
}
]
Lists Common Platform Enumeration identifiers for vulnerability scanning
.artifacts[] |
select(.cpes != null and (.cpes | length) > 0) | # Filter packages with CPEs
{
name,
version,
cpes: [.cpes[].cpe] # Extract CPE strings
}
syft alpine:3.9.2 -o json | \
jq '.artifacts[] |
select(.cpes != null and (.cpes | length) > 0) |
{
name,
version,
cpes: [.cpes[].cpe]
}'
{
"name": "alpine-baselayout",
"version": "3.1.0-r3",
"cpes": [
"cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.1.0-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.1.0-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.1.0-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.1.0-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine:alpine-baselayout:3.1.0-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine:alpine_baselayout:3.1.0-r3:*:*:*:*:*:*:*"
]
}
{
"name": "alpine-keys",
"version": "2.1-r1",
"cpes": [
"cpe:2.3:a:alpine-keys:alpine-keys:2.1-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine-keys:alpine_keys:2.1-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine_keys:alpine-keys:2.1-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine_keys:alpine_keys:2.1-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine:alpine-keys:2.1-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:alpine:alpine_keys:2.1-r1:*:*:*:*:*:*:*"
]
}
{
"name": "apk-tools",
"version": "2.10.3-r1",
"cpes": [
"cpe:2.3:a:apk-tools:apk-tools:2.10.3-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:apk-tools:apk_tools:2.10.3-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:apk_tools:apk-tools:2.10.3-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:apk_tools:apk_tools:2.10.3-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:apk:apk-tools:2.10.3-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:apk:apk_tools:2.10.3-r1:*:*:*:*:*:*:*"
]
}
{
"name": "busybox",
"version": "1.29.3-r10",
"cpes": [
"cpe:2.3:a:busybox:busybox:1.29.3-r10:*:*:*:*:*:*:*"
]
}
{
"name": "ca-certificates-cacert",
"version": "20190108-r0",
"cpes": [
"cpe:2.3:a:ca-certificates-cacert:ca-certificates-cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca-certificates-cacert:ca_certificates_cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca_certificates_cacert:ca-certificates-cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca_certificates_cacert:ca_certificates_cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca-certificates:ca-certificates-cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca-certificates:ca_certificates_cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca_certificates:ca-certificates-cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca_certificates:ca_certificates_cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:mozilla:ca-certificates-cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:mozilla:ca_certificates_cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca:ca-certificates-cacert:20190108-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:ca:ca_certificates_cacert:20190108-r0:*:*:*:*:*:*:*"
]
}
{
"name": "libc-utils",
"version": "0.7.1-r0",
"cpes": [
"cpe:2.3:a:libc-utils:libc-utils:0.7.1-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:libc-utils:libc_utils:0.7.1-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:libc_utils:libc-utils:0.7.1-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:libc_utils:libc_utils:0.7.1-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:libc:libc-utils:0.7.1-r0:*:*:*:*:*:*:*",
"cpe:2.3:a:libc:libc_utils:0.7.1-r0:*:*:*:*:*:*:*"
]
}
{
"name": "libcrypto1.1",
"version": "1.1.1a-r1",
"cpes": [
"cpe:2.3:a:libcrypto1.1:libcrypto1.1:1.1.1a-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:libcrypto1.1:libcrypto:1.1.1a-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:libcrypto:libcrypto1.1:1.1.1a-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:libcrypto:libcrypto:1.1.1a-r1:*:*:*:*:*:*:*"
]
}
{
"name": "libssl1.1",
"version": "1.1.1a-r1",
"cpes": [
"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1a-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:libssl1.1:libssl:1.1.1a-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:libssl:libssl1.1:1.1.1a-r1:*:*:*:*:*:*:*",
"cpe:2.3:a:libssl:libssl:1.1.1a-r1:*:*:*:*:*:*:*"
]
}
{
"name": "libtls-standalone",
"version": "2.7.4-r6",
"cpes": [
"cpe:2.3:a:libtls-standalone:libtls-standalone:2.7.4-r6:*:*:*:*:*:*:*",
"cpe:2.3:a:libtls-standalone:libtls_standalone:2.7.4-r6:*:*:*:*:*:*:*",
"cpe:2.3:a:libtls_standalone:libtls-standalone:2.7.4-r6:*:*:*:*:*:*:*",
"cpe:2.3:a:libtls_standalone:libtls_standalone:2.7.4-r6:*:*:*:*:*:*:*",
"cpe:2.3:a:libtls:libtls-standalone:2.7.4-r6:*:*:*:*:*:*:*",
"cpe:2.3:a:libtls:libtls_standalone:2.7.4-r6:*:*:*:*:*:*:*"
]
}
{
"name": "musl",
"version": "1.1.20-r3",
"cpes": [
"cpe:2.3:a:musl-libc:musl:1.1.20-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:musl_libc:musl:1.1.20-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:musl:musl:1.1.20-r3:*:*:*:*:*:*:*"
]
}
{
"name": "musl-utils",
"version": "1.1.20-r3",
"cpes": [
"cpe:2.3:a:musl-utils:musl-utils:1.1.20-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:musl-utils:musl_utils:1.1.20-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:musl_utils:musl-utils:1.1.20-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:musl_utils:musl_utils:1.1.20-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:musl:musl-utils:1.1.20-r3:*:*:*:*:*:*:*",
"cpe:2.3:a:musl:musl_utils:1.1.20-r3:*:*:*:*:*:*:*"
]
}
{
"name": "scanelf",
"version": "1.2.3-r0",
"cpes": [
"cpe:2.3:a:scanelf:scanelf:1.2.3-r0:*:*:*:*:*:*:*"
]
}
{
"name": "ssl_client",
"version": "1.29.3-r10",
"cpes": [
"cpe:2.3:a:ssl-client:ssl-client:1.29.3-r10:*:*:*:*:*:*:*",
"cpe:2.3:a:ssl-client:ssl_client:1.29.3-r10:*:*:*:*:*:*:*",
"cpe:2.3:a:ssl_client:ssl-client:1.29.3-r10:*:*:*:*:*:*:*",
"cpe:2.3:a:ssl_client:ssl_client:1.29.3-r10:*:*:*:*:*:*:*",
"cpe:2.3:a:ssl:ssl-client:1.29.3-r10:*:*:*:*:*:*:*",
"cpe:2.3:a:ssl:ssl_client:1.29.3-r10:*:*:*:*:*:*:*"
]
}
{
"name": "zlib",
"version": "1.2.11-r1",
"cpes": [
"cpe:2.3:a:zlib:zlib:1.2.11-r1:*:*:*:*:*:*:*"
]
}
Identifies packages missing license information for compliance audits
.artifacts[] |
select(.licenses == null or (.licenses | length) == 0) | # Packages without license info
{
name,
version,
type,
locations: [.locations[].path] # Where package is installed
}
syft httpd:2.4.65 -o json | \
jq '.artifacts[] |
select(.licenses == null or (.licenses | length) == 0) |
{
name,
version,
type,
locations: [.locations[].path]
}'
{
"name": "httpd",
"version": "2.4.65",
"type": "binary",
"locations": ["/usr/local/apache2/bin/httpd"]
}
Lists packages with CPE identifiers indicating potential CVE matches
.artifacts[] |
select(.cpes != null and (.cpes | length) > 0) | # Packages with CPE identifiers
{
name,
version,
type,
cpeCount: (.cpes | length) # Number of CPE matches
}
syft alpine:3.9.2 -o json | \
jq '.artifacts[] |
select(.cpes != null and (.cpes | length) > 0) |
{
name,
version,
type,
cpeCount: (.cpes | length)
}'
{
"name": "alpine-baselayout",
"version": "3.1.0-r3",
"type": "apk",
"cpeCount": 6
}
{
"name": "alpine-keys",
"version": "2.1-r1",
"type": "apk",
"cpeCount": 6
}
{
"name": "apk-tools",
"version": "2.10.3-r1",
"type": "apk",
"cpeCount": 6
}
{
"name": "busybox",
"version": "1.29.3-r10",
"type": "apk",
"cpeCount": 1
}
{
"name": "ca-certificates-cacert",
"version": "20190108-r0",
"type": "apk",
"cpeCount": 12
}
{
"name": "libc-utils",
"version": "0.7.1-r0",
"type": "apk",
"cpeCount": 6
}
{
"name": "libcrypto1.1",
"version": "1.1.1a-r1",
"type": "apk",
"cpeCount": 4
}
{
"name": "libssl1.1",
"version": "1.1.1a-r1",
"type": "apk",
"cpeCount": 4
}
{
"name": "libtls-standalone",
"version": "2.7.4-r6",
"type": "apk",
"cpeCount": 6
}
{
"name": "musl",
"version": "1.1.20-r3",
"type": "apk",
"cpeCount": 3
}
{
"name": "musl-utils",
"version": "1.1.20-r3",
"type": "apk",
"cpeCount": 6
}
{
"name": "scanelf",
"version": "1.2.3-r0",
"type": "apk",
"cpeCount": 1
}
{
"name": "ssl_client",
"version": "1.29.3-r10",
"type": "apk",
"cpeCount": 6
}
{
"name": "zlib",
"version": "1.2.11-r1",
"type": "apk",
"cpeCount": 1
}
Install jq to query JSON output:
brew install jqapt-get install jqdnf install jqCommon jq query issues:
jq 'keys' to list available top-level keys, then explore nested structuresselect() when filtering (e.g., .artifacts[] | select(.type=="apk")).[0] or iterate with .[]When using jq in shell scripts:
jq '.artifacts' not jq ".artifacts")set -o pipefail to catch jq errors in pipelinesFor very large JSON files:
--stream flag for memory-efficient processing.[] on large arrays; be specific about what you needAdditional resources:
site-packages)requirements.txt)--select-catalogers to filter, add, or remove catalogers--override-default-catalogers to replace all defaultsCatalogers are Syft’s detection modules that identify software packages in your projects.
Each cataloger specializes in finding specific types of packages—for example, python-package-cataloger finds Python dependencies declared in requirements.txt,
while python-installed-package-cataloger finds Python packages that have already been installed.
Syft includes dozens of catalogers covering languages like Python, Java, Go, JavaScript, Ruby, Rust, and more, as well as OS packages (APK, RPM, DEB) and binary formats.
Syft uses different cataloger sets depending on what you’re scanning:
| Scan Type | Default Catalogers | What They Find | Example |
|---|---|---|---|
| Container Image | Image-specific catalogers | Installed packages only | Python packages in site-packages |
| Directory | Directory-specific catalogers | Installed packages + declared dependencies | Python packages in site-packages AND requirements.txt |
This behavior ensures accurate results across different contexts. When you scan an image, Syft assumes installation steps have completed –this way you are getting results for software that is positively present. When you scan a directory (like a source code repository), Syft looks for both what’s installed and what’s declared as a dependency –this way you are getting results for not only what’s installed but also what you intend to install.
Most of the time, files that hint at the intent to install software do not have enough information in them to determine the exact version of the package that would be installed.
For example, a requirements.txt file might specify a package without a version, or with a version range.
By looking at installed packages in an image, after any build tooling has been invoked, Syft can provide more accurate version information.
Scanning an image:
syft <container-image> --select-catalogers python
# Uses: python-installed-package-cataloger
# Finds: Packages in site-packages directories
Scanning a directory:
syft <source-directory> --select-catalogers python
# Uses: python-installed-package-cataloger, python-package-cataloger
# Finds: Packages in site-packages + requirements.txt, setup.py, Pipfile, etc.
The most reliable way to see which catalogers Syft used is to check the SBOM itself. Every SBOM captures both the catalogers that were requested and those that actually ran:
syft busybox:latest -o json | jq '.descriptor.configuration.catalogers'
Output:
{
"requested": {
"default": [
"image",
"file"
]
},
"used": [
"alpm-db-cataloger",
"apk-db-cataloger",
"binary-classifier-cataloger",
"bitnami-cataloger",
"cargo-auditable-binary-cataloger",
"conan-info-cataloger",
"dotnet-deps-binary-cataloger",
"dotnet-packages-lock-cataloger",
"dpkg-db-cataloger",
"elf-binary-package-cataloger",
...
]
}
This shows what catalogers were attempted, not just what found packages. The requested field shows your cataloger selection strategy, while used lists every cataloger that ran.
You can also see cataloger activity in real-time using verbose logging, though this is less comprehensive and not as direct.
Use the syft cataloger list command to see all available catalogers, their tags, and test selection expressions.
syft cataloger list
Output shows file and package catalogers with their tags:
┌───────────────────────────┬───────────────────────┐
│ FILE CATALOGER │ TAGS │
├───────────────────────────┼───────────────────────┤
│ file-content-cataloger │ content, file │
│ file-digest-cataloger │ digest, file │
│ file-executable-cataloger │ binary-metadata, file │
│ file-metadata-cataloger │ file, file-metadata │
└───────────────────────────┴───────────────────────┘
┌────────────────────────────────────┬────────────────────────────────────────────────────────┐
│ PACKAGE CATALOGER │ TAGS │
├────────────────────────────────────┼────────────────────────────────────────────────────────┤
│ python-installed-package-cataloger │ directory, image, installed, language, package, python │
│ python-package-cataloger │ declared, directory, language, package, python │
│ java-archive-cataloger │ directory, image, installed, java, language, maven │
│ go-module-binary-cataloger │ binary, directory, go, golang, image, installed │
│ ... │ │
└────────────────────────────────────┴────────────────────────────────────────────────────────┘
Preview which catalogers a selection expression would use:
syft cataloger list --select-catalogers python
Default selections: 1
• 'all'
Selection expressions: 1
• 'python' (intersect)
┌────────────────────────────────────┬────────────────────────────────────────────────────────┐
│ PACKAGE CATALOGER │ TAGS │
├────────────────────────────────────┼────────────────────────────────────────────────────────┤
│ python-installed-package-cataloger │ directory, image, installed, language, package, python │
│ python-package-cataloger │ declared, directory, language, package, python │
└────────────────────────────────────┴────────────────────────────────────────────────────────┘
This shows exactly which catalogers your selection expression will use, helping you verify your configuration before running a scan.
Get cataloger information in different formats:
# Table format (default)
syft cataloger list
# JSON format (useful for automation)
syft cataloger list -o json
You can refer to catalogers in two ways:
java-pom-cataloger, go-module-binary-cataloger)java, python, image, directory)Common tags include:
python, java, go, javascript, ruby, rust, etc.image, directoryinstalled, declaredmaven, npm, cargo, composer, etc.Syft provides two flags for controlling catalogers:
--select-catalogers: Modify Defaults
Use this flag to adjust the default cataloger set. This is the recommended approach for most use cases.
Syntax:
| Operation | Syntax | Example | Description |
|---|---|---|---|
| Filter | <tag> | --select-catalogers java | Use only Java catalogers from the defaults |
| Add | +<name> | --select-catalogers +sbom-cataloger | Add a specific cataloger to defaults |
| Remove | -<name-or-tag> | --select-catalogers -rpm | Remove catalogers by name or tag |
| Combine | <tag>,+<name>,-<tag> | --select-catalogers java,+sbom-cataloger,-maven | Multiple operations together |
Selection Logic:
+ or -), filter to only those tagged catalogers-<name-or-tag>+<name>+) are always included, regardless of other filters or removals.--override-default-catalogers: Replace Defaults
Use this flag to completely replace Syft’s default cataloger selection. This bypasses the automatic image vs. directory behavior.
Syntax:
--override-default-catalogers <comma-separated-names-or-tags>
When to use:
--select-catalogers for most cases.Scan for only Python packages using defaults for your scan type:
syft <target> --select-catalogers python
Scan for only Java and Go packages:
syft <target> --select-catalogers java,go
Use defaults and also include the SBOM cataloger (which finds embedded SBOMs):
syft <target> --select-catalogers +sbom-cataloger
Scan with defaults plus both SBOM and binary catalogers:
syft <target> --select-catalogers +sbom-cataloger,+binary-classifier-cataloger
Use defaults but exclude all RPM-related catalogers:
syft <target> --select-catalogers -rpm
Scan with defaults but remove Java JAR cataloger specifically:
syft <target> --select-catalogers -java-archive-cataloger
Scan for Go packages, always include SBOM cataloger, but exclude binary analysis:
syft <container-image> --select-catalogers go,+sbom-cataloger,-binary
# Result: go-module-binary-cataloger, sbom-cataloger
# (binary cataloger excluded even though it's in go tag)
Filter to Java, add POM cataloger, remove Gradle:
syft <directory> --select-catalogers java,+java-pom-cataloger,-gradle
Use only binary analysis catalogers regardless of scan type:
syft <target> --override-default-catalogers binary
# Result: binary-cataloger, cargo-auditable-binary-cataloger,
# dotnet-portable-executable-cataloger, go-module-binary-cataloger
Use exactly two specific catalogers:
syft <target> --override-default-catalogers go-module-binary-cataloger,go-module-file-cataloger
Use all directory catalogers even when scanning an image:
syft <container-image> --override-default-catalogers directory
Check which catalogers ran and whether they found packages:
# See which catalogers were used
syft <target> -o json | jq '.descriptor.configuration.catalogers.used'
# See which catalogers found packages
syft <target> -o json | jq '.artifacts[].foundBy'
# See packages found by a specific cataloger
syft <target> -o json | jq '.artifacts[] | select(.foundBy == "python-package-cataloger") | .name'
If your expected cataloger isn’t in the used list:
syft cataloger list --select-catalogers <tag> to preview- or not included it in your filtersite-packages for Python)If the cataloger ran but found nothing, check that:
Check the SBOM’s cataloger configuration:
syft <target> -o json | jq '.descriptor.configuration.catalogers.requested'
This shows the selection strategy used:
"default": ["image", "file"] indicates image defaults"default": ["directory", "file"] indicates directory defaultspython-package-cataloger)python includes both python-package-cataloger and python-installed-package-cataloger)Use tags when you want to downselect from the default catalogers, and names when you need to target a specific cataloger.
--select-catalogers: Respects Syft’s automatic image/directory behavior, safer for most use cases--override-default-catalogers: Ignores scan type, gives complete control, requires more knowledgeWhen in doubt, use --select-catalogers.
For reference, here’s the formal logic Syft uses for cataloger selection:
image_catalogers = all_catalogers AND catalogers_tagged("image")
directory_catalogers = all_catalogers AND catalogers_tagged("directory")
default_catalogers = image_catalogers OR directory_catalogers
sub_selected_catalogers = default_catalogers INTERSECT catalogers_tagged(TAG) [ UNION sub_selected_catalogers ... ]
base_catalogers = default_catalogers OR sub_selected_catalogers
final_set = (base_catalogers SUBTRACT removed_catalogers) UNION added_catalogers
This logic applies when using --select-catalogers. The --override-default-catalogers flag bypasses the default cataloger selection entirely and starts with the specified catalogers instead.
Additional resources:
file.metadata.selection can be one of all, none, or owned-by-package--exclude '**/node_modules/**'By default, Syft catalogs file details and digests for files owned by discovered packages. You can change this behavior using the SYFT_FILE_METADATA_SELECTION environment variable or the file.metadata.selection configuration option.
Available options:
all: capture all files from the search spaceowned-by-package: capture only files owned by packages (default)none: disable file information captureYou can exclude specific files and paths from scanning using glob patterns with the --exclude parameter. Use multiple --exclude flags to specify multiple patterns.
# Exclude a specific directory
syft <source> --exclude /etc
# Exclude files by pattern
syft <source> --exclude './out/**/*.json'
# Combine multiple exclusions
syft <source> --exclude './out/**/*.json' --exclude /etc --exclude '**/*.log'
Always wrap glob patterns in single quotes to prevent your shell from expanding wildcards:
syft <source> --exclude '**/*.json' # Correct
syft <source> --exclude **/*.json # May not work as expected
How Syft interprets exclusion patterns depends on whether you’re scanning an image or a directory.
When scanning container images, Syft scans the entire filesystem. Use absolute paths for exclusions:
# Exclude system directories
syft alpine:latest --exclude /etc --exclude /var
# Exclude files by pattern across entire filesystem
syft alpine:latest --exclude '/usr/**/*.txt'
When scanning directories, Syft resolves exclusion patterns relative to the specified directory. All exclusion patterns must begin with ./, */, or **/.
# Scanning /usr/foo
syft /usr/foo --exclude ./package.json # Excludes /usr/foo/package.json
syft /usr/foo --exclude '**/package.json' # Excludes all package.json files under /usr/foo
syft /usr/foo --exclude './out/**' # Excludes everything under /usr/foo/out
Path prefix requirements for directory scans:
| Pattern | Meaning | Example |
|---|---|---|
./ | Relative to scan directory root | ./config.json |
*/ | One level of directories | */temp |
**/ | Any depth of directories | **/node_modules |
/etc or /usr/**/*.txt. The pattern must begin with ./, */, or **/ to be resolved relative to your specified scan directory.# Exclude all JSON files
syft <source> --exclude '**/*.json'
# Exclude build output directories
syft <source> --exclude '**/dist/**' --exclude '**/build/**'
# Exclude dependency directories
syft <source> --exclude '**/node_modules/**' --exclude '**/vendor/**'
# Exclude test files
syft <source> --exclude '**/*_test.go' --exclude '**/test/**'
Why is my exclusion pattern not working?
Common issues:
'**/*.json' not **/*.json)./, */, or **/ prefix; absolute paths like /etc won’t work**/*.txt not .*\.txt)What’s the difference between owned-by-package and all file metadata?
owned-by-package (default): Only catalogs files that belong to discovered packages (e.g., files in an RPM’s file manifest)all: Catalogs every file in the scan space, which significantly increases SBOM size and scan timeUse all when you need complete file listings for compliance or audit purposes.
Can I exclude directories based on .gitignore?
Not directly, but you can convert .gitignore patterns to --exclude flags. Note that .gitignore syntax differs from glob patterns, so you may need to adjust patterns (e.g., node_modules/ becomes **/node_modules/**).
Do exclusions affect package detection?
Yes! If you exclude a file that a cataloger needs (like package.json or requirements.txt), Syft won’t detect packages from that file. Exclude carefully to avoid missing dependencies.
Additional resources:
syft <image> -o template -t ./template.tmplsyft <image> -o json)Syft lets you define custom output formats using Go templates. This is useful for generating custom reports, integrating with specific tools, or extracting only the data you need.
Set the output format to template and specify the template file path:
syft <image> -o template -t ./path/to/custom.tmpl
You can also configure the template path in your configuration file:
#.syft.yaml
format:
template:
path: "/path/to/template.tmpl"
Templates receive the same data structure as the syft-json output format. The Syft JSON schema is the source of truth for all available fields and their structure.
To see what data is available:
# View the full JSON structure
syft <image> -o json
# Explore specific fields
syft <image> -o json | jq '.artifacts[0]'
Key fields commonly used in templates:
.artifacts - Array of discovered packages.files - Array of discovered files.source - Information about what was scanned.distro - Detected Linux distribution (if applicable).descriptor - Syft version and configurationCommon package (artifact) fields:
.name, .version, .type - Basic package info.licenses - License information (array).purl - Package URL.cpes - Common Platform Enumerations.locations - Where the package was foundSyft templates support:
| Function | Arguments | Description |
|---|---|---|
getLastIndex | collection | Returns the last index of a slice (length - 1), useful for comma-separated lists |
hasField | obj, field | Checks if a field exists on an object, returns boolean |
The following examples show template source code and the rendered output when run against alpine:3.9.2:
"Package","Version","Type","Found by"
{{- range .artifacts}}
"{{.name}}","{{.version}}","{{.type}}","{{.foundBy}}"
{{- end}}
"Package","Version","Type","Found by"
"alpine-baselayout","3.1.0-r3","apk","apk-db-cataloger"
"alpine-keys","2.1-r1","apk","apk-db-cataloger"
"apk-tools","2.10.3-r1","apk","apk-db-cataloger"
"busybox","1.29.3-r10","apk","apk-db-cataloger"
"ca-certificates-cacert","20190108-r0","apk","apk-db-cataloger"
"libc-utils","0.7.1-r0","apk","apk-db-cataloger"
"libcrypto1.1","1.1.1a-r1","apk","apk-db-cataloger"
"libssl1.1","1.1.1a-r1","apk","apk-db-cataloger"
"libtls-standalone","2.7.4-r6","apk","apk-db-cataloger"
"musl","1.1.20-r3","apk","apk-db-cataloger"
"musl-utils","1.1.20-r3","apk","apk-db-cataloger"
"scanelf","1.2.3-r0","apk","apk-db-cataloger"
"ssl_client","1.29.3-r10","apk","apk-db-cataloger"
"zlib","1.2.11-r1","apk","apk-db-cataloger"
{{range .artifacts}}
{{- if eq .type "apk"}}
{{.name}}@{{.version}}{{end}}
{{- end}}
alpine-baselayout@3.1.0-r3
alpine-keys@2.1-r1
apk-tools@2.10.3-r1
busybox@1.29.3-r10
ca-certificates-cacert@20190108-r0
libc-utils@0.7.1-r0
libcrypto1.1@1.1.1a-r1
libssl1.1@1.1.1a-r1
libtls-standalone@2.7.4-r6
musl@1.1.20-r3
musl-utils@1.1.20-r3
scanelf@1.2.3-r0
ssl_client@1.29.3-r10
zlib@1.2.11-r1
# SBOM Report: {{.source.metadata.userInput}}
Scanned: {{.source.name}}:{{.source.version}} ({{.source.type}})
{{- if .distro}}
Distribution: {{.distro.prettyName}}
{{- end}}
## Packages ({{len .artifacts}})
| Package | Version | Type |
|---------|---------|------|
{{- range .artifacts}}
| {{.name}} | {{.version}} | {{.type}} |
{{- end}}
# SBOM Report: alpine:3.9.2
Scanned: alpine:3.9.2 (image)
Distribution: Alpine Linux v3.9
## Packages (14)
| Package | Version | Type |
| ---------------------- | ----------- | ---- |
| alpine-baselayout | 3.1.0-r3 | apk |
| alpine-keys | 2.1-r1 | apk |
| apk-tools | 2.10.3-r1 | apk |
| busybox | 1.29.3-r10 | apk |
| ca-certificates-cacert | 20190108-r0 | apk |
| libc-utils | 0.7.1-r0 | apk |
| libcrypto1.1 | 1.1.1a-r1 | apk |
| libssl1.1 | 1.1.1a-r1 | apk |
| libtls-standalone | 2.7.4-r6 | apk |
| musl | 1.1.20-r3 | apk |
| musl-utils | 1.1.20-r3 | apk |
| scanelf | 1.2.3-r0 | apk |
| ssl_client | 1.29.3-r10 | apk |
| zlib | 1.2.11-r1 | apk |
{{range .artifacts}}
{{- if .licenses}}
{{.name}}: {{range .licenses}}{{.value}} {{end}}{{end}}
{{- end}}
alpine-baselayout: GPL-2.0
alpine-keys: MIT
apk-tools: GPL2
busybox: GPL-2.0
ca-certificates-cacert: GPL-2.0-or-later MPL-2.0
libc-utils: BSD
libcrypto1.1: OpenSSL
libssl1.1: OpenSSL
libtls-standalone: ISC
musl: MIT
musl-utils: BSD GPL2+ MIT
scanelf: GPL-2.0
ssl_client: GPL-2.0
zlib: zlib
{
"scanned": "{{.source.metadata.userInput}}",
"packages": [
{{- $last := sub (len .artifacts) 1}}
{{- range $i, $pkg := .artifacts}}
{"name": "{{$pkg.name}}", "version": "{{$pkg.version}}"}{{if ne $i $last}},{{end}}
{{- end}}
]
}
{
"scanned": "alpine:3.9.2",
"packages": [
{ "name": "alpine-baselayout", "version": "3.1.0-r3" },
{ "name": "alpine-keys", "version": "2.1-r1" },
{ "name": "apk-tools", "version": "2.10.3-r1" },
{ "name": "busybox", "version": "1.29.3-r10" },
{ "name": "ca-certificates-cacert", "version": "20190108-r0" },
{ "name": "libc-utils", "version": "0.7.1-r0" },
{ "name": "libcrypto1.1", "version": "1.1.1a-r1" },
{ "name": "libssl1.1", "version": "1.1.1a-r1" },
{ "name": "libtls-standalone", "version": "2.7.4-r6" },
{ "name": "musl", "version": "1.1.20-r3" },
{ "name": "musl-utils", "version": "1.1.20-r3" },
{ "name": "scanelf", "version": "1.2.3-r0" },
{ "name": "ssl_client", "version": "1.29.3-r10" },
{ "name": "zlib", "version": "1.2.11-r1" }
]
}
{{range .files -}}
{{- if .executable}}
{{.location.path}}: {{range .digests}}{{if eq .algorithm "sha256"}}{{.value}}{{end}}{{end}}
{{end}}
{{- end}}
/bin/busybox: 2c1276c3c02ccec8a0e1737d3144cdf03db883f479c86fbd9c7ea4fd9b35eac5
/lib/ld-musl-aarch64.so.1: 0132814479f1acc1e264ef59f73fd91563235897e8dc1bd52765f974cde382ca
/lib/libcrypto.so.1.1: 6c597c8ad195eeb7a9130ad832dfa4cbf140f42baf96304711b2dbd43ba8e617
/lib/libssl.so.1.1: fb72f4615fb4574bd6eeabfdb86be47012618b9076d75aeb1510941c585cae64
/lib/libz.so.1.2.11: 19e790eb36a09eba397b5af16852f3bea21a242026bbba3da7b16442b8ba305b
/sbin/apk: 22d7d85bd24923f1f274ce765d16602191097829e22ac632748302817ce515d8
/sbin/mkmntdirs: a14a5a28525220224367616ef46d4713ef7bd00d22baa761e058e8bdd4c0af1b
/usr/bin/getconf: 82bcde66ead19bc3b9ff850f66c2dbf5eaff36d481f1ec154100f73f6265d2ef
/usr/bin/getent: 53ffb508150e91838d795831e8ecc71f2bc3a7db036c6d7f9512c3973418bb5e
/usr/bin/iconv: 1c99d1f4edcb8da6db1da60958051c413de45a4c15cd3b7f7285ed87f9a250ff
/usr/bin/scanelf: 908da485ad2edea35242f8989c7beb9536414782abc94357c72b7d840bb1fda2
/usr/bin/ssl_client: 67ab7f3a1ba35630f439d1ca4f73c7d95f8b7aa0e6f6db6ea1743f136f074ab4
/usr/lib/engines-1.1/afalg.so: ea7c2f48bc741fd828d79a304dbf713e20e001c0187f3f534d959886af87f4af
/usr/lib/engines-1.1/capi.so: b461ed43f0f244007d872e84760a446023b69b178c970acf10ed2666198942c6
/usr/lib/engines-1.1/padlock.so: 0ccb04f040afb0216da1cea2c1db7a0b91d990ce061e232782aedbd498483649
/usr/lib/libtls-standalone.so.1.0.0: 7f4c2ff4010e30a69f588ab4f213fdf9ce61a524a0eecd3f5af31dc760e8006c
{{range .files -}}
{{- if .executable}}
{{- $path := .location.path}}
{{- range .executable.importedLibraries}}
{{- if eq . "libcrypto.so.1.1"}}
{{$path}}
{{break}}
{{- end}}
{{- end}}
{{- end}}
{{- end}}
/lib/libssl.so.1.1
/sbin/apk
/usr/lib/engines-1.1/afalg.so
/usr/lib/libtls-standalone.so.1.0.0
“can’t evaluate field” errors: The field doesn’t exist or is misspelled. Check field names with syft <image> -o json | jq.
Empty output: Verify your field paths are correct. Use syft <image> -o json to see the actual data structure.
Template syntax errors: Refer to the Go template documentation for syntax help.
If you have templates from before Syft v0.102.0 that no longer work, set format.template.legacy: true in your configuration. This uses internal Go structs instead of the JSON output schema.
Long-term support for this legacy option is not guaranteed.
Additional resources:
syft convert <sbom-file> -o <format>The ability to convert existing SBOMs means you can create SBOMs in different formats quickly, without the need to regenerate the SBOM from scratch, which may take significantly more time.
syft convert <ORIGINAL-SBOM-FILE> -o <NEW-SBOM-FORMAT>[=<NEW-SBOM-FILE>]
We support formats with wide community usage AND good encode/decode support by Syft. The supported formats are:
-o json)-o spdx-json)-o spdx-tag-value)-o cyclonedx-json)-o cyclonedx-xml)Conversion example:
syft alpine:latest -o syft-json=sbom.syft.json # generate a syft SBOM
syft convert sbom.syft.json -o cyclonedx-json=sbom.cdx.json # convert it to CycloneDX
Generate and keep Syft JSON as your primary SBOM. Convert from it to other formats as needed:
# Generate Syft JSON (native format with complete data)
syft <source> -o json=sbom.json
# Convert to other formats
syft convert sbom.json -o spdx-json=sbom.spdx.json
syft convert sbom.json -o cyclonedx-json=sbom.cdx.json
Converting between non-Syft formats loses data. Syft JSON contains all information Syft extracted, while other formats use different schemas that can’t represent the same fields.
Conversions from Syft JSON to SPDX or CycloneDX preserve all standard SBOM fields. Converted output matches directly-generated output (only timestamps and IDs differ).
Avoid chaining conversions (e.g., SPDX → CycloneDX). Each step may lose format-specific data.
Reliably preserved across conversions:
May be lost in conversions:
Convert from Syft JSON when:
Regenerate from source when:
Can I convert from SPDX to CycloneDX?
Yes, but it’s not recommended. Converting between non-Syft formats loses data with each conversion. If you have the original Syft JSON or can re-scan the source, that’s a better approach.
Why is some data missing after conversion?
Different SBOM formats have different schemas with different capabilities. SPDX and CycloneDX can’t represent all Syft metadata. Converting from Syft JSON to standard formats works best; converting between standard formats loses more data.
Is conversion faster than re-scanning?
Yes, significantly. Conversion takes milliseconds while scanning can take seconds to minutes depending on source size. This makes conversion ideal for CI/CD pipelines that need multiple formats.
Can I convert back to Syft JSON from SPDX?
Yes, but you’ll lose Syft-specific metadata that doesn’t exist in SPDX (like cataloger information, layer details, and file metadata). The result won’t match the original Syft JSON.
Which format versions are supported?
See the Output Formats guide for supported versions of each format. Syft converts to the latest version by default, but you can specify older versions (e.g., -o spdx-json@2.2).
Additional resources:
syft attest --output cyclonedx-json <image> (keyless via OIDC)syft attest --key cosign.key --output spdx-json <image>cosign ≥ v1.12.0 and registry write accesscosign verify-attestationAn attestation is cryptographic proof that you created a specific SBOM for a container image. When you publish an image, consumers need to trust that the SBOM accurately describes the image contents. Attestations solve this by letting you sign SBOMs and attach them to images, enabling consumers to verify authenticity.
Syft supports two approaches:
Before creating attestations, ensure you have:
docker login for Docker Hub)For local key attestations, you’ll also need a key pair. Generate one with:
cosign generate-key-pair
This creates cosign.key (private key) and cosign.pub (public key). Keep the private key secure.
Keyless attestation uses Sigstore to tie your OIDC identity (GitHub, Google, or Microsoft account) to the attestation. This eliminates key management overhead.
syft attest --output cyclonedx-json <IMAGE>
Replace <IMAGE> with your image reference (e.g., docker.io/myorg/myimage:latest). You must have write access to this image.
What happens:
Anyone can verify the attestation using cosign:
COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE>
Successful output shows:
Example:
Certificate subject: user@example.com
Certificate issuer URL: https://accounts.google.com
This proves the attestation was created by the specified identity.
Local key attestation uses cryptographic key pairs you manage. You sign attestations with your private key, and consumers verify with your public key.
Generate the attestation and save it locally:
syft attest --output spdx-json --key cosign.key docker.io/myorg/myimage:latest > attestation.json
The output is a DSSE envelope containing an in-toto statement with your SBOM as the predicate.
Use cosign to attach the attestation:
cosign attach attestation --attestation attestation.json docker.io/myorg/myimage:latest
You need write access to the image registry for this to succeed.
Consumers verify using your public key:
cosign verify-attestation --key cosign.pub --type spdxjson docker.io/myorg/myimage:latest
Successful output shows:
Verification for docker.io/myorg/myimage:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
To extract and view the SBOM:
cosign verify-attestation --key cosign.pub --type spdxjson docker.io/myorg/myimage:latest | \
jq '.payload | @base64d | .payload | fromjson | .predicate'
Pipe the verified SBOM directly to Grype for vulnerability analysis:
cosign verify-attestation --key cosign.pub --type spdxjson docker.io/myorg/myimage:latest | \
jq '.payload | @base64d | .payload | fromjson | .predicate' | \
grype
This ensures you’re scanning a verified, trusted SBOM.
docker login <registry>cosign versionCOSIGN_EXPERIMENTAL=1 is set--type spdxjson or --type cyclonedx-json)Continue your journey:
Key pages to revisit:
Vulnerability scanning is the automated process of proactively identifying security weaknesses and known exploits within software and systems. This is crucial because it helps developers and organizations find and fix potential security holes before malicious actors can discover and exploit them, thus protecting data and maintaining system integrity.
Grype is an open-source vulnerability scanner specifically designed to analyze container images and filesystems. It works by comparing the software components it finds against a database of known vulnerabilities, providing a report of potential risks so they can be addressed.
Vulnerability scanning is the process of identifying known security vulnerabilities in software packages and dependencies.
For developers, it helps catch security issues early in development, before they reach production.
For organizations, it’s essential for maintaining security posture and meeting compliance requirements.
Grype is a CLI tool for scanning container images, filesystems, and SBOMs for known vulnerabilities.
Grype is provided as a single compiled executable and requires no external dependencies to run. Run the command for your platform to download the latest release.
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/binbrew install grypenuget install Anchore.GrypeCheck out installation guide for full list of official and community-maintained packaging options.
Run grype against a small container image. Grype will download the latest vulnerability database
and output simple human-readable table of packages that are vulnerable:
grype alpine:latest
✔ Loaded image alpine:latest
✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9…
✔ Cataloged contents 058c92d86112aa6f641b01ed238a07a3885…
├── ✔ Packages [15 packages]
├── ✔ File metadata [82 locations]
├── ✔ File digests [82 files]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [6 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 6 low, 0 negligible
└── by status: 0 fixed, 6 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
busybox 1.37.0-r12 apk CVE-2024-58251 Low
busybox 1.37.0-r12 apk CVE-2025-46394 Low
busybox-binsh 1.37.0-r12 apk CVE-2024-58251 Low
busybox-binsh 1.37.0-r12 apk CVE-2025-46394 Low
ssl_client 1.37.0-r12 apk CVE-2024-58251 Low
ssl_client 1.37.0-r12 apk CVE-2025-46394 Low
Grype can scan container images directly, but it can also scan an existing SBOM document.
alpine_latest-spdx.json using Syft, or some other tool. If not, go to SBOM Generation Getting Started and create it now.grype alpine_latest-spdx.json
The JSON-formatted output from Grype can be processed or visualized by other tools.
Create the vulnerability report using the --output flag:
grype alpine:latest --output json | jq . > vuln_report.json
While the JSON is piped to the file, you’ll see progress on stderr:
✔ Pulled image
✔ Loaded image alpine:latest
✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9869168ffced1cb25b2470a3d9fe15e
✔ Cataloged contents 058c92d86112aa6f641b01ed238a07a3885b8c0815de3e423e5c5f789c398b45
├── ✔ Packages [15 packages]
├── ✔ File digests [82 files]
├── ✔ Executables [17 executables]
└── ✔ File metadata [82 locations]
✔ Scanned for vulnerabilities [6 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 6 low, 0 negligible
└── by status: 0 fixed, 6 not-fixed, 0 ignored
Does Grype need internet access?
Only for downloading container images and the vulnerability database. After the initial database download, scanning works offline until you update the database.
What about private container registries?
Grype supports authentication for private registries. See Private Registries.
Can I use Grype in CI/CD pipelines?
Absolutely! Grype is designed for automation. Scan images or SBOMs during builds and fail pipelines based on severity thresholds.
What data does Grype send externally?
Nothing. Grype runs entirely locally and doesn’t send any data to external services.
Now that you’ve scanned for vulnerabilities, here are additional resources:
grype <target>--from <type> to explicitly specify scan target typeGrype can scan a variety of scan targets including container images, directories, files, archives, SBOMs, and individual packages. In most cases, you can simply point Grype at what you want to analyze and it will automatically detect and scan it correctly.
Scan a container image from your local daemon or a remote registry:
grype alpine:latest
Scan a directory or file:
grype /path/to/project
Scan an SBOM:
grype sbom.json
To explicitly specify the scan target type, use the --from flag:
--from ARG | Description |
|---|---|
docker | Use images from the Docker daemon |
podman | Use images from the Podman daemon |
containerd | Use images from the Containerd daemon |
docker-archive | Use a tarball from disk for archives created from docker save |
oci-archive | Use a tarball from disk for OCI archives |
oci-dir | Read directly from a path on disk for OCI layout directories |
singularity | Read directly from a Singularity Image Format (SIF) container file on disk |
dir | Read directly from a path on disk (any directory) |
file | Read directly from a path on disk (any single file) |
registry | Pull image directly from a registry (bypass any container runtimes) |
sbom | Read SBOM from file (supports Syft JSON, SPDX, CycloneDX formats) |
purl | Scan individual packages via Package URL identifiers |
Instead of using the --from flag explicitly, you can instead:
provide no hint and let Grype automatically detect the scan target type implicitly based on the input provided
provide the scan target type as a URI scheme in the target argument (e.g., docker:alpine:latest, oci-archive:/path/to/image.tar, dir:/path/to/dir)
Grype supports all the same scan targets as Syft (see Syft’s supported scan targets for the complete details).
In addition to Syft’s scan targets, Grype can scan:
With each kind of scan target, there are specific behaviors and defaults to be aware of.
For scan target capabilities that are inherited from Syft, please see the SBOM scan targets documentation:
For scan targets that are uniquely supported by Grype, see the sections below.
You can scan pre-generated SBOMs instead of scanning the scan target directly. This approach offers several benefits:
Grype scans SBOM files in multiple formats. You can provide an explicit sbom: prefix or just provide the file path:
Explicit SBOM prefix:
grype sbom:sbom.json
Implicit detection:
grype sbom.json
Grype automatically detects the SBOM format. Supported formats include:
Use the explicit sbom: prefix when the file path might be ambiguous or when you want to be clear about the input type.
You can pipe SBOM output directly from Syft or other SBOM generation tools:
Syft → Grype pipeline:
syft alpine:latest -o json | grype
Read SBOM from file via stdin:
Grype detects stdin input automatically when no command-line argument is provided and stdin is piped:
cat sbom.json | grype
Grype will not attempt to read from redirected stdin in interactive terminal sessions when the use of a pipe is not detected.
Thus grype < sbom.json will not work in an interactive terminal session.
You can scan specific packages without scanning an entire image or directory. This is useful for:
Grype supports two formats for individual package scanning: Package URLs (PURLs) and Common Platform Enumerations (CPEs). When Grype receives input, it checks for PURL format first, then CPE format, before trying other scan target types.
Package URLs (PURLs) provide a standardized way to identify software packages.
A PURL has this format:
pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
Grype can take purls from the CLI or from a file.
For instance, to scan the python library urllib3 (version 1.26.7):
grype pkg:pypi/urllib3@1.26.7
You’ll see vulnerabilities for that specific package:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
urllib3 1.26.7 1.26.17 python GHSA-v845-jxx5-vc9f High 0.9% (74th) 0.6
urllib3 1.26.7 1.26.19 python GHSA-34jh-p97f-mpxf Medium 0.1% (35th) < 0.1
urllib3 1.26.7 1.26.18 python GHSA-g4mx-q9vg-27p4 Medium < 0.1% (15th) < 0.1
urllib3 1.26.7 2.5.0 python GHSA-pq67-6m6q-mj2v Medium < 0.1% (4th) < 0.1
For operating system packages (apk, deb, rpm), use the distro qualifier to specify the distribution:
grype "pkg:apk/alpine/openssl@3.1.5-r0?distro=alpine-3.19"
grype "pkg:deb/debian/openssl@1.1.1w-0+deb11u1?distro=debian-11"
grype "pkg:rpm/redhat/openssl@1.0.2k-19.el7?distro=rhel-7"
? and &.You can specify distribution information with the --distro flag instead:
grype "pkg:rpm/redhat/openssl@1.0.2k-19.el7?arch=x86_64" --distro rhel:7
Without either the distro qualifier or the --distro flag hint, Grype may not find distribution-specific vulnerabilities.
Other qualifiers include:
upstream: The upstream package name or version. Vulnerability information tends to be tracked with the source or origin
package instead of the installed package itself (e.g. libcrypto
might be installed but the pacakge it was built from is openssl
which is where vulnerabilities are attributed to)epoch: The epoch value for RPM packages. This is necessary when the package in question has changed the methodology for versioning
(e.g., switching from date-based versions to semantic versions) and the epoch is used to indicate that change.You can scan multiple packages from a file. The file contains one PURL per line:
# contents of packages.txt follow, which must be a text file with one PURL per line
pkg:npm/lodash@4.17.20
pkg:pypi/requests@2.25.1
pkg:maven/org.apache.commons/commons-lang3@3.12.0
grype ./packages.txt
Grype scans all the packages in the file:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY
lodash 4.17.20 4.17.21 npm GHSA-35jh-r3h4-6jhm High
requests 2.25.1 2.31.0 python GHSA-j8r2-6x86-q33q Medium
commons-lang3 3.12.0 3.18.0 java-archive GHSA-j288-q9x7-2f5v Medium
...
Common Platform Enumeration (CPE) is an older identification format for software and hardware. You can scan using CPE format:
grype "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"
Grype supports multiple CPE formats:
# CPE 2.2 format (WFN URI binding)
grype "cpe:/a:apache:log4j:2.14.1"
# CPE 2.3 format (string binding)
grype "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"
Use CPE when:
For most modern scanning workflows, PURL format is preferred because it provides better precision and ecosystem-specific information.
Additional resources:
Grype automatically selects the right vulnerability data source based on the package type and distribution information in your SBOM. This guide explains how Grype chooses which vulnerability feed to use and what level of accuracy to expect.
Grype selects vulnerability feeds based on package type:
apk, deb, rpm, portage, alpm) use vulnerability data sourced from distribution-specific security feeds.When Grype scans an OS package, it uses vulnerability data sourced from distribution security feeds. Distribution maintainers curate these feeds and provide authoritative information about vulnerabilities affecting specific distribution versions.
For example, when you scan Debian 10, Grype looks for vulnerabilities affecting Debian 10 packages:
$ grype debian:10
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY
libgcrypt20 1.8.4-5+deb10u1 (won't fix) deb CVE-2021-33560 High
bash 5.0-4 deb CVE-2019-18276 Negligible
libidn2-0 2.0.5-1+deb10u1 (won't fix) deb CVE-2019-12290 High
Grype supports major Linux distributions with dedicated vulnerability feeds, including Alpine, Debian, Ubuntu, RHEL, SUSE, and many others. Some distributions have mature security tracking programs that report both fixed and unfixed vulnerabilities, providing comprehensive coverage.
Derivative distributions automatically use their parent distribution’s vulnerability feed.
Grype maps derivative distributions to their upstream source using the ID_LIKE field from /etc/os-release.
For example, Rocky Linux and AlmaLinux use the RHEL vulnerability feed, while Raspbian uses Debian’s feed.
When scanning Rocky Linux, Grype uses Red Hat security data:
$ grype rockylinux:9 -o json | jq '.matches[0].matchDetails[0].searchedBy.distro'
{
"type": "rockylinux",
"version": "9.3"
}
The distro type shows rockylinux, but Grype searches the RHEL vulnerability feed automatically.
You don’t need to configure this mapping –it happens transparently based on the distribution’s ID_LIKE field.
For a complete list of supported Linux distributions and their versions, see the OS support reference.
To learn more about data source capabilities, see the data sources reference.
Language packages use vulnerability data from GitHub Security Advisories (GHSA). GitHub maintains security advisories for major package ecosystems, sourced from package maintainers, security researchers, and automated scanning.
When you scan a JavaScript package, Grype searches GHSA for npm advisories:
$ grype node:18-alpine
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY
cross-spawn 7.0.3 7.0.5 npm GHSA-3xgq-45jj-v275 High
Grype supports these language ecosystems through GHSA:
For language packages, Grype searches GHSA by package name and version, applying ecosystem-specific version comparison rules to determine if your package version falls within the vulnerable range.
In addition to language packages, Bitnami packages are searched against Bitnami’s vulnerability feed in a similar manner.
Packages without dedicated feeds use CPE fallback matching
These package types rely on Common Platform Enumeration (CPE) matching against the National Vulnerability Database (NVD):
CPE matching constructs a CPE string from the package name and version, then searches the NVD for matching vulnerability entries.
CPE matching has important limitations:
docker (a Python library for talking to the Docker daemon) can match vulnerabilities for Docker the container runtime because they share similar CPE identifiers.You should verify CPE matches against the actual vulnerability details to confirm they apply to your specific package. Here’s a CPE match example:
{
"matchDetails": [
{
"type": "cpe-match",
"searchedBy": {
"cpes": ["cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*"]
},
"found": {
"versionConstraint": "<= 1.2.12 (unknown)"
}
}
]
}
Notice the version constraint shows (unknown) format rather than ecosystem-specific semantics, and the match type is cpe-match instead of exact-direct-match.
For more details on interpreting match types, confidence levels, and result reliability, see Understanding Grype results.
Additional resources:
exact-direct-match and exact-indirect-match are high confidence, cpe-match requires verification--by-cve to normalize vulnerability IDs to CVE formatjq for analysis by match type, severity, or data sourceThis guide explains how to read and interpret Grype’s vulnerability scan output. You’ll learn what different match types mean, how to assess result reliability, and how to filter results based on confidence levels.
Grype supports several output formats for scan results:
This guide focuses on table and JSON formats, which you’ll use most often for understanding scan results.
The table format is Grype’s default output. When you run grype <image>, you see a table displaying one row per
unique vulnerability match, with deduplication of identical rows.
The table displays eight standard columns, with an optional ninth column for annotations:
(won't fix) if the vendor won’t fix it, or empty if no fix is available). See Filter by fix availability to filter results based on fix statesHere’s what a typical scan looks like:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS RISK
log4j-core 2.4.0 2.12.2 java-archive CVE-2021-44228 Critical 94.4% (99th) 100.0 (kev)
log4j-core 2.4.0 2.12.2 java-archive CVE-2021-45046 Critical 94.3% (99th) 99.0 (kev)
apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical 12% (85th) 8.5
libcrypto1.1 1.1.1k-r0 apk CVE-2021-3711 Critical 9% (78th) 9.1
libcrypto1.1 1.1.1k-r0 (won't fix) apk CVE-2021-3712 High 5% (62nd) 7.2
The Annotations column appears conditionally to provide additional context:
--show-suppressed flag (see View filtered results)ubuntu:20.04) - Shown when scan results include matches from multiple different distributionsThe VULNERABILITY column displays different types of identifiers depending on the data source:
CVE-2024-1234) - Common Vulnerabilities and Exposures identifiers used by most Linux distributions (Alpine, Debian, Ubuntu, RHEL, SUSE) and the NVDGHSA-xxxx-xxxx-xxxx) - GitHub Security Advisory identifiers for language ecosystem packagesALAS-2023-1234) - Amazon Linux Security Advisory identifiersELSA-2023-12205) - Oracle Enterprise Linux Security Advisory identifiersBy default, Grype displays the vulnerability ID from the original data source. For example, an Alpine package might show CVE-2024-1234
while a GitHub Advisory for the same issue shows GHSA-abcd-1234-efgh. Use the --by-cve flag to normalize results to CVE identifiers:
grype <image> --by-cve
This flag replaces non-CVE vulnerability IDs with their related CVE ID when available, uses CVE metadata instead of the original advisory metadata, and makes it easier to correlate vulnerabilities across different data sources.
Compare the two approaches:
# Default output - shows GitHub Advisory ID
$ grype node:18
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
lodash 4.17.20 4.17.21 npm GHSA-35jh-r3h4-6jhm High
# With --by-cve - converts to CVE
$ grype node:18 --by-cve
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
lodash 4.17.20 4.17.21 npm CVE-2021-23337 High
By default, Grype sorts vulnerability results by risk score, which combines multiple factors to help you prioritize remediation efforts. Understanding how sorting works and when to use alternative methods helps you build effective security workflows.
The default risk score takes a holistic approach by combining:
This multi-factor approach aligns with security best practices recommended by the EPSS project, which emphasizes that “CVSS is a useful tool for capturing the fundamental properties of a vulnerability, but it needs to be used in combination with data-driven threat information, like EPSS.”
Risk-based sorting helps you focus on vulnerabilities that are both likely to be exploited AND have significant business impact, optimizing your remediation efficiency.
While Grype offers several sorting options via the --sort-by flag, using single metrics can lead to inefficient prioritization:
Severity-only sorting (--sort-by severity) focuses solely on potential impact:
EPSS-only sorting (--sort-by epss) focuses solely on exploitation likelihood:
The EPSS documentation explicitly states that EPSS scores should be combined with severity information to make informed prioritization decisions, which is exactly what Grype’s risk score does.
EPSS (Exploit Prediction Scoring System) is a data-driven scoring model that estimates the probability a vulnerability will be exploited in the next 30 days.
Grype displays EPSS data in the table output showing both the raw score and percentile, such as 94.4% (99th), which means:
EPSS percentiles help normalize the heavily skewed distribution of EPSS scores, making it easier to set thresholds. For example, a vulnerability in the 90th percentile is more concerning than one in the 50th percentile, even if the raw likelihood values appear to be similar.
Grype incorporates EPSS as the threat component of its risk calculation. When a vulnerability appears in the KEV catalog, Grype automatically treats it as maximum threat (overriding EPSS) since observed exploitation is more significant than predicted exploitation.
For more details on EPSS methodology and interpretation, see the EPSS model documentation.
While risk-based sorting is recommended for most remediation workflows, alternative sorting methods serve specific use cases:
Sort by KEV status (--sort-by kev):
Sort by severity (--sort-by severity):
Sort by EPSS (--sort-by epss):
Sort by package (--sort-by package):
Sort by vulnerability ID (--sort-by vulnerability):
For most security and remediation workflows, stick with the default risk-based sorting. It provides the best balance of threat intelligence and impact assessment to help you prioritize effectively.
Additional resources:
Grype’s native JSON output format provides a comprehensive representation of vulnerability scan results, including detailed information about each vulnerability, how it was matched, and the affected packages. This guide explains the structure of the JSON output and how to interpret its contents effectively.
The JSON output contains a top-level matches array. Each match has this structure:
{
"matches": [
{
"vulnerability": { ... },
"relatedVulnerabilities": [ ... ],
"matchDetails": [ ... ],
"artifact": { ... }
}
]
}
Ultimately, matches are the core results of a Grype scan. Matches are composed of:
The vulnerability object contains the primary vulnerability information:
alpine:distro:alpine:3.10, debian:distro:debian:10, github:language:javascript, nvd:cpe)fixed, not-fixed, wont-fix, unknown). See Understanding fix states for detailsA typical vulnerability object looks like:
{
"vulnerability": {
"id": "CVE-2021-36159",
"dataSource": "https://security.alpinelinux.org/vuln/CVE-2021-36159",
"namespace": "alpine:distro:alpine:3.10",
"severity": "Critical",
"urls": [],
"fix": {
"versions": ["2.10.7-r0"],
"state": "fixed"
},
"advisories": [],
"risk": 0.92
}
}
The matchDetails array contains information about how Grype found the match. Each detail object includes:
exact-direct-match, exact-indirect-match, or cpe-matchapk-matcher, github-matcher, stock-matcher)Here’s what matchDetails looks like:
{
"matchDetails": [
{
"type": "exact-direct-match",
"matcher": "apk-matcher",
"searchedBy": {
"distro": {
"type": "alpine",
"version": "3.10.9"
},
"package": {
"name": "apk-tools",
"version": "2.10.6-r0"
},
"namespace": "alpine:distro:alpine:3.10"
},
"found": {
"vulnerabilityID": "CVE-2021-36159",
"versionConstraint": "< 2.10.7-r0 (apk)"
}
}
]
}
Grype determines how it matched a package to a vulnerability based on the available data sources. The match type indicates how the match was made:
exact-direct-match means the package name matched directly in a dedicated vulnerability feed. Grype searched the feed using the package name from your scan and found a matching vulnerability entry.
exact-indirect-match means the source package name matched in a dedicated vulnerability feed.
This occurs when you scan a binary package (e.g., libcrypto1.1) but the feed tracks vulnerabilities under the source package (e.g., openssl).
Grype searches the feed using the source package name and maps the results to the binary package.
cpe-match means Grype used Common Platform Enumeration (CPE) matching as a fallback when no exact match was found in ecosystem-specific feeds. CPE matching relies on CPE identifiers derived from package metadata and is less precise.
You can loosely think of the match type as a proxy for confidence level in the match, where exact-direct-match has the highest confidence, followed by exact-indirect-match, and finally cpe-match.
A cpe-match means Grype used Common Platform Enumeration (CPE) matching as a fallback.
CPE matching occurs when:
This match type has lower confidence because:
The found.versionConstraint field shows the version range (found on the vulnerability) which the
package version was found to be within (thus, the package is affected by the vulnerability).
The format indicates the constraint type and the comparison logic used:
< 1.2.3 (apk) - Alpine package version constraint using apk version comparison< 1.2.3 (deb) - Debian package version constraint using dpkg version comparison< 1.2.3 (rpm) - RPM package version constraint using rpm version comparison< 1.2.3 (python) - Python package version constraint using PEP 440 comparison< 1.2.3 (semantic) - Semantic versioning constraint using semver comparison< 1.2.3 (unknown) - Unknown version format (lower reliability)The constraint type tells you how Grype compared versions. Ecosystem-specific formats (apk, deb, rpm) use that
ecosystem’s version comparison rules, which handle epoch numbers, release tags, and other format-specific details correctly.
Generic formats like unknown may have less precise matching.
When you use filtering flags or ignore rules, filtered vulnerabilities appear in the ignoredMatches array instead of matches.
See View filtered results to learn how to inspect filtered vulnerabilities.
Use jq to filter and analyze JSON output based on match type, severity, or data source.
Show only high-confidence exact matches:
grype <image> -o json | jq '.matches[] | select(.matchDetails[0].type == "exact-direct-match")'
Exclude CPE matches:
grype <image> -o json | jq '.matches[] | select(.matchDetails[0].type != "cpe-match")'
Show only matches from Alpine security data:
grype <image> -o json | jq '.matches[] | select(.vulnerability.namespace | startswith("alpine:"))'
Show only GitHub Security Advisories:
grype <image> -o json | jq '.matches[] | select(.vulnerability.namespace | startswith("github:"))'
Show only Critical and High severity vulnerabilities:
grype <image> -o json | jq '.matches[] | select(.vulnerability.severity == "Critical" or .vulnerability.severity == "High")'
Show Critical/High severity vulnerabilities with exact matches only:
grype <image> -o json | jq '.matches[] | select(
(.vulnerability.severity == "Critical" or .vulnerability.severity == "High") and
(.matchDetails[0].type == "exact-direct-match" or .matchDetails[0].type == "exact-indirect-match")
)'
grype <image> -o json | jq '[.matches[].matchDetails[0].type] | group_by(.) | map({type: .[0], count: length})'
Each match in JSON output contains information about how Grype found the vulnerability and links to the original sources. This lets you examine what Grype looked at and verify the match yourself.
The vulnerability object includes reference URLs from the vulnerability data:
grype <image> -o json | jq '.matches[].vulnerability | {id, dataSource, urls}'
These URLs point to the original vulnerability information that Grype used.
The matchDetails[].searchedBy field shows what Grype looked at when searching for vulnerabilities:
grype <image> -o json | jq '.matches[].matchDetails[].searchedBy'
For distro packages, this shows the distro, package name, and version. For CPE matches, this shows the CPE strings Grype constructed. This lets you see exactly what Grype queried.
The matchDetails[].found field shows what matched in the vulnerability data:
grype <image> -o json | jq '.matches[].matchDetails[] | {found, type}'
This shows the vulnerability ID and version constraint that matched, along with the match type. Comparing searchedBy and found shows how Grype connected your package to the vulnerability.
Additional resources:
--fail-on <severity> to set exit code thresholds for CI/CD pipelines--only-fixed or --only-notfixed.grype.yaml to exclude specific vulnerabilities or packages--vex to filter based on exploitability informationLearn how to control which vulnerabilities Grype reports using filtering flags and configuration options.
Use the --fail-on flag to control Grype’s exit code based on vulnerability severity. This can be helpful for integrating Grype into CI/CD pipelines.
The --fail-on flag (alias: -f) sets a severity threshold. When scanning completes, Grype exits with code 2 if it found vulnerabilities at or above the specified severity:
grype alpine:3.10 --fail-on high
You’ll see vulnerabilities at or above the threshold:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
zlib 1.2.11-r1 apk CVE-2022-37434 Critical 92.7% (99th) 87.1
libcrypto1.1 1.1.1k-r0 apk CVE-2023-0286 High 89.1% (99th) 66.4
libssl1.1 1.1.1k-r0 apk CVE-2023-0286 High 89.1% (99th) 66.4
...
[0026] ERROR discovered vulnerabilities at or above the severity threshold
# Exit code: 2
Valid severity values, from lowest to highest:
negligible < low < medium < high < critical
When you set a threshold, Grype fails if it finds vulnerabilities at that severity or higher. For example, --fail-on high fails on both high and critical vulnerabilities.
Grype provides flags to filter vulnerabilities based on whether fixes are available.
The --only-fixed flag filters scan results to show only vulnerabilities that have fixes available:
grype alpine:latest --only-fixed
This flag filters out vulnerabilities with these fix states:
not-fixed - No fix is available yetwont-fix - Maintainers won’t fix this vulnerabilityunknown - No fix state information is availableThis is useful when you want to focus on actionable vulnerabilities that you can remediate by updating packages.
--only-fixed and --only-notfixed together. These flags are mutually exclusive and filter out all vulnerabilities.The --only-notfixed flag filters scan results to show only vulnerabilities that do not have fixes available:
grype alpine:3.10 --only-notfixed
These vulnerabilities don’t have fixes available yet:
NAME INSTALLED TYPE VULNERABILITY SEVERITY EPSS RISK
zlib 1.2.11-r1 apk CVE-2022-37434 Critical 92.7% (99th) 87.1
libcrypto1.1 1.1.1k-r0 apk CVE-2023-0286 High 89.1% (99th) 66.4
libssl1.1 1.1.1k-r0 apk CVE-2023-0286 High 89.1% (99th) 66.4
libcrypto1.1 1.1.1k-r0 apk CVE-2023-2650 Medium 92.0% (99th) 52.9
libssl1.1 1.1.1k-r0 apk CVE-2023-2650 Medium 92.0% (99th) 52.9
...
This flag filters out vulnerabilities with fix state fixed. Notice the FIXED-IN column is empty for these vulnerabilities.
This is useful when you want to identify vulnerabilities that require alternative mitigation strategies, such as:
Grype assigns one of four fix states to each vulnerability based on information from vulnerability data sources:
| Fix State | Description |
|---|---|
fixed | A fix is available for this vulnerability |
not-fixed | No fix is available yet, but maintainers may release one |
wont-fix | Package maintainers have decided not to fix this vulnerability |
unknown | No fix state information is available |
Vulnerabilities with no fix state information are treated as unknown. This ensures Grype handles missing data consistently.
The --ignore-states flag gives you fine-grained control over which fix states to filter out. You can ignore one or more fix states by specifying them as a comma-separated list:
# Ignore vulnerabilities with unknown fix states
grype alpine:3.10 --ignore-states unknown
Only vulnerabilities with known fix states appear:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical 1.0% (76th) 0.9
# Ignore both wont-fix and not-fixed vulnerabilities
grype alpine:3.10 --ignore-states wont-fix,not-fixed
This leaves only fixed vulnerabilities and those with unknown states:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
zlib 1.2.11-r1 apk CVE-2022-37434 Critical 92.7% (99th) 87.1
libcrypto1.1 1.1.1k-r0 apk CVE-2023-0286 High 89.1% (99th) 66.4
libssl1.1 1.1.1k-r0 apk CVE-2023-0286 High 89.1% (99th) 66.4
apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical 1.0% (76th) 0.9
...
Valid fix state values are: fixed, not-fixed, wont-fix, unknown.
If you specify an invalid fix state, Grype returns an error:
grype alpine:latest --ignore-states invalid-state
# Error: unknown fix state invalid-state was supplied for --ignore-states
You can combine --fail-on with fix state filtering to create sophisticated CI/CD policies:
# Fail only if fixable critical or high vulnerabilities exist
grype alpine:3.10 --fail-on high --only-fixed
Grype now only fails on fixable critical/high vulnerabilities:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical 1.0% (76th) 0.9
[0026] ERROR discovered vulnerabilities at or above the severity threshold
# Exit code: 2
# Fail on medium or higher, but ignore wont-fix vulnerabilities
grype alpine:latest --fail-on medium --ignore-states wont-fix
The --fail-on check runs after vulnerability matching and filtering. Grype converts all filtering options (--only-fixed, --only-notfixed, --ignore-states, configuration ignore rules, and VEX documents) into ignore rules and applies them during matching. The severity threshold check then evaluates only the remaining vulnerabilities.
By default, Grype hides filtered vulnerabilities from output. You can view them in table output with --show-suppressed or in JSON output by inspecting the ignoredMatches field.
The --show-suppressed flag displays filtered vulnerabilities in table output with a (suppressed) label:
grype alpine:3.10 --only-fixed --show-suppressed
Filtered vulnerabilities now appear with a (suppressed) label:
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical 1.0% (76th) 0.9
zlib 1.2.11-r1 apk CVE-2018-25032 High < 0.1% (26th) < 0.1 (suppressed)
libcrypto1.1 1.1.1k-r0 apk CVE-2021-3711 Critical 2.7% (85th) 2.4 (suppressed)
libssl1.1 1.1.1k-r0 apk CVE-2021-3711 Critical 2.7% (85th) 2.4 (suppressed)
libcrypto1.1 1.1.1k-r0 apk CVE-2021-3712 High 0.5% (66th) 0.4 (suppressed)
libssl1.1 1.1.1k-r0 apk CVE-2021-3712 High 0.5% (66th) 0.4 (suppressed)
...
--show-suppressed flag only applies to table output format. It has no effect on JSON, SARIF, or other output formats.When you use JSON output (-o json), Grype places filtered vulnerabilities in the ignoredMatches array. Non-filtered vulnerabilities appear in the matches array.
For details on the complete JSON structure and all fields, see Reading JSON output.
View the structure:
grype alpine:3.10 --only-fixed -o json | jq '{matches, ignoredMatches}'
The structure separates matched from ignored vulnerabilities:
{
"matches": [
{
"vulnerability": {...},
"artifact": {...},
...
}
],
"ignoredMatches": [
{
"vulnerability": {...},
"artifact": {...},
...
},
...
]
}
Inspect a specific ignored vulnerability:
grype alpine:3.10 --only-fixed -o json | jq '.ignoredMatches[0] | {vulnerability: .vulnerability.id, package: .artifact.name, reason: .appliedIgnoreRules}'
Each ignored match shows why it was filtered:
{
"vulnerability": "CVE-2018-25032",
"package": "zlib",
"reason": [
{
"namespace": "",
"fix-state": "unknown"
}
]
}
The appliedIgnoreRules field shows why each vulnerability was filtered.
You can create ignore rules in your .grype.yaml configuration file to exclude specific vulnerabilities or packages from scan results.
Create a .grype.yaml file with ignore rules:
ignore:
# Ignore specific CVEs
- vulnerability: CVE-2008-4318
- vulnerability: GHSA-1234-5678-90ab
# Ignore all vulnerabilities in a package
- package:
name: libcurl
# Ignore vulnerabilities in a specific version
- package:
name: openssl
version: 1.1.1g
# Ignore by package type
- package:
type: npm
name: lodash
# Ignore by package location (supports glob patterns)
- package:
location: "/usr/local/lib/node_modules/**"
# Ignore by fix state
- vulnerability: CVE-2020-1234
fix-state: not-fixed
# Combine multiple criteria
- vulnerability: CVE-2008-4318
fix-state: unknown
package:
name: libcurl
version: 1.5.1
Valid fix-state values are: fixed, not-fixed, wont-fix, unknown.
When you combine multiple criteria in a rule, all criteria must match for the rule to apply.
Grype supports Vulnerability Exploitability eXchange (VEX) documents to provide information about which vulnerabilities affect your software. VEX allows you to communicate vulnerability status in a machine-readable format that follows CISA minimum requirements.
Grype supports two VEX formats as input:
VEX-filtered vulnerabilities behave like other filtered results:
--show-suppressed flag and marked as (suppressed by VEX)ignoredMatches array with VEX rules listed in appliedIgnoreRulesThis guide uses OpenVEX examples for simplicity, but both formats work identically with Grype. The core concepts (status values, product identification, filtering behavior) apply to both formats.
Use the --vex flag to provide one or more VEX documents:
# Single VEX document
grype alpine:latest --vex vex-report.json
# Multiple VEX documents
grype alpine:latest --vex vex-1.json,vex-2.json
You can also specify VEX documents in your configuration file:
# .grype.yaml file
vex-documents:
- vex-report.json
- vex-findings.json
VEX documents use four standard status values:
Filtering statuses (automatically applied):
not_affected - Product is not affected by the vulnerabilityfixed - Vulnerability has been remediatedAugmenting statuses (require explicit configuration):
affected - Product is affected by the vulnerabilityunder_investigation - Impact is still being assessedBy default, Grype moves vulnerabilities with not_affected or fixed status to the ignored list.
Vulnerabilities with affected or under_investigation status are only added to results when you enable augmentation:
vex-add: ["affected", "under_investigation"]
The easiest way to create OpenVEX documents is with vexctl:
# Create a VEX statement marking a CVE as not affecting your image
vexctl create \
--product="pkg:oci/alpine@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412" \
--subcomponents="pkg:apk/alpine/busybox@1.37.0-r19" \
--vuln="CVE-2024-58251" \
--status="not_affected" \
--justification="vulnerable_code_not_present" \
--file="vex.json"
# Use the VEX document with Grype
grype alpine:3.22.2 --vex vex.json
vexctl creates OpenVEX documents only.
For CSAF VEX, you’ll need to create documents manually or use CSAF-specific tooling. Both formats work the same way with Grype.
You can also create VEX documents manually. Here’s an OpenVEX example:
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://openvex.dev/docs/public/vex-07f09249682f6d9d2924be146078475538731fa0ee6a50ad3c9f33617e4a0be4",
"author": "Alex Goodman",
"version": 1,
"statements": [
{
"vulnerability": {
"name": "CVE-2024-58251"
},
"products": [
{
"@id": "pkg:oci/alpine@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412",
"subcomponents": [
{
"@id": "pkg:apk/alpine/busybox@1.37.0-r19"
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"timestamp": "2025-11-21T20:30:11.725672Z"
}
],
"timestamp": "2025-11-21T20:30:11Z"
}
CSAF VEX documents have a more complex structure with product trees, branches, and vulnerability arrays. See the CSAF specification for complete structure details.
OpenVEX provides standardized justification values when marking vulnerabilities as not_affected:
component_not_present - The component is not included in the productvulnerable_code_not_present - The vulnerable code is not presentvulnerable_code_not_in_execute_path - The vulnerable code cannot be executedvulnerable_code_cannot_be_controlled_by_adversary - The vulnerability cannot be exploitedinline_mitigations_already_exist - Mitigations prevent exploitationCSAF VEX uses a richer product status model with categories like known_not_affected that Grype maps to the standard VEX statuses. See the CSAF specification for details on CSAF-specific fields.
These justifications help security teams understand the rationale behind VEX statements.
Grype matches VEX statements to scan results using several identification methods:
Container images (most reliable):
"products": [
{ "@id": "pkg:oci/alpine@sha256:124c7d2707a0ee..." }
]
Image tags (less reliable, can change):
"products": [
{ "@id": "alpine:3.17" }
]
Individual packages via PURLs:
"products": [
{
"@id": "pkg:oci/alpine@sha256:124c7d...",
"subcomponents": [
{ "@id": "pkg:apk/alpine/libssl3@3.0.8-r3" }
]
}
]
Use container digests for the most reliable matching, as tags can move to different images over time.
Additional resources:
grype db check and grype db updateGrype uses a locally cached database of known vulnerabilities when searching a container, directory, or SBOM for security vulnerabilities. Anchore collates vulnerability data from common feeds, and publishes that data online, at no cost to users.
When Grype is launched, it checks for an existing vulnerability database, and looks for an updated one online. If available, Grype will automatically download the new database.
Grype will automatically fail scans if the vulnerability database is more than 5 days old.
You can disable this behavior or adjust the age threshold in your configuration:
db.validate-age: false to disable age validationdb.max-allowed-built-age to change the threshold (e.g., 168h for 7 days)To update the database manually, use the following command:
grype db update
If instead, you would like to simply check if a new DB is available without actually updating, use:
grype db check
This will return 0 if the database is up to date, and 1 if an update is available.
Or, you can delete the local database entirely:
grype db delete
The Grype vulnerability database contains detailed information about vulnerabilities and affected packages across all supported ecosystems.
While you can examine the raw SQLite database directly (use grype db status to find the local storage path),
the grype db search commands provide a much easier way to explore what’s in the database.
For both affected package and vulnerability searches, keep these tips in mind:
--limit 0 for unlimited results.--output json for programmatic processing of results.Use grype db search to find packages affected by vulnerabilities. This is useful when you want to understand
what packages are impacted by a specific CVE, or when you want to see all vulnerabilities affecting a particular package.
For example, to find all packages affected by Log4Shell across all ecosystems:
grype db search --vuln CVE-2021-44228
To find all vulnerable versions of the log4j package:
grype db search --pkg log4j
To search by PURL or CPE formats:
grype db search --pkg 'pkg:rpm/redhat/openssl'
grype db search --pkg 'cpe:2.3:a:jetty:jetty_http_server:*:*:*:*:*:*:*:*'
Any version value provided will be ignored entirely.
You can also use these options in combination to filter results further (finding the common intersection); in this example, finding packages named “openssl” in Alpine Linux 3.18 that have fixes available:
grype db search --pkg openssl --distro alpine-3.18 --fixed-state fixed
Use grype db search vuln to look up vulnerability details directly, including descriptions, severity ratings, and data sources.
This is subtly different from searching for affected packages, as it focuses on the vulnerabilities themselves, so you can find information about vulnerabilities that may not affect any packages (there are a few reasons why this could happen.)
To view full metadata for a specific CVE:
grype db search vuln CVE-2021-44228
To filter by data provider:
grype db search vuln CVE-2021-44228 --provider nvd
Now that you understand how Grype’s vulnerability database works, here are additional resources:
License scanning involves automatically identifying and analyzing the licenses associated with the various software components used in a project.
This is important because most software relies on third-party and open-source components, each with its own licensing terms that dictate how the software can be used, modified, and distributed, and failing to comply can lead to legal issues.
Grant is an open-source command-line tool designed to discover and report on the software licenses present in container images, SBOM documents, or filesystems. It helps users understand the licenses of their software dependencies and can check them against user-defined policies to ensure compliance.
Grant searches SBOMs for licenses and the packages they belong to.
Grant is provided as a single compiled executable. Issue the command for your platform to download the latest release of Grant. The full list of official and community maintained packages can be found on the installation page.
curl -sSfL <a href="https://get.anchore.io/grant">https://get.anchore.io/grant</a> | sudo sh -s – -b /usr/local/binbrew install grantgrant alpine:latest
Grant will produce a list of licenses.
* alpine:latest
* license matches for rule: default-deny-all; matched with pattern *
* Apache-2.0
* BSD-2-Clause
* GPL-2.0-only
* GPL-2.0-or-later
* MIT
* MPL-2.0
* Zlib
Now we scan a different container, that contains some software that is distributed under non-OSI-compliant licenses.
grant check pytorch/pytorch:latest --osi-approved
Read more in our License Auditing User Guide.
The Anchore OSS tools analyze container images from private registries using multiple authentication methods. When a container runtime isn’t available, the tools use the go-containerregistry library to handle authentication directly with registries.
When using a container runtime explicitly (for instance, with the --from docker flag) the tools defer to the runtime’s authentication mechanisms.
However, if the registry source is used, the tools use the Docker configuration file and any configured credential helpers to authenticate with the registry.
Many registries support personal access tokens (PATs) or registry tokens for authentication. Use docker login with your token, then the tools can use the cached credentials:
# GitHub Container Registry - create token at https://github.com/settings/tokens (needs read:packages scope)
docker login ghcr.io -u <username> -p <token>
syft ghcr.io/username/private-image:latest
# GitLab Container Registry - use deploy token or personal access token
docker login registry.gitlab.com -u <username> -p <token>
syft registry.gitlab.com/group/project/image:latest
The tools read credentials from ~/.docker/config.json, the same file Docker uses when you run docker login. This file can contain either basic authentication credentials or credential helper configurations.
Here are examples of what the config looks like if you are crafting it manually:
Basic authentication example:
{
"auths": {
"registry.example.com": {
"username": "AzureDiamond",
"password": "hunter2"
}
}
}
Token authentication example:
// token auth, where credentials are base64-encoded
{
"auths": {
"ghcr.io": {
"auth": "dXNlcm5hb...m5h=="
}
}
}
config.json is insecure. Use credential helpers where possible.By default, the tools look for credentials in ~/.docker/config.json. You can override this location using the DOCKER_CONFIG environment variable:
export DOCKER_CONFIG=/path/to/custom/config
syft registry.example.com/private/image:latest
You can also use this in a container:
docker run -v ./config.json:/auth/config.json -e "DOCKER_CONFIG=/auth" anchore/syft:latest <private_image>
Docker credential helpers are specialized programs that securely store and retrieve registry credentials. They’re particularly useful for cloud provider registries that use dynamic, short-lived tokens.
Instead of storing passwords as plaintext in config.json, you configure helpers that generate credentials on-demand. This is facilitated by the google/go-containerregistry library.
Add credential helpers to your config.json:
{
"credHelpers": {
// using the docker-credential-gcr for Google Container Registry and Artifact Registry
"gcr.io": "gcr",
"us-docker.pkg.dev": "gcloud",
// using the amazon-ecr-credential-helper for AWS Elastic Container Registry
"123456789012.dkr.ecr.us-west-2.amazonaws.com": "ecr-login",
// using the docker-credential-acr for Azure Container Registry
"myregistry.azurecr.io": "acr"
}
}
When the tools access these registries, they execute the corresponding helper program (for example, docker-credential-gcr, or more generically docker-credential-NAME where NAME is the config value) to obtain credentials.
credHelpers and auths are configured for the same registry, credHelpers takes precedence.For more information about Docker credential helpers for various cloud providers:
When running the tools in Kubernetes and you need access to private registries, mount Docker credentials as a secret.
Create a Kubernetes secret containing your Docker credentials. The key config.json is important—it becomes the filename when mounted into the pod.
For more information about the credential file format, see the go-containerregistry config docs.
# secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: registry-config
namespace: syft
data:
config.json: <base64-encoded-config.json>
Create the secret:
# Base64 encode your config.json
cat ~/.docker/config.json | base64
# Apply the secret
kubectl apply -f secret.yaml
Configure your pod to use the credential secret. The DOCKER_CONFIG environment variable tells the tools where to look for credentials.
Setting DOCKER_CONFIG=/config means the tools look for credentials at /config/config.json.
This matches the secret key config.json we created above—when Kubernetes mounts secrets, each key becomes a file with that name.
The volumeMounts section mounts the secret to /config, and the volumes section references the secret created in the previous step.
# pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: syft-k8s-usage
spec:
containers:
- image: anchore/syft:latest
name: syft-private-registry-demo
env:
- name: DOCKER_CONFIG
value: /config
volumeMounts:
- mountPath: /config
name: registry-config
readOnly: true
args:
- <private-image>
volumes:
- name: registry-config
secret:
secretName: registry-config
Apply and check logs:
kubectl apply -f pod.yaml
kubectl logs syft-private-registry-demo
Capabilities describe the cross-cutting features available across Anchore’s tools:
These capabilities are ecosystem-specific. For example, Python’s capabilities differ from Go’s, and Ubuntu’s capabilities differ from Alpine’s.
Default capabilities do not require to be online or have special configuration (other than having a vulnerability DB downloaded). Some capabilities may be conditionally supported, requiring additional configuration or online access to function.
This page explains how to interpret the capabilities tables found on each ecosystem-specific capability pages.
There are separate overviews of supported pacakge ecosystems as well as supported Operating Systems.
Vulnerability data source qualities vary in the information they provide and how to interpret them correctly.
In terms of disclosures and fixes, each data source can be described along the following dimensions:
Independent Disclosure: Whether the advisory discloses the vulnerability regardless of fix availability. Sources with this capability report vulnerabilities even when no fix is available yet.
Disclosure Date: Whether the data source provides the date when a vulnerability was first publicly disclosed. This helps you understand the timeline of vulnerability exposure.
Fix Versions: Whether the data source specifies which package versions contain fixes for a vulnerability. This allows Grype to determine if an installed package version is vulnerable or fixed.
Fix Date: Whether the advisory includes a date when the fix was made available. This helps you understand the timeline of vulnerability remediation.
Some ecosystems have parent packages where the source code for the current package is maintained.
For example, the libcrypto for debian is part of the larger openssl package (where openssl is denoted as the origin package).
The same is true for redhat-based packages, except the parent package is denoted as the srcrpm package.
Ecosystems like this have vulnerabilities are often disclosed and fixed at the parent package level (origin and srcrpm).
More critically, the parent packages are often not installed on the system, making it impossible to directly detect vulnerabilities against them.
There tends to be package metadata on the downstream package that denotes the parent package name and version, which Syft can extract during package analysis.
We describe Syft’s ability to capture dependency information in the following dimentions:
Depth: How far into the true dependency graph we are able to discover package nodes.
direct: only captures dependencies explicitly declared by the project, but not necessarily dependencies of those dependencies
transitive: all possible depths of dependencies are captured
Edges: Whether we are able to capture relationships between packages, and if so, describe the topology of those relationships.
flat: we can capture the root package relative to all other dependencies, but are unaware of relationships between dependencies (a simple star topology, where all dependencies point to the root package)
complete: all possible relationships between packages are captured (the full dependency graph)
Kinds: The types of dependencies we are able to capture.
runtime: dependencies required for the package to function at runtime
dev: dependencies required for development
Indicates whether Syft can detect and catalog license information from package metadata. When supported, Syft extracts license declarations from package manifests, metadata files, or installed package databases.
Syft can extract various package manager metadata beyond basic package information:
Files: Whether Syft can catalog the list of files that are part of a package installation. This provides visibility into all files installed by the package manager.
Digests: Whether Syft can capture file checksums (digests/hashes) for individual files within a package. This enables integrity verification of installed files. Note: this is not necessarily the actual hash of the file, but instead the claims made by the package manager about those files. We capture actual file hashes in the files section of the SBOM.
Integrity Hash: Whether Syft can capture a single package-level integrity hash used by package managers to verify the package archive itself (for example, the https://go.dev/ref/mod#go-sum-files for go packages).
Syft and Grype support several operating systems for package cataloging and vulnerability detection. The table below shows which OS versions are supported and where Grype’s vulnerability data comes from.
| Operating System | Supported Versions | Vunnel Provider | Data Source |
|---|---|---|---|
| Alpine Linux | 3.2+, edge | alpine | Alpine SecDB |
| Amazon Linux | 2, 2022, 2023 | amazon | Amazon Linux Security Center |
| Azure Linux | 3.0 | mariner | Microsoft CBL-Mariner OVAL |
| CentOS | 5, 6, 7, 8 | rhel | Red Hat Security Data API |
| Chainguard OS | rolling | chainguard | Chainguard Security |
| Debian | 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable | debian | Debian Security Tracker |
| Echo OS | rolling | echo | ECHO Security |
| CBL-Mariner | 1.0, 2.0 | mariner | Microsoft CBL-Mariner OVAL |
| MinimOS | rolling | minimos | MINIMOS Security |
| Oracle Linux | 5, 6, 7, 8, 9, 10 | oracle | Oracle Linux Security |
| Raspberry Pi OS | 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable | debian | Debian Security Tracker |
| Red Hat Enterprise Linux | 5, 6, 7, 8, 9, 10EUS: 5.9, 6.4+, 7, 8.1, 8.2, 8.4, 8.6, 8.8, 9 | rhel | Red Hat Security Data API |
| Rocky Linux | 5, 6, 7, 8, 9, 10 | rhel | Red Hat Security Data API |
| SUSE Linux Enterprise Server | 11, 12, 15 | sles | SUSE Security OVAL |
| Ubuntu | 12.04 (precise), 12.10 (quantal), 13.04 (raring), 14.04 (trusty), 14.10 (utopic), 15.04 (vivid), 15.10 (wily), 16.04 (xenial), 16.10 (yakkety), 17.04 (zesty), 17.10 (artful), 18.04 (bionic), 18.10 (cosmic), 19.04 (disco), 19.10 (eoan), 20.04 (focal), 20.10 (groovy), 21.04 (hirsute), 21.10 (impish), 22.04 (jammy), 22.10 (kinetic), 23.04 (lunar), 23.10 (mantic), 24.04 (noble), 24.10 (oracular), 25.04 (plucky), 25.10 | ubuntu | Ubuntu CVE Tracker |
| Wolfi | rolling | wolfi | Wolfi Security |
The table below shows which ecosystems support package analysis and vulnerability scanning.
| Ecosystem | Cataloger + Evidence | Licenses | Dependencies | Files |
|---|---|---|---|---|
| Ai | gguf-cataloger *.gguf | |||
| ALPM | alpm-db-cataloger var/lib/pacman/local/**/desc | |||
| APK | apk-db-cataloger lib/apk/db/installed | |||
| Binary | binary-classifier-cataloger arangodb-binary arangosh bash-binarybash busybox-binarybusybox chrome-binarychrome consul-binaryconsul curl-binarycurl dart-binarydart elixir-binaryelixir elixir-libraryelixir/ebin/elixir.app erlang-alpine-binarybeam.smp erlang-binaryerlexec erlang-libraryliberts_internal.a ffmpeg-binaryffmpeg ffmpeg-librarylibav*, libswresample* fluent-bit-binaryfluent-bit gcc-binarygcc go-binarygo go-binary-hintVERSION* gzip-binarygzip haproxy-binaryhaproxy hashicorp-vault-binaryvault haskell-cabal-binarycabal haskell-ghc-binaryghc* haskell-stack-binarystack helmhelm httpd-binaryhttpd java-binaryjava java-jdb-binaryjdb jq-binaryjq julia-binarylibjulia-internal.so lighttpd-binarylighttpd mariadb-binary{mariadb,mysql} memcached-binarymemcached mysql-binarymysql nginx-binarynginx nodejs-binarynode openssl-binaryopenssl perl-binaryperl php-composer-binarycomposer* postgresql-binarypostgres proftpd-binaryproftpd pypy-binary-liblibpypy*.so* python-binarypython* python-binary-liblibpython*.so* redis-binaryredis-server ruby-binaryruby rust-standard-library-linuxlibstd-*.so rust-standard-library-macoslibstd-*.dylib sqlcipher-binarysqlcipher swipl-binaryswipl traefik-binarytraefik util-linux-binarygetopt wordpress-cli-binarywp xtrabackup-binaryxtrabackup xz-binaryxz zstd-binaryzstd | |||
elf-binary-package-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | ||||
pe-binary-package-cataloger *.dll, *.exe | ||||
| Bitnami | bitnami-cataloger /opt/bitnami/**/.spdx-*.spdx | |||
| C/C++ | conan-cataloger conan.lock | |||
conan-cataloger conanfile.txt | ||||
conan-info-cataloger conaninfo.txt | ||||
| Conda | conda-meta-cataloger conda-meta/*.json | |||
| Dart | dart-pubspec-cataloger pubspec.yml, pubspec.yaml | |||
dart-pubspec-lock-cataloger pubspec.lock | ||||
| DPKG | deb-archive-cataloger *.deb | |||
dpkg-db-cataloger lib/dpkg/status, lib/dpkg/status.d/*, lib/opkg/info/*.control, lib/opkg/status | ||||
| Elixir | elixir-mix-lock-cataloger mix.lock | |||
| Erlang | erlang-otp-application-cataloger *.app | |||
erlang-rebar-lock-cataloger rebar.lock | ||||
| GitHub Actions | github-action-workflow-usage-cataloger .github/workflows/*.yaml, .github/workflows/*.yml | |||
github-actions-usage-cataloger .github/actions/*/action.yml, .github/actions/*/action.yaml | ||||
github-actions-usage-cataloger .github/workflows/*.yaml, .github/workflows/*.yml | ||||
| Go | go-module-binary-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable, application/x-executable (mimetype) | |||
go-module-file-cataloger go.mod | ||||
| Haskell | haskell-cataloger cabal.project.freeze | |||
haskell-cataloger stack.yaml.lock | ||||
haskell-cataloger stack.yaml | ||||
| Homebrew | homebrew-cataloger Cellar/*/*/.brew/*.rb, Library/Taps/*/*/Formula/*.rb | |||
| Java | graalvm-native-image-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | |||
java-archive-cataloger *.jar, *.war, *.ear, *.par, *.sar, *.nar, *.jpi, *.hpi, *.kar, *.lpkg | ||||
java-archive-cataloger *.zip | ||||
java-archive-cataloger *.tar, *.tar.gz, *.tgz, *.tar.bz, *.tar.bz2, *.tbz, *.tbz2, *.tar.br, *.tbr, *.tar.lz4, *.tlz4, *.tar.sz, *.tsz, *.tar.xz, *.txz, *.tar.zst, *.tzst, *.tar.zstd, *.tzstd | ||||
java-gradle-lockfile-cataloger gradle.lockfile* | ||||
java-jvm-cataloger release | ||||
java-pom-cataloger *pom.xml | ||||
| JavaScript | javascript-lock-cataloger pnpm-lock.yaml | |||
javascript-lock-cataloger yarn.lock | ||||
javascript-lock-cataloger package-lock.json | ||||
javascript-package-cataloger package.json | ||||
| Linux | linux-kernel-cataloger kernel, kernel-*, vmlinux, vmlinux-*, vmlinuz, vmlinuz-*, lib/modules/**/*.ko | |||
| Lua | lua-rock-cataloger *.rockspec | |||
| .NET | dotnet-deps-binary-cataloger *.deps.json, *.dll, *.exe | |||
dotnet-deps-cataloger deprecated *.deps.json | ||||
dotnet-packages-lock-cataloger packages.lock.json | ||||
dotnet-portable-executable-cataloger deprecated *.dll, *.exe | ||||
| Nix | nix-cataloger nix/var/nix/db/db.sqlite, nix/store/*, nix/store/*.drv | |||
nix-store-cataloger deprecated nix/store/*, nix/store/*.drv | ||||
| OCaml | opam-cataloger *opam | |||
| PHP | php-composer-installed-cataloger installed.json | |||
php-composer-lock-cataloger composer.lock | ||||
php-interpreter-cataloger php*/**/*.so, php-fpm*, apache*/**/libphp*.so | ||||
php-pear-serialized-cataloger php/.registry/**/*.reg | ||||
php-pecl-serialized-cataloger deprecated php/.registry/.channel.*/*.reg | ||||
| Portage | portage-cataloger var/db/pkg/*/*/CONTENTS | |||
| Prolog | swipl-pack-cataloger pack.pl | |||
| Python | python-installed-package-cataloger *.egg-info, *dist-info/METADATA, *egg-info/PKG-INFO, *DIST-INFO/METADATA, *EGG-INFO/PKG-INFO | |||
python-package-cataloger pdm.lock | ||||
python-package-cataloger uv.lock | ||||
python-package-cataloger setup.py | ||||
python-package-cataloger Pipfile.lock | ||||
python-package-cataloger poetry.lock | ||||
python-package-cataloger *requirements*.txt | ||||
| R | r-package-cataloger DESCRIPTION | |||
| RPM | rpm-archive-cataloger *.rpm | |||
rpm-db-cataloger var/lib/rpmmanifest/container-manifest-2 | ||||
rpm-db-cataloger {var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite} | ||||
| Ruby | ruby-gemfile-cataloger Gemfile.lock | |||
ruby-gemspec-cataloger *.gemspec | ||||
ruby-installed-gemspec-cataloger specifications/**/*.gemspec | ||||
| Rust | cargo-auditable-binary-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable, application/x-executable (mimetype) | |||
rust-cargo-lock-cataloger Cargo.lock | ||||
| SBOM | sbom-cataloger *.syft.json, *.bom.*, *.bom, bom, *.sbom.*, *.sbom, sbom, *.cdx.*, *.cdx, *.spdx.*, *.spdx | |||
| Snap | snap-cataloger snap/snapcraft.yaml | |||
snap-cataloger snap/manifest.yaml | ||||
snap-cataloger doc/linux-modules-*/changelog.Debian.gz | ||||
snap-cataloger usr/share/snappy/dpkg.yaml | ||||
snap-cataloger meta/snap.yaml | ||||
| Swift | cocoapods-cataloger Podfile.lock | |||
swift-package-manager-cataloger Package.resolved, .package.resolved | ||||
| Terraform | terraform-lock-cataloger .terraform.lock.hcl | |||
| WordPress | wordpress-plugins-cataloger wp-content/plugins/*/*.php |
Legend:
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
alpm-db-cataloger var/lib/pacman/local/**/desc | Transitive | Complete | Runtime | ||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Operating System | Supported Versions | Provider | Data Source |
|---|---|---|---|
| Arch Linux | minimal support (CPE-based) | nvd | National Vulnerability Database (NVD) |
Interested in contributing vulnerability scanning support?
Feel free to add a new vunnel provider for Arch-based distributions. See the existing issue in the Vunnel repository.
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
gguf-cataloger *.gguf | |||||||
Unsupported at this time.
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
apk-db-cataloger lib/apk/db/installed | Transitive | Complete | Runtime | ||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| Alpine SecDB | |||||
| National Vulnerability Database (NVD) | |||||
| Chainguard Security | |||||
| MINIMOS Security | |||||
| Wolfi Security | |||||
The APK vulnerability matcher searches all data sources for upstream packages, including NVD.
| Operating System | Supported Versions | Provider | Data Source |
|---|---|---|---|
| Alpine Linux | 3.2+, edge | alpine | Alpine SecDB |
| Chainguard OS | rolling | chainguard | Chainguard Security |
| MinimOS | rolling | minimos | MINIMOS Security |
| Wolfi | rolling | wolfi | Wolfi Security |
The APK vulnerability database (a.k.a. “SecDB”) includes data from the Alpine Security Tracker, which provides fix information for known vulnerabilities that affect Alpine Linux packages. This database only includes vulnerabilities that have fixes available and does not track unfixed vulnerabilities. The maintainers of the SecDB intend for the primary source of truth for disclosures to be the National Vulnerability Database (NVD).
This is true of other APK vulnerability data sources as well (such as Chainguard, Wolfi, and MinimOS).
Within the .files[].executable sections of the Syft JSON there is an analysis of what features and claims were found within a binary file.
This includes:
Security features that can be detected include:
When it comes to shared library requirement claims and exported symbol claims, these are used by Syft to:
file-to-file relationships (in the case of executables/shared libraries being distributed without a package manager)file-to-package relationships (when an executable imports a shared library that is managed by a package manager)Syft can synthesize a dependency graph from the imported libraries and exported symbols found within a set of binaries, even if all package manager information has been removed, allowing for a more complete SBOM to be generated. In a mixed case, where there are some packages managed by package managers and some binaries without package manager metadata, Syft can still use the binary analysis to fill in the gaps. Package-level relationships are preferred over file-level relationships when both are available, which simplifies the dependency graph.
Syft is capable of looking at ELF formatted binaries, specifically the .note.package note, that are formatted using the convention established by the systemd project.
This spec requires a PE/COFF section that wraps a json payload describing the package metadata for the binary, however, syft does not require the PE/COFF wrapping and can extract the json payload directly from the ELF note.
Here’s an example of what the json payload looks like:
{
"name": "my-application",
"version": "1.2.3",
"purl": "pkg:deb/debian/my-application@1.2.3?arch=amd64&distro=debian-12",
"cpe": "cpe:2.3:a:vendor:my-application:1.2.3:*:*:*:*:*:*:*",
"license": "Apache-2.0",
"type": "deb"
}
Which, if stored in payload.json, can be injected into an existing ELF binary using the following command:
objcopy --add-section .note.package=payload.json --set-section-flags .note.package=noload,readonly
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
binary-classifier-cataloger (see table below) | |||||||
elf-binary-package-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | |||||||
pe-binary-package-cataloger *.dll, *.exe | |||||||
| Class | Files | PURL | CPEs |
|---|---|---|---|
| arangodb-binary | arangosh | pkg:generic/arangodb | cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:* |
| bash-binary | bash | pkg:generic/bash | cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:* |
| busybox-binary | busybox | pkg:generic/busybox | cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:* |
| chrome-binary | chrome | pkg:generic/chrome | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* |
| consul-binary | consul | pkg:golang/github.com/hashicorp/consul | cpe:2.3:a:hashicorp:consul:*:*:*:*:*:*:*:* |
| curl-binary | curl | pkg:generic/curl | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* |
| dart-binary | dart | pkg:generic/dart | cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:* |
| elixir-binary | elixir | pkg:generic/elixir | cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:* |
| elixir-library | elixir/ebin/elixir.app | pkg:generic/elixir | cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:* |
| erlang-alpine-binary | beam.smp | pkg:generic/erlang | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* |
| erlang-binary | erlexec | pkg:generic/erlang | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* |
| erlang-library | liberts_internal.a | pkg:generic/erlang | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* |
| ffmpeg-binary | ffmpeg | pkg:generic/ffmpeg | cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:* |
| ffmpeg-library | libav* | pkg:generic/ffmpeg | cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:* |
| ffmpeg-library | libswresample* | pkg:generic/ffmpeg | cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:* |
| fluent-bit-binary | fluent-bit | pkg:github/fluent/fluent-bit | cpe:2.3:a:treasuredata:fluent_bit:*:*:*:*:*:*:*:* |
| gcc-binary | gcc | pkg:generic/gcc | cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:*:* |
| go-binary | go | pkg:generic/go | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* |
| go-binary-hint | VERSION* | pkg:generic/go | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* |
| gzip-binary | gzip | pkg:generic/gzip | cpe:2.3:a:gnu:gzip:*:*:*:*:*:*:*:* |
| haproxy-binary | haproxy | pkg:generic/haproxy | cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* |
| hashicorp-vault-binary | vault | pkg:golang/github.com/hashicorp/vault | cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:* |
| haskell-cabal-binary | cabal | pkg:generic/haskell/cabal | cpe:2.3:a:haskell:cabal:*:*:*:*:*:*:*:* |
| haskell-ghc-binary | ghc* | pkg:generic/haskell/ghc | cpe:2.3:a:haskell:ghc:*:*:*:*:*:*:*:* |
| haskell-stack-binary | stack | pkg:generic/haskell/stack | cpe:2.3:a:haskell:stack:*:*:*:*:*:*:*:* |
| helm | helm | pkg:golang/helm.sh/helm | cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:* |
| httpd-binary | httpd | pkg:generic/httpd | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* |
| java-binary | java | pkg:generic/oracle/graalvmpkg:generic/azul/zulupkg:generic/oracle/openjdkpkg:generic/oracle/openjdkpkg:generic/ibm/javapkg:generic/oracle/jrepkg:generic/oracle/jre | cpe:2.3:a:oracle:graalvm:*:*:*:*:*:*:*:*cpe:2.3:a:azul:zulu:*:*:*:*:*:*:*:*cpe:2.3:a:oracle:openjdk:{{.primary}}:update{{.update}}:*:*:*:*:*:*cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*cpe:2.3:a:ibm:java:*:*:*:*:*:*:*:*cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:* |
| java-jdb-binary | jdb | pkg:generic/oracle/graalvmpkg:generic/azul/zulupkg:generic/oracle/openjdkpkg:generic/ibm/java_sdkpkg:generic/oracle/openjdkpkg:generic/oracle/jdk | cpe:2.3:a:oracle:graalvm_for_jdk:*:*:*:*:*:*:*:*cpe:2.3:a:azul:zulu:*:*:*:*:*:*:*:*cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*cpe:2.3:a:ibm:java_sdk:*:*:*:*:*:*:*:*cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:* |
| jq-binary | jq | pkg:generic/jq | cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:* |
| julia-binary | libjulia-internal.so | pkg:generic/julia | cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:* |
| lighttpd-binary | lighttpd | pkg:generic/lighttpd | cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:* |
| mariadb-binary | {mariadb,mysql} | pkg:generic/mariadb | cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:* |
| memcached-binary | memcached | pkg:generic/memcached | cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:* |
| mysql-binary | mysql | pkg:generic/mysql | cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* |
| mysql-binary | mysql | pkg:generic/percona-server | cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:* |
| mysql-binary | mysql | pkg:generic/percona-xtradb-cluster | cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:*cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:* |
| nginx-binary | nginx | pkg:generic/nginx | cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:* |
| nodejs-binary | node | pkg:generic/node | cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* |
| openssl-binary | openssl | pkg:generic/openssl | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| perl-binary | perl | pkg:generic/perl | cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:* |
| php-composer-binary | composer* | pkg:generic/composer | cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:* |
| postgresql-binary | postgres | pkg:generic/postgresql | cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* |
| proftpd-binary | proftpd | pkg:generic/proftpd | cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:* |
| pypy-binary-lib | libpypy*.so* | pkg:generic/pypy | - |
| python-binary | python* | pkg:generic/python | cpe:2.3:a:python_software_foundation:python:*:*:*:*:*:*:*:*cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python-binary-lib | libpython*.so* | pkg:generic/python | cpe:2.3:a:python_software_foundation:python:*:*:*:*:*:*:*:*cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| redis-binary | redis-server | pkg:generic/redis | cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:* |
| ruby-binary | ruby | pkg:generic/ruby | cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* |
| rust-standard-library-linux | libstd-*.so | pkg:generic/rust | cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:* |
| rust-standard-library-macos | libstd-*.dylib | pkg:generic/rust | cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:* |
| sqlcipher-binary | sqlcipher | pkg:generic/sqlcipher | cpe:2.3:a:zetetic:sqlcipher:*:*:*:*:*:*:*:* |
| swipl-binary | swipl | pkg:generic/swipl | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* |
| traefik-binary | traefik | pkg:generic/traefik | cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* |
| util-linux-binary | getopt | pkg:generic/util-linux | cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:* |
| wordpress-cli-binary | wp | pkg:generic/wp-cli | cpe:2.3:a:wp-cli:wp-cli:*:*:*:*:*:*:*:* |
| xtrabackup-binary | xtrabackup | pkg:generic/percona-xtrabackup | cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:* |
| xz-binary | xz | pkg:generic/xz | cpe:2.3:a:tukaani:xz:*:*:*:*:*:*:*:* |
| zstd-binary | zstd | pkg:generic/zstd | cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:* |
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
bitnami-cataloger /opt/bitnami/**/.spdx-*.spdx | Transitive | Complete | Runtime | ||||
Since all package data is gathered from SPDX SBOMs, the quality of the package analysis is dependent on the quality of the provided SBOMs.
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| Bitnami Vulnerability Database | |||||
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
conda-meta-cataloger conda-meta/*.json | Direct | Runtime | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
conan-cataloger conan.lock | Transitive | Runtime, Build | |||||
conan-cataloger conanfile.txt | Direct | Runtime | |||||
conan-info-cataloger conaninfo.txt | Direct | Flat | Runtime | ||||
We support package detection for v1 and v2 formatted conan.lock files.
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
dart-pubspec-cataloger pubspec.yml, pubspec.yaml | Direct | Runtime | |||||
dart-pubspec-lock-cataloger pubspec.lock | Transitive | Runtime, Dev | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
deb-archive-cataloger *.deb | |||||||
dpkg-db-cataloger lib/dpkg/status, lib/dpkg/status.d/*, lib/opkg/info/*.control, lib/opkg/status | Transitive | Complete | Runtime | ||||
There is additional functionality for:
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| Debian Security Tracker (DSA, DLA) | |||||
| ECHO Security | |||||
| Ubuntu CVE Tracker (USN) | |||||
| Operating System | Supported Versions | Provider | Data Source |
|---|---|---|---|
| Debian | 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable | debian | Debian Security Tracker |
| Echo OS | rolling | echo | ECHO Security |
| Raspberry Pi OS | 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable | debian | Debian Security Tracker |
| Ubuntu | 12.04 (precise), 12.10 (quantal), 13.04 (raring), 14.04 (trusty), 14.10 (utopic), 15.04 (vivid), 15.10 (wily), 16.04 (xenial), 16.10 (yakkety), 17.04 (zesty), 17.10 (artful), 18.04 (bionic), 18.10 (cosmic), 19.04 (disco), 19.10 (eoan), 20.04 (focal), 20.10 (groovy), 21.04 (hirsute), 21.10 (impish), 22.04 (jammy), 22.10 (kinetic), 23.04 (lunar), 23.10 (mantic), 24.04 (noble), 24.10 (oracular), 25.04 (plucky), 25.10 | ubuntu | Ubuntu CVE Tracker |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
dotnet-deps-binary-cataloger *.deps.json, *.dll, *.exe | Transitive | Complete | Runtime | ||||
dotnet-deps-cataloger deprecated *.deps.json | Transitive | Complete | Runtime | ||||
dotnet-packages-lock-cataloger packages.lock.json | Transitive | Complete | Runtime, Dev, Build | ||||
dotnet-portable-executable-cataloger deprecated *.dll, *.exe | |||||||
| Configuration Key | Description |
|---|---|
dotnet.dep-packages-must-claim-dll | Allows for deps.json packages to be included only if there is a runtime/resource DLL claimed in the deps.json targets section. This does not require such claimed DLLs to exist on disk. The behavior of this |
dotnet.dep-packages-must-have-dll | Allows for deps.json packages to be included only if there is a DLL on disk for that package. |
dotnet.propagate-dll-claims-to-parents | Allows for deps.json packages to be included if any child (transitive) package claims a DLL. This applies to both the claims configuration and evidence-on-disk configurations. |
dotnet.relax-dll-claims-when-bundling-detected | Will look for indications of IL bundle tooling via deps.json package names and, if found (and this config option is enabled), will relax the DepPackagesMustClaimDLL value to `false` only in those cases. |
When scanning a .NET application evidence from deps.json (compiler output) as well as any built binaries are used together to identify packages. This way we can enrich missing data from any one source and synthesize a more complete and accurate package graph.
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.dotnet.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
elixir-mix-lock-cataloger mix.lock | Transitive | Runtime, Dev | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
erlang-otp-application-cataloger *.app | Direct | Runtime, Dev | |||||
erlang-rebar-lock-cataloger rebar.lock | Direct | Runtime, Dev | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
github-action-workflow-usage-cataloger .github/workflows/*.yaml, .github/workflows/*.yml | |||||||
github-actions-usage-cataloger .github/actions/*/action.yml, .github/actions/*/action.yaml | |||||||
github-actions-usage-cataloger .github/workflows/*.yaml, .github/workflows/*.yml | |||||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
go-module-binary-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable, application/x-executable (mimetype) | Transitive | Flat | Runtime, Dev | ||||
go-module-file-cataloger go.mod | Transitive | Flat | Runtime, Dev | ||||
| Configuration Key | Description |
|---|---|
golang.local-mod-cache-dir | Specifies the location of the local go module cache directory. When not set, syft will attempt to discover the GOPATH env or default to $HOME/go. |
golang.local-vendor-dir | Specifies the location of the local vendor directory. When not set, syft will search for a vendor directory relative to the go.mod file. |
golang.no-proxy | Is a list of glob patterns that match go module names that should not be fetched from the go proxy. When not set, syft will use the GOPRIVATE and GONOPROXY env vars. |
golang.proxy | Is a list of go module proxies to use when fetching go module metadata and licenses. When not set, syft will use the GOPROXY env or default to https://proxy.golang.org,direct. |
golang.search-local-mod-cache-licenses | Enables searching for go package licenses in the local GOPATH mod cache. |
golang.search-local-vendor-licenses | Enables searching for go package licenses in the local vendor directory relative to the go.mod file. |
golang.search-remote-licenses | Enables downloading go package licenses from the upstream go proxy (typically proxy.golang.org). |
When Syft scans a Go binary, the main module often has version (devel) because Go doesn’t embed version information by default.
Syft attempts to detect the actual version using three strategies (configurable via golang.main-module-version.*):
From ldflags (enabled by default): Looks for version strings passed during build like -ldflags="-X main.version=v1.2.3". Supports common patterns: *.version=, *.gitTag=, *.release=, etc.
From build settings (enabled by default): Uses VCS metadata (commit hash and timestamp) embedded by Go 1.18+ to generate a pseudo-version like v0.0.0-20230101120000-abcdef123456.
From contents (disabled by default): Scans binary contents for version string patterns. Can produce false positives.
Best practice: Use -ldflags when building to embed your version explicitly.
Example:
go build -ldflags="-X main.version=v1.2.3"
This ensures Syft (and Grype) can accurately identify your application version for vulnerability matching.
Syft automatically creates a stdlib package for each Go binary, representing the Go standard library version used to compile it.
The version is extracted from the binary’s build metadata (e.g., go1.22.2).
This enables Grype to check for vulnerabilities reported against the go standard library.
Why this matters: Vulnerabilities in the Go compiler (like CVEs affecting the crypto library or net/http) can affect your application even if your code doesn’t directly use those packages.
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.golang.using-cpes | Use CPE package identifiers to find vulnerabilities |
match.golang.always-use-cpe-for-stdlib | use CPE matching to find vulnerabilities for the Go standard library |
match.golang.allow-main-module-pseudo-version-comparison | allow comparison between main module pseudo-versions (e.g. v0.0.0-20240413-2b432cf643...) |
Grype skips vulnerability matching for packages that match all these conditions:
allow-main-module-pseudo-version-comparison is false (default): version starts with v0.0.0- or is (devel)allow-main-module-pseudo-version-comparison is true: version is (devel) onlyThis filtering exists because Go doesn’t have a standard way to embed the main module’s version into compiled binaries (see golang/go#50603). Pseudo-versions in compiled binaries are often unreliable for vulnerability matching.
You can disable this filtering with the allow-main-module-pseudo-version-comparison configuration option.
Cause: The main module has a pseudo-version (v0.0.0-*) or (devel), which Grype filters by default.
Solution: Enable pseudo-version matching in your Grype configuration:
match:
golang:
allow-main-module-pseudo-version-comparison: true
Possible causes:
generate-cpes: true in .syft.yamlalways-use-cpe-for-stdlib: true in Grype config (default)go1.18.3, not v1.18.3 (file a Syft bug if incorrect)| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
haskell-cataloger cabal.project.freeze | Transitive | Runtime, Dev | |||||
haskell-cataloger stack.yaml.lock | Transitive | Runtime, Dev | |||||
haskell-cataloger stack.yaml | Direct | Runtime, Dev | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
homebrew-cataloger Cellar/*/*/.brew/*.rb, Library/Taps/*/*/Formula/*.rb | |||||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
graalvm-native-image-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | Transitive | Complete | Runtime, Dev | ||||
java-archive-cataloger *.jar, *.war, *.ear, *.par, *.sar, *.nar, *.jpi, *.hpi, *.kar, *.lpkg | Transitive | Complete | Runtime, Dev | ||||
java-archive-cataloger *.zip | Transitive | Complete | Runtime, Dev | ||||
java-archive-cataloger *.tar, *.tar.gz, *.tgz, *.tar.bz, *.tar.bz2, *.tbz, *.tbz2, *.tar.br, *.tbr, *.tar.lz4, *.tlz4, *.tar.sz, *.tsz, *.tar.xz, *.txz, *.tar.zst, *.tzst, *.tar.zstd, *.tzstd | Transitive | Complete | Runtime, Dev | ||||
java-gradle-lockfile-cataloger gradle.lockfile* | Transitive | Runtime, Dev | |||||
java-jvm-cataloger release | Transitive | Runtime, Dev | |||||
java-pom-cataloger *pom.xml | Direct | Complete | Runtime, Dev | ||||
| Configuration Key | Description |
|---|---|
java.maven-local-repository-dir | Specifies the location of the local maven repository. When not set, defaults to ~/.m2/repository. |
java.maven-url | Specifies the base URL(s) to use for fetching POMs and metadata from maven central or other repositories. When not set, defaults to https://repo1.maven.org/maven2. |
java.max-parent-recursive-depth | Limits how many parent POMs will be fetched recursively before stopping. This prevents infinite loops or excessively deep parent chains. |
java.resolve-transitive-dependencies | Enables resolving transitive dependencies for java packages found within archives. |
java.use-maven-local-repository | Enables searching the local maven repository (~/.m2/repository by default) for parent POMs and other metadata. |
java.use-network | Enables network operations for java package metadata enrichment, such as fetching parent POMs and license information. |
When scanning a Java archive (e.g. jar, war, ear, …), Syft will look for maven project evidence within the archive recursively.
This means that if a jar file contains other jar files, Syft will also look for pom.xml files within those nested jar files to identify packages (such as with shaded jars).
Additionally, if opted-in via configuration, Syft will scan non-java archive files (e.g., zip, tar, tar.gz, …) for Java package evidence as well.
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.java.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
javascript-lock-cataloger pnpm-lock.yaml | Transitive | Runtime | |||||
javascript-lock-cataloger yarn.lock | Transitive | Runtime, Dev | |||||
javascript-lock-cataloger package-lock.json | Transitive | Runtime | |||||
javascript-package-cataloger package.json | Direct | Runtime | |||||
| Configuration Key | Description |
|---|---|
javascript.include-dev-dependencies | Controls whether development dependencies should be included in the catalog results, in addition to production dependencies. |
javascript.npm-base-url | Specifies the base URL for the NPM registry API used when searching for remote license information. |
javascript.search-remote-licenses | Enables querying the NPM registry API to retrieve license information for packages that are missing license data in their local metadata. |
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.javascript.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
linux-kernel-cataloger kernel, kernel-*, vmlinux, vmlinux-*, vmlinuz, vmlinuz-*, lib/modules/**/*.ko | |||||||
| Configuration Key | Description |
|---|---|
linux-kernel.catalog-modules | Enables cataloging linux kernel modules (*.ko files) in addition to the kernel itself. |
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
lua-rock-cataloger *.rockspec | |||||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
nix-cataloger nix/var/nix/db/db.sqlite, nix/store/*, nix/store/*.drv | Transitive | Complete | Runtime | ||||
nix-store-cataloger deprecated nix/store/*, nix/store/*.drv | Transitive | Complete | Runtime | ||||
| Configuration Key | Description |
|---|---|
nix.capture-owned-files | Determines whether to record the list of files owned by each Nix package discovered in the store. Recording owned files provides more detailed information but increases processing time and memory usage. |
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
opam-cataloger *opam | Direct | Runtime | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
php-composer-installed-cataloger installed.json | Transitive | Runtime, Dev | |||||
php-composer-lock-cataloger composer.lock | Transitive | Runtime | |||||
php-interpreter-cataloger php*/**/*.so, php-fpm*, apache*/**/libphp*.so | Direct | Flat | Runtime | ||||
php-pear-serialized-cataloger php/.registry/**/*.reg | Direct | Runtime | |||||
php-pecl-serialized-cataloger deprecated php/.registry/.channel.*/*.reg | Direct | Runtime | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
portage-cataloger var/db/pkg/*/*/CONTENTS | Direct | Runtime | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Operating System | Supported Versions | Provider | Data Source |
|---|---|---|---|
| Gentoo Linux | minimal support (CPE-based) | nvd | National Vulnerability Database (NVD) |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
swipl-pack-cataloger pack.pl | Direct | Runtime, Dev | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
python-installed-package-cataloger *.egg-info, *dist-info/METADATA, *egg-info/PKG-INFO, *DIST-INFO/METADATA, *EGG-INFO/PKG-INFO | Direct | Complete | Runtime | ||||
python-package-cataloger pdm.lock | Transitive | Complete | Runtime, Dev, Optional | ||||
python-package-cataloger uv.lock | Transitive | Complete | Runtime, Dev, Optional | ||||
python-package-cataloger setup.py | Direct | ||||||
python-package-cataloger Pipfile.lock | Transitive | Runtime | |||||
python-package-cataloger poetry.lock | Transitive | Complete | Runtime, Dev, Optional | ||||
python-package-cataloger *requirements*.txt | Direct | Any | |||||
| Configuration Key | Description |
|---|---|
python.guess-unpinned-requirements | Attempts to infer package versions from version constraints when no explicit version is specified in requirements files. |
python.pypi-base-url | Specifies the base URL for the Pypi registry API used when searching for remote license information. |
python.search-remote-licenses | Enables querying the NPM registry API to retrieve license information for packages that are missing license data in their local metadata. |
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.python.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
r-package-cataloger DESCRIPTION | |||||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
rpm-archive-cataloger *.rpm | |||||||
rpm-db-cataloger var/lib/rpmmanifest/container-manifest-2 | Transitive | Runtime | |||||
rpm-db-cataloger {var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite} | Transitive | Complete | Runtime | ||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| AlmaLinux OSV Database (ALSA) | |||||
| Amazon Linux Security Center (ALAS) | |||||
| Microsoft AzureLinux OVAL | |||||
| Red Hat Security Data API (RHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Microsoft CBL-Mariner OVAL | |||||
| Oracle Linux Security (ELSA) | |||||
| SUSE Security OVAL (SUSE-SU) | |||||
| Operating System | Supported Versions | Provider | Data Source |
|---|---|---|---|
| AlmaLinux | 8, 9, 10 | alma | AlmaLinux OSV Database |
| Amazon Linux | 2, 2022, 2023 | amazon | Amazon Linux Security Center |
| Azure Linux | 3.0 | mariner | Microsoft CBL-Mariner OVAL |
| CentOS | 5, 6, 7, 8 | rhel | Red Hat Security Data API |
| Fedora | minimal support (CPE-based) | nvd | National Vulnerability Database (NVD) |
| CBL-Mariner | 1.0, 2.0 | mariner | Microsoft CBL-Mariner OVAL |
| OpenSUSE Leap | minimal support (CPE-based) | nvd | National Vulnerability Database (NVD) |
| Oracle Linux | 5, 6, 7, 8, 9, 10 | oracle | Oracle Linux Security |
| Photon OS | minimal support (CPE-based) | nvd | National Vulnerability Database (NVD) |
| Red Hat Enterprise Linux | 5, 6, 7, 8, 9, 10EUS: 5.9, 6.4+, 7, 8.1, 8.2, 8.4, 8.6, 8.8, 9 | rhel | Red Hat Security Data API |
| Rocky Linux | 5, 6, 7, 8, 9, 10 | rhel | Red Hat Security Data API |
| SUSE Linux Enterprise Server | 11, 12, 15 | sles | SUSE Security OVAL |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
ruby-gemfile-cataloger Gemfile.lock | Transitive | Runtime, Dev | |||||
ruby-gemspec-cataloger *.gemspec | Direct | Runtime | |||||
ruby-installed-gemspec-cataloger specifications/**/*.gemspec | Transitive | Runtime | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.ruby.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
cargo-auditable-binary-cataloger application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable, application/x-executable (mimetype) | Transitive | Complete | Runtime | ||||
rust-cargo-lock-cataloger Cargo.lock | Transitive | Complete | Runtime, Dev, Build | ||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| GitHub Security Advisories (GHSA) | |||||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.rust.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
sbom-cataloger *.syft.json, *.bom.*, *.bom, bom, *.sbom.*, *.sbom, sbom, *.cdx.*, *.cdx, *.spdx.*, *.spdx | |||||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
snap-cataloger snap/snapcraft.yaml | |||||||
snap-cataloger snap/manifest.yaml | |||||||
snap-cataloger doc/linux-modules-*/changelog.Debian.gz | |||||||
snap-cataloger usr/share/snappy/dpkg.yaml | |||||||
snap-cataloger meta/snap.yaml | |||||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
cocoapods-cataloger Podfile.lock | Transitive | Runtime | |||||
swift-package-manager-cataloger Package.resolved, .package.resolved | Transitive | Runtime | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
terraform-lock-cataloger .terraform.lock.hcl | Direct | Runtime | |||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
| Cataloger + Evidence | License | Dependencies | Package Manager Claims | ||||
|---|---|---|---|---|---|---|---|
| Depth | Edges | Kinds | Files | Digests | Integrity Hash | ||
wordpress-plugins-cataloger wp-content/plugins/*/*.php | |||||||
| Data Source | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|
| Affected | Date | Versions | Date | ||
| National Vulnerability Database (NVD) | |||||
| Configuration Key | Description |
|---|---|
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities |
Welcome! We appreciate all contributions to Anchore’s open source projects. Whether you’re fixing a bug, adding a feature, or improving documentation, your help makes these tools better for everyone.
The Anchore open source community is here to help. Use Discourse for questions, discussions, and troubleshooting. Use GitHub for reporting bugs, requesting features, and submitting code contributions. See Issues vs Discussions for guidance on which channel to use.
For security vulnerabilities, email security@anchore.com - do not create public issues. See our Security Policy for details.
Understanding where to post helps you get faster, more relevant responses.
Use GitHub issues for:
Use the Anchore Discourse for:
GitHub issues track work items that require code changes. Each issue represents a potential task for the development team. Discourse provides a better format for conversations, questions, and community support without cluttering the issue tracker.
If you’re unsure which to use, start with Discourse. The community can help identify if an issue should be created.
If you discover a security vulnerability, please report it privately rather than creating a public issue. See our Security Policy for details on how to report security issues responsibly. This gives us time to fix the problem and protect users before details become public.
In order to test and develop in the Syft repo you will need the following dependencies installed:
Run once after cloning to install development tools:
make bootstrap
Make sure you’ve updated your docker settings so the default docker socket path is available.
Go to docker → settings → advanced and ensure “Allow the default Docker socket to be used” is checked.
Use the default docker context, run: docker context use default
Common commands for ongoing development:
make help - List all available commandsmake lint - Check code formatting and lintingmake lint-fix - Auto-fix formatting issuesmake unit - Run unit testsmake integration - Run integration testsmake cli - Run CLI testsmake snapshot - Build release snapshot with all binaries and packagesunit (make unit): The default level of test which is distributed throughout the repo are unit tests. Any _test.go file that
does not reside somewhere within the /test directory is a unit test. Other forms of testing should be organized in
the /test directory. These tests should focus on the correctness of functionality in depth. % test coverage metrics
only considers unit tests and no other forms of testing.
integration (make integration): located within cmd/syft/internal/test/integration, these tests focus on the behavior surfaced by the common library
entrypoints from the syft package and make light assertions about the results surfaced. Additionally, these tests
tend to make diversity assertions for enum-like objects, ensuring that as enum values are added to a definition
that integration tests will automatically fail if no test attempts to use that enum value. For more details see
the “Data diversity and freshness assertions” section below.
cli (make cli): located with in test/cli, these are tests that test the correctness of application behavior from a
snapshot build. This should be used in cases where a unit or integration test will not do or if you are looking
for in-depth testing of code in the cmd/ package (such as testing the proper behavior of application configuration,
CLI switches, and glue code before syft library calls).
acceptance (make install-test): located within test/compare and test/install, these are smoke-like tests that ensure that application
packaging and installation works as expected. For example, during release we provide RPM packages as a download
artifact. We also have an accompanying RPM acceptance test that installs the RPM from a snapshot build and ensures the
output of a syft invocation matches canned expected output. New acceptance tests should be added for each release artifact
and architecture supported (when possible).
It is important that tests against the codebase are flexible enough to begin failing when they do not cover “enough” of the objects under test. “Cover” in this case does not mean that some percentage of the code has been executed during testing, but instead that there is enough diversity of data input reflected in testing relative to the definitions available.
For instance, consider an enum-like value like so:
type Language string
const (
Java Language = "java"
JavaScript Language = "javascript"
Python Language = "python"
Ruby Language = "ruby"
Go Language = "go"
)
Say we have a test that exercises all the languages defined today:
func TestCatalogPackages(t *testing.T) {
testTable := []struct {
// ... the set of test cases that test all languages
}
for _, test := range cases {
t.Run(test.name, func (t *testing.T) {
// use inputFixturePath and assert that syft.CatalogPackages() returns the set of expected Package objects
// ...
})
}
}
Where each test case has a inputFixturePath that would result with packages from each language. This test is
brittle since it does not assert that all languages were exercised directly and future modifications (such as
adding a new language) won’t be covered by any test cases.
To address this, the enum-like object should have a definition of all objects that can be used in testing:
type Language string
// const( Java Language = ..., ... )
var AllLanguages = []Language{
Java,
JavaScript,
Python,
Ruby,
Go,
Rust,
}
Allowing testing to automatically fail when adding a new language:
func TestCatalogPackages(t *testing.T) {
testTable := []struct {
// ... the set of test cases that (hopefully) covers all languages
}
// new stuff...
observedLanguages := strset.New()
for _, test := range cases {
t.Run(test.name, func (t *testing.T) {
// use inputFixturePath and assert that syft.CatalogPackages() returns the set of expected Package objects
// ...
// new stuff...
for _, actualPkg := range actual {
observedLanguages.Add(string(actualPkg.Language))
}
})
}
// new stuff...
for _, expectedLanguage := range pkg.AllLanguages {
if !observedLanguages.Contains(expectedLanguage) {
t.Errorf("failed to test language=%q", expectedLanguage)
}
}
}
This is a better test since it will fail when someone adds a new language but fails to write a test case that should exercise that new language. This method is ideal for integration-level testing, where testing correctness in depth is not needed (that is what unit tests are for) but instead testing in breadth to ensure that units are well integrated.
A similar case can be made for data freshness; if the quality of the results will be diminished if the input data is not kept up to date then a test should be written (when possible) to assert any input data is not stale.
An example of this is the static list of licenses that is stored in internal/spdxlicense for use by the SPDX
presenters. This list is updated and published periodically by an external group and syft can grab and update this
list by running go generate ./... from the root of the repo.
An integration test has been written to grabs the latest license list version externally and compares that version with the version generated in the codebase. If they differ, the test fails, indicating to someone that there is an action needed to update it.
The format objects make a lot of use of “snapshot” testing, where you save the expected output bytes from a call into the
git repository and during testing make a comparison of the actual bytes from the subject under test with the golden
copy saved in the repo. The “golden” files are stored in the test-fixtures/snapshot directory relative to the go
package under test and should always be updated by invoking go test on the specific test file with a specific CLI
update flag provided.
Many of the Format tests make use of this approach, where the raw SBOM report is saved in the repo and the test
compares that SBOM with what is generated from the latest presenter code. The following command can be used to
update the golden files for the various snapshot tests:
make update-format-golden-files
These flags are defined at the top of the test files that have tests that use the snapshot files.
Snapshot testing is only as good as the manual verification of the golden snapshot file saved to the repo! Be careful and diligent when updating these files.
Syft uses a sophisticated test fixture caching system to speed up test execution. Test fixtures include pre-built test images, language-specific package manifests, and other test data. Rather than rebuilding fixtures on every checkout, Syft can download a pre-built cache from GitHub Container Registry.
Common fixture commands:
make fixtures - Intelligently download or rebuild fixtures as neededmake build-fixtures - Manually build all fixtures from scratchmake clean-cache - Remove all cached test fixturesmake check-docker-cache - Verify docker cache size is within limitsWhen to use each command:
make fixtures after cloning the repository. This will download the latest fixture cache.make clean-cache followed by make fixtures to ensure you have fresh fixtures.DOWNLOAD_TEST_FIXTURE_CACHE=false and run make build-fixtures to build fixtures locally without downloading.make build-fixtures to rebuild affected fixtures.The fixture system tracks input fingerprints and only rebuilds fixtures when their source files change. This makes the development cycle faster while ensuring tests always run against the correct fixture data.
Syft generates several types of code and data files that need to be kept in sync with external sources or internal structures:
What gets generated:
When to regenerate:
Run code generation after:
pkg.Package struct or related types (requires JSON schema regeneration)Generation commands:
make generate - Run all generation tasksmake generate-json-schema - Generate JSON schema from Go typesmake generate-license-list - Download and generate latest SPDX license listmake generate-cpe-dictionary-index - Generate CPE dictionary indexAfter running generation commands, review the changes carefully and commit them as part of your pull request. The CI pipeline will verify that generated files are up to date.
Catalogers must fulfill the pkg.Cataloger interface in order to add packages to the SBOM.
All catalogers are registered as tasks in Syft’s task-based cataloging system:
DefaultPackageTaskFactories() using newSimplePackageTaskFactory or newPackageTaskFactorypkgcataloging.InstalledTag - for packages positively installedpkgcataloging.DeclaredTag - for packages described in manifests (places where we intend to install software, but does not describe installed software)pkgcataloging.ImageTag - should run when scanning container imagespkgcataloging.DirectoryTag - should run when scanning directories/filesystemspkgcataloging.LanguageTag - for language-specific packagespkgcataloging.OSTag - for OS-specific packages"java", "python", "alpine", etc.pkgcataloging.ConfigThe task system orchestrates all catalogers through CreateSBOMConfig,
which manages task execution, parallelism, and configuration.
generic.NewCataloger is an abstraction syft used to make writing common components easier (see the alpine cataloger for example usage).
It takes the following information as input:
catalogerName to identify the cataloger uniquely among all other catalogers.pkg.Package as well as a slice of artifact.Relationship to describe how the returned packages are related.
See this the alpine cataloger parser function as an example.Identified packages share a common pkg.Package struct so be sure that when the new cataloger is constructing a new package it is using the Package struct.
If you want to return more information than what is available on the pkg.Package struct then you can do so in the pkg.Package.Metadata field, which accepts any type.
Metadata types tend to be unique for each pkg.Type but this is not required.
See the pkg package for examples of the different metadata types that are supported today.
When encoding to JSON, metadata type names are determined by reflection and mapped according to internal/packagemetadata/names.go.
Finally, here is an example of where the package construction is done within the alpine cataloger:
Interested in building a new cataloger?
Checkout the list of issues with the new-cataloger label!
If you have questions about implementing a cataloger, feel free to file an issue or reach out to us on discourse!
Some companies have Artifactory setup internally as a solution for sourcing secure dependencies. If you’re seeing an issue where the unit tests won’t run because of the below error then this section might be relevant for your use case.
[ERROR] [ERROR] Some problems were encountered while processing the POMs
If you’re dealing with an issue where the unit tests will not pull/build certain java fixtures check some of these settings:
settings.xml file should be available to help you communicate with your internal artifactory deploymentsyft/pkg/cataloger/java/test-fixtures/java-builds/example-jenkins-plugin/ to help build the unit test-fixturesbuild-example-jenkins-plugin.sh to use settings.xmlFor more information on this setup and troubleshooting see issue 1895
Understanding the Codebase
Contributing Your Work
Finding Work
Getting Help
In order to test and develop in the Grype repo you will need the following dependencies installed:
Run once after cloning to install development tools:
make bootstrap
Make sure you’ve updated your docker settings so the default docker socket path is available.
Go to docker → settings → advanced and ensure “Allow the default Docker socket to be used” is checked.
Use the default docker context, run: docker context use default
Common commands for ongoing development:
make help - List all available commandsmake lint - Check code formatting and lintingmake lint-fix - Auto-fix formatting issuesmake format - Auto-format source codemake unit - Run unit testsmake integration - Run integration testsmake cli - Run CLI testsmake quality - Run vulnerability matching quality testsmake snapshot - Build release snapshot with all binaries and packagesunit (make unit): The default level of test which is distributed throughout the repo are unit tests.
Any _test.go file that does not reside somewhere within the /test directory is a unit test.
Other forms of testing should be organized in the /test directory.
These tests should focus on the correctness of functionality in depth.
% test coverage metrics only considers unit tests and no other forms of testing.
integration (make integration): located within test/integration, these tests focus on the behavior surfaced by the Grype library entrypoints and make
assertions about vulnerability matching results.
The integration tests also update the vulnerability database and run with the race detector enabled to catch concurrency issues.
cli (make cli): located within test/cli, these are tests that test the correctness of application behavior from a snapshot build.
This should be used in cases where a unit or integration test will not do or if you are looking for in-depth testing of code in the cmd/ package (such as
testing the proper behavior of application configuration, CLI switches, and glue code before grype library calls).
quality (make quality): located within test/quality, these are tests that verify vulnerability matching quality by comparing Grype’s results against known-good results (quality gates).
These tests help ensure that changes to vulnerability matching logic don’t introduce regressions in match quality. The quality tests use a pinned database version to ensure consistent results.
See the quality gate architecture documentation for how the system works and the test/quality README for practical development workflows.
install (part of acceptance testing): located within test/install, these are smoke-like tests that ensure that application packaging and installation works as expected.
For example, during release we provide RPM packages as a download artifact.
We also have an accompanying RPM acceptance test that installs the RPM from a snapshot build and ensures the output of a grype invocation matches canned expected output.
Quality gates validate that code changes don’t cause performance regressions in vulnerability matching. The system compares your PR’s matching results against a baseline using a pinned database to isolate code changes from database volatility.
What quality gates validate:
Common development workflows:
make capture - Download SBOMs and generate match resultsmake validate - Analyze output and evaluate pass/failyardstick label explore [UUID] - Interactive TUI for labeling matches./gate.py --image [digest] - Test specific imagesLearn more:
Grype uses Syft as a library for all-things related to obtaining and parsing the given scan target (pulling container images, parsing container images,
indexing directories, cataloging packages, etc). Releases of Grype should always use released versions of Syft (commits that are tagged and show up in the GitHub releases page).
However, continually integrating unreleased Syft changes into Grype incrementally is encouraged (e.g. go get github.com/anchore/syft@main) as long as by the time
a release is cut the Syft version is updated to a released version (e.g. go get github.com/anchore/syft@v<semantic-version>).
The currently supported database format is Sqlite3. Install sqlite3 in your system and ensure that the sqlite3 executable is available in your path.
Ask grype about the location of the database, which will be different depending on the operating system:
$ go run ./cmd/grype db status
Location: /Users/alfredo/Library/Caches/grype/db
Built: 2020-07-31 08:18:29 +0000 UTC
Current DB Version: 1
Require DB Version: 1
Status: Valid
The database is located within the XDG_CACHE_HOME path. To verify the database filename, list that path:
# OSX-specific path
$ ls -alh /Users/alfredo/Library/Caches/grype/db
total 445392
drwxr-xr-x 4 alfredo staff 128B Jul 31 09:27 .
drwxr-xr-x 3 alfredo staff 96B Jul 31 09:27 ..
-rw------- 1 alfredo staff 139B Jul 31 09:27 metadata.json
-rw-r--r-- 1 alfredo staff 217M Jul 31 09:27 vulnerability.db
Next, open the vulnerability.db with sqlite3:
sqlite3 /Users/alfredo/Library/Caches/grype/db/vulnerability.db
To make the reporting from Sqlite3 easier to read, enable the following:
sqlite> .mode column
sqlite> .headers on
List the tables:
sqlite> .tables
id vulnerability vulnerability_metadata
In this example you retrieve a specific vulnerability from the nvd namespace:
sqlite> select * from vulnerability where (namespace="nvd" and package_name="libvncserver") limit 1;
id record_source package_name namespace version_constraint version_format cpes proxy_vulnerabilities
------------- ------------- ------------ ---------- ------------------ -------------- ----------------------------------------------------------- ---------------------
CVE-2006-2450 libvncserver nvd = 0.7.1 unknown ["cpe:2.3:a:libvncserver:libvncserver:0.7.1:*:*:*:*:*:*:*"] []
Understanding the Codebase
Architecture - Learn about package structure, core library flow, and matchers
API Reference - Explore the public Go API, type definitions, and function signatures Contributing Your Work
Pull Requests - Guidelines for submitting PRs and working with reviewers
Issues and Discussions - Where to get help and report issues
Finding Work
Getting Help
If you’ve made changes and the tests are passing, it’s time to submit a pull request (PR). This guide will help you through the process.
Before submitting your PR, make sure you have:
Each of these items helps maintainers review your contribution more effectively and merge it faster.
Your PR title is important—it becomes the changelog entry in release notes. Write titles that are meaningful to end users, not just developers.
Good titles:
Add support for Python 3.12 package detectionFix crash when parsing malformed RPM databasesUpdate documentation for custom template usagePoor titles:
Updates (too vague—updates to what?)Fixed bug (which bug?)WIP: trying some things (not ready for review)Refactor parseRPM function (implementation detail, not a user-facing change)A clear description helps reviewers understand your changes quickly. Include these key sections:
## Summary
Brief description of the change.
## Motivation
Why is this change needed? What problem does it solve?
## Changes
- Bullet point list of key changes
- Include any breaking changes or migration steps
## Type of change
<!-- Delete any that are not relevant -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
- [ ] Documentation (updates the documentation)
- [ ] Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
- [ ] Performance (make Syft run faster or use less memory, without changing visible behavior much)
## Checklist
- [ ] I have added unit tests that cover changed behavior
- [ ] I have tested my code in common scenarios and confirmed there are no regressions
- [ ] I have added comments to my code, particularly in hard-to-understand sections
Closes #123
We use squash merging for all pull requests, which means:
This approach keeps the main branch clean and linear while reducing friction for contributors. Focus on code quality rather than commit structure—reviewers care about the changes, not how you got there.
Small PRs get reviewed faster. Here’s how to make your PR easier to review:
Consider breaking work into multiple PRs if you’re making both refactoring changes and feature additions. Reviewers can process smaller, focused changes more quickly.
It’s normal and expected for reviewers to have questions and suggestions:
Remember that review feedback is about the code, not about you. Reviewers want to help make the contribution successful.
Once approved, a maintainer will merge your PR. Depending on the project, you might be asked to:
Watch out for these common pitfalls:
If you’re stuck or have questions about the PR process:
Contributing to open source can feel intimidating at first, but the community is here to support you. Don’t hesitate to ask questions.
This codebase is primarily Go, however, there are also Python scripts critical to the daily DB publishing process as well as acceptance testing. You will require the following:
zstd binary utility if you are packaging v6+ DB schemasxz binary utility if you have specifically overridden the package command optionsTo download Go tooling used for static analysis, dependent Go modules, and Python dependencies run:
make bootstrap
Common commands for ongoing development:
make help - List all available commandsmake lint - Check code formatting and lintingmake lint-fix - Auto-fix formatting issuesmake unit - Run unit tests (Go and Python)make cli - Run CLI testsmake db-acceptance schema=<version> - Run DB acceptance tests for a schema versionmake snapshot - Build release snapshot with all binaries and packagesmake download-all-provider-cache - Download pre-built vulnerability data cacheIn order to build a grype DB you will need a local cache of vulnerability data:
make download-all-provider-cache
This will populate the ./data directory locally with everything needed to run grype-db build (without needing to run grype-db pull).
This data being pulled down is the same data used in the daily DB publishing workflow, so it should be relatively fresh.
v# schema package in the grype repo (within pkg/db)v# schema package in the grype-db repo (use the bump-schema.py helper script) that uses the new changes from grype-dbmanager/src/grype_db_manager/data/schema-info.json to pin the last-latest version to a specific version of grype and add the new schema version pinned to the “main” branch of grype (or a development branch)grype to use the new schemaWhile developing a new schema version it may be useful to get a DB built for you by the Staging DB Publisher GitHub Actions workflow. This code exercises the same code as the Daily DB Publisher, with the exception that only a single schema is built and is validated against a given development branch of grype. When these DBs are published you can point grype at the proper listing file like so:
GRYPE_DB_UPDATE_URL=https://toolbox-data.anchore.io/grype/staging-databases/listing.json grype centos:8 ...
unit (make unit): Unit tests for both Go code in the main codebase and Python scripts in the manager/ directory.
These tests focus on correctness of individual functions and components. Coverage metrics track Go test coverage.
cli (make cli): CLI tests for both Go and Python components. These validate that command-line interfaces work correctly with various inputs and configurations.
db-acceptance (make db-acceptance schema=<version>): Acceptance tests that verify a specific DB schema version works correctly with Grype.
These tests build a database, run Grype scans, and validate that vulnerability matches are correct and complete.
To run unit tests for Go code and Python scripts:
make unit
To verify that a specific DB schema version interops with Grype:
make db-acceptance schema=<version>
# Note: this may take a while... go make some coffee.
Understanding the Codebase
Architecture - Learn about the ETL pipeline, schema support, and publishing workflow
Vunnel Documentation - Understand the vulnerability data provider system that feeds Grype DB Contributing Your Work
Pull Requests - Guidelines for submitting PRs and working with reviewers
Issues and Discussions - Where to get help and report issues
Related Projects
Getting Help
This project requires:
make dev “development shell”)Once you have python and uv installed, get the project bootstrapped:
# clone grype and grype-db, which is needed for provider development
git clone git@github.com:anchore/grype.git
git clone git@github.com:anchore/grype-db.git
# note: if you already have these repos cloned, you can skip this step. However, if they
# reside in a different directory than where the vunnel repo is, then you will need to
# set the `GRYPE_PATH` and/or `GRYPE_DB_PATH` environment variables for the development
# shell to function. You can add these to a local .env file in the vunnel repo root.
# clone the vunnel repo
git clone git@github.com:anchore/vunnel.git
cd vunnel
# get basic project tooling
make bootstrap
# install project dependencies
uv sync --all-extras --dev
Pre-commit is used to help enforce static analysis checks with git hooks:
uv run pre-commit install --hook-type pre-push
The easiest way to develop on a providers is to use the development shell, selecting the specific provider(s) you’d like to focus your development workflow on:
# Specify one or more providers you want to develop on.
# Any provider from the output of "vunnel list" is valid.
# Specify multiple as a space-delimited list:
# make dev providers="oracle wolfi nvd"
$ make dev provider="oracle"
Entering vunnel development shell...
• Configuring with providers: oracle ...
• Writing grype config: /Users/wagoodman/code/vunnel/.grype.yaml ...
• Writing grype-db config: /Users/wagoodman/code/vunnel/.grype-db.yaml ...
• Activating virtual env: /Users/wagoodman/code/vunnel/.venv ...
• Installing editable version of vunnel ...
• Building grype ...
• Building grype-db ...
Note: development builds grype and grype-db are now available in your path.
To update these builds run 'make build-grype' and 'make build-grype-db' respectively.
To run your provider and update the grype database run 'make update-db'.
Type 'exit' to exit the development shell.
You can now run the provider you specified in the make dev command, build an isolated grype DB, and import the DB into grype:
$ make update-db
• Updating vunnel providers ...
[0000] INFO grype-db version: ede464c2def9c085325e18ed319b36424d71180d-adhoc-build
...
[0000] INFO configured providers parallelism=1 providers=1
[0000] DEBUG └── oracle
[0000] DEBUG all providers started, waiting for graceful completion...
[0000] INFO running vulnerability provider provider=oracle
[0000] DEBUG oracle: 2023-03-07 15:44:13 [INFO] running oracle provider
[0000] DEBUG oracle: 2023-03-07 15:44:13 [INFO] downloading ELSA from https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2
[0019] DEBUG oracle: 2023-03-07 15:44:31 [INFO] wrote 6298 entries
[0019] DEBUG oracle: 2023-03-07 15:44:31 [INFO] recording workspace state
• Building grype-db ...
[0000] INFO grype-db version: ede464c2def9c085325e18ed319b36424d71180d-adhoc-build
[0000] INFO reading all provider state
[0000] INFO building DB build-directory=./build providers=[oracle] schema=5
• Packaging grype-db ...
[0000] INFO grype-db version: ede464c2def9c085325e18ed319b36424d71180d-adhoc-build
[0000] INFO packaging DB from="./build" for="https://toolbox-data.anchore.io/grype/databases"
[0000] INFO created DB archive path=build/vulnerability-db_v5_2023-03-07T20:44:13Z_405ae93d52ac4cde6606.tar.gz
• Importing DB into grype ...
Vulnerability database imported
You can now run grype that uses the newly created DB:
$ grype oraclelinux:8.4
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [195 packages]
✔ Scanning image... [193 vulnerabilities]
├── 0 critical, 25 high, 146 medium, 22 low, 0 negligible
└── 193 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bind-export-libs 32:9.11.26-4.el8_4 32:9.11.26-6.el8 rpm ELSA-2021-4384 Medium
bind-export-libs 32:9.11.26-4.el8_4 32:9.11.36-3.el8 rpm ELSA-2022-2092 Medium
bind-export-libs 32:9.11.26-4.el8_4 32:9.11.36-3.el8_6.1 rpm ELSA-2022-6778 High
bind-export-libs 32:9.11.26-4.el8_4 32:9.11.36-5.el8 rpm ELSA-2022-7790 Medium
# note that we're using the database we just built...
$ grype db status
Location: /Users/wagoodman/code/vunnel/.cache/grype/5 # <--- this is the local DB we just built
...
# also note that we're using a development build of grype
$ which grype
/Users/wagoodman/code/vunnel/bin/grype
The development builds of grype and grype-db provided are derived from ../grype and ../grype-db paths relative to the vunnel project.
If you want to use a different path, you can set the GRYPE_PATH and GRYPE_DB_PATH environment variables. This can be
persisted by adding a .env file to the root of the vunnel project:
# example .env file in the root of the vunnel repo
GRYPE_PATH=~/somewhere/else/grype
GRYPE_DB_PATH=~/also/somewhere/else/grype-db
To rebuild the grype and grype-db binaries from local source, run:
make build-grype
make build-grype-db
This project uses Make for running common development tasks:
make # run static analysis and unit testing
make static-analysis # run static analysis
make unit # run unit tests
make format # format the codebase with black
make lint-fix # attempt to automatically fix linting errors
...
If you want to see all of the things you can do:
make help
If you want to use a locally-editable copy of vunnel while you develop without the custom development shell:
uv pip uninstall vunnel #... if you already have vunnel installed in this virtual env
uv pip install -e .
In order to ensure that the same feed state from providers would make the same set of vulnerabilities, snapshot testing is used.
Snapshot tests are run as part of ordinary unit tests, and will run during
make unit.
To update snapshots, run the following pytest command. (Note that this example is for the debian provider, and the test name and path will be different for other providers):
pytest ./tests/unit/providers/debian/test_debian.py -k test_provider_via_snapshot --snapshot-update
For detailed information about Vunnel’s architecture, including:
See the Vunnel Architecture page.
“Vulnerability matching” is the process of taking a list of vulnerabilities and matching them against a list of packages. A provider in this repo is responsible for the “vulnerability” side of this process. The “package” side is handled by Syft. A prerequisite for adding a new provider is that Syft can catalog the package types that the provider is feeding vulnerability data for, so Grype can perform the matching from these two sources.
To add a new provider, you will need to create a new provider class under /src/vunnel/providers/<name> that inherits from provider.Provider and implements:
name(): a unique and semantically-useful name for the provider (same as the name of the directory)update(): downloads and processes the raw data, writing all results with self.results_writer()All results must conform to a particular schema, today there are a few kinds:
os: a generic operating system vulnerability (e.g redhat, debian, ubuntu, alpine, wolfi, etc.)nvd: tailored to describe vulnerabilities from the NVDgithub-security-advisory: tailored to describe vulnerabilities from GitHubosv: tailored to describe vulnerabilities from the aggregated OSV vulnerability databaseOnce the provider is implemented, you will need to wire it up into the application in a couple places:
src/vunnel/providers/__init__.py mapping your provider name to the classsrc/vunnel/cli/config.py (specifically the Providers dataclass)For a more detailed example on the implementation details of a provider see the “example” provider.
Validating this provider has different implications depending on what is being added. For example, if the provider is adding a new vulnerability source but is ultimately using an existing schema to express results then there may be very little to do! If you are adding a new schema, then the downstream data pipeline will need to be altered to support reading data in the new schema.
Need help with your provider?
Feel free to reach out to a maintainer on an incomplete draft PR and we can help you get it over the finish line!
Take a look at the example provider in the example directory. You are encouraged to copy example/awesome/* into
src/vunnel/providers/YOURPROVIDERNAME/ and modify it to fit the needs of your new provider, however, this is not required:
# from the root of the vunnel repo
cp -a example/awesome src/vunnel/providers/YOURPROVIDERNAME
See the “example” provider README as well as the code comments for steps and considerations to take when implementing a new provider.
Once implemented, you should be able to see the new provider in the vunnel list command and run it with vunnel run <name>.
The entries written should write out to a specific namespace in the DB downstream, as indicated in the record.
This namespace is needed when making Grype changes.
While developing the provider consider using the make dev provider="<your-provider-name>"developer shell to run the provider and manually test the results against grype.
At this point you can optionally open a Vunnel PR with your new provider and a Maintainer can help with the next steps. Or if you’d like to get PR changes merged faster you can continue with the next steps.
This step might not be needed depending on the provider.
Common reasons for needing Grype changes include:
rhel). See the grype db schema namespace index for possible changes: https://github.com/anchore/grype/blob/main/grype/db/v5/namespace/index.go .If you’re using the developer shell (make dev ...) then you can run make build-grype to get a build of grype with your changes.
tests/quality/config.yaml for the new provider.
The configuration maps a provider to test to specific images to test with, for example:
---
- provider: amazon
images:
- docker.io/amazonlinux:2@sha256:1301cc9f889f21dc45733df9e58034ac1c318202b4b0f0a08d88b3fdc03004de
- docker.io/anchore/test_images:vulnerabilities-amazonlinux-2-5c26ce9@sha256:cf742eca189b02902a0a7926ac3fbb423e799937bf4358b0d2acc6cc36ab82aa
These images are used to test the provider on PRs and nightly builds to verify the specific provider is working. Always use both the image tag and digest for all container image entries. Pick an image that has a good representation of the package types that your new provider is adding vulnerability data for.
tests/quality/config.yaml.
If you wanted to see PR quality gate checks pass with your specific Grype changes (if you have any) then you can update the
yardstick.tools[*] entries for grype to use the a version that points to your fork (w.g. your-fork-username/grype@main).
If you don’t have any grype changes needed then you can skip this step.
In order to evaluate the quality of the new provider, we need to know what the expected results are. This is done by annotating Grype results with “True Positive” labels (good results) and “False Positive” labels (bad results). We’ll use Yardstick to do this:
$ cd tests/quality
# capture results with the development version of grype (from your fork)
$ make capture provider=<your-provider-name>
# list your results
$ uv run yardstick result list | grep grype
d415064e-2bf3-4a1d-bda6-9c3957f2f71a docker.io/anc... grype@v0.58.0 2023-03...
75d1fe75-0890-4d89-a497-b1050826d9f6 docker.io/anc... grype[custom-db]@bdcefd2 2023-03...
# use the "grype[custom-db]" result UUID and explore the results and add labels to each entry
$ uv run yardstick label explore 75d1fe75-0890-4d89-a497-b1050826d9f6
# You can use the yardstick TUI to label results:
# - use "T" to label a row as a True Positive
# - use "F" to label a row as a False Positive
# - Ctrl-Z to undo a label
# - Ctrl-S to save your labels
# - Ctrl-C to quit when you are done
Later we’ll open a PR in the vulnerability-match-labels repo to persist these labels. For the meantime we can iterate locally with the labels we’ve added.
cd tests/quality
# runs your specific provider to gather vulnerability data, builds a DB, and runs grype with the new DB
make capture provider=<your-provider-name>
# evaluate the quality gate
make validate
This uses the latest Grype DB release to build a DB and the specified Grype version with a DB containing only data from the new provider.
You are looking for a passing run before continuing further.
Vunnel uses the labels in the vulnerability-Match-Labels repo via a git submodule. We’ve already added labels locally within this submodule in an earlier step. To persist these labels we need to push them to a fork and open a PR:
# fork the github.com/anchore/vulnerability-match-labels repo, but you do not need to clone it...
# from the Vunnel repo...
$ cd tests/quality/vulnerability-match-labels
$ git remote add fork git@github.com:your-fork-name/vulnerability-match-labels.git
$ git checkout -b 'add-labels-for-<your-provider-name>'
$ git status
# you should see changes from the labels/ directory for your provider that you added
$ git add .
$ git commit -m 'add labels for <your-provider-name>'
$ git push fork add-labels-for-<your-provider-name>
At this point you can open a PR against in the vulnerability-match-labels repo.
Note: you will not be able to open a Vunnel PR that passes PR checks until the labels are merged into the vulnerability-match-labels repo.
Once the PR is merged in the vulnerability-match-labels repo you can update the submodule in Vunnel to point to the latest commit in the vulnerability-match-labels repo.
cd tests/quality
git submodule update --remote vulnerability-match-labels
The PR will also run all of the same quality gate checks that you ran locally.
If you have Grype changes, you should also create a PR for that as well. The Vunnel PR will not pass PR checks until the Grype PR is merged and the test/quality/config.yaml file is updated to point back to the latest Grype version.
This is the same process as listed above with a few additional steps:
schemas directory.pkg/provider/unmarshal and pkg/process/v* directories.tests/quality/config.yaml file will need to be updated to use development grype-db.version, pointing to your fork.tests/quality/config.yaml file is updated to point back to the latest Grype DB version.Looking to help out with improving the code quality of Vunnel, but not sure where to start?
The best way is to look for issues with the refactor label.
More general ways would be to use radon to search for complexity and maintainability issues:
$ radon cc src --total-average -nb
src/vunnel/provider.py
M 115:4 Provider._on_error - B
src/vunnel/providers/alpine/parser.py
M 73:4 Parser._download - C
M 178:4 Parser._normalize - C
M 141:4 Parser._load - B
C 44:0 Parser - B
src/vunnel/providers/amazon/parser.py
M 66:4 Parser._parse_rss - C
C 164:0 JsonifierMixin - C
M 165:4 JsonifierMixin.json - C
C 32:0 Parser - B
M 239:4 PackagesHTMLParser.handle_data - B
...
The output of radon indicates the type (M=method, C=class, F=function), the path/name, and a A-F grade. Anything that’s not an A is worth taking a look at.
Another approach is to use wily:
$ wily build
...
$ wily rank
-----------Rank for Maintainability Index for bdb4983 by Alex Goodman on 2022-12-25.------------
╒═════════════════════════════════════════════════╤═════════════════════════╕
│ File │ Maintainability Index │
╞═════════════════════════════════════════════════╪═════════════════════════╡
│ src/vunnel/providers/rhel/parser.py │ 21.591 │
├─────────────────────────────────────────────────┼─────────────────────────┤
│ src/vunnel/providers/ubuntu/parser.py │ 21.6144 │
├─────────────────────────────────────────────────┼─────────────────────────┤
│ tests/unit/providers/github/test_github.py │ 35.3599 │
├─────────────────────────────────────────────────┼─────────────────────────┤
│ tests/unit/utils/test_oval_v2.py │ 36.3388 │
├─────────────────────────────────────────────────┼─────────────────────────┤
│ src/vunnel/providers/debian/parser.py │ 37.3723 │
├─────────────────────────────────────────────────┼─────────────────────────┤
│ tests/unit/utils/test_fdb.py │ 38.6926 │
├─────────────────────────────────────────────────┼─────────────────────────┤
│ tests/unit/providers/sles/test_sles.py │ 41.6602 │
├─────────────────────────────────────────────────┼─────────────────────────┤
│ tests/unit/providers/ubuntu/test_ubuntu.py │ 43.1323 │
├─────────────────────────────────────────────────┼─────────────────────────┤
...
Ideally we should try to get wily diff output into the CI pipeline and post on a sticky PR comment to show regressions (and potentially fail the CI run).
This codebase has been ported from another repo that did not have any type hints. This is OK, though ideally over time this should be corrected as new features are added and bug fixes made.
We use mypy today for static type checking, however, the ported code has been explicitly ignored (see pyproject.toml).
If you want to make enhancements in this area consider using automated tooling such as pytype to generate types via inference into .pyi files and later merge them into the codebase with merge-pyi.
Alternatively a tool like MonkeyType can be used generate static types from runtime data and incorporate into the code.
Understanding the Codebase
Vunnel Architecture - Learn about provider abstraction, workspace conventions, and vulnerability schemas
Example Provider - Detailed walkthrough of creating a new provider Contributing Your Work
Pull Requests - Guidelines for submitting PRs and working with reviewers
Issues and Discussions - Where to get help and report issues
Finding Work
Getting Help
In order to test and develop in the Grant repo you will need the following dependencies installed:
Run once after cloning to install development tools:
make bootstrap
Make sure you’ve updated your docker settings so the default docker socket path is available.
Go to docker → settings → advanced and ensure “Allow the default Docker socket to be used” is checked.
Use the default docker context, run: docker context use default
Common commands for ongoing development:
make help - List all available commandsmake lint - Check code formatting and lintingmake lint-fix - Auto-fix formatting issuesmake unit - Run unit testsmake test - Run all testsmake snapshot - Build release snapshot with all binaries and packages (also available as make build)make generate - Generate SPDX license index and license patternsunit (make unit): The default level of test which is distributed throughout the repo are unit tests.
Any _test.go file that does not reside somewhere within the /tests directory is a unit test.
These tests focus on the correctness of functionality in depth. % test coverage metrics only consider unit tests and no other forms of testing.
integration (make test): located in tests/integration_test.go, these tests focus on policy loading, license evaluation, and core library behavior.
They test the interaction between different components like policy parsing, license matching with glob patterns, and package evaluation logic.
cli (part of make test): located in tests/cli/, these are tests that test the correctness of application behavior from a snapshot build.
These tests execute the actual Grant binary and verify command output, exit codes, and behavior of commands like check, list, and version.
Taskfile.yaml)You can run the linter for the project by running:
make lint
This checks code formatting with gofmt and runs golangci-lint checks.
To automatically fix linting issues:
make lint-fix
Grant generates code and data files that need to be kept in sync with external sources:
What gets generated:
When to regenerate:
Run code generation after:
Generation commands:
make generate - Run all generation tasksmake generate-spdx-licenses - Download and generate latest SPDX license listmake generate-license-patterns - Generate license file patterns (depends on SPDX license index)After running generation commands, review the changes carefully and commit them as part of your pull request.
Grant is organized into two main areas: the public library API and the CLI application. For detailed API documentation, see the Grant Go package reference.
grant/ - Public Library API
The top-level grant/ package is the public library that other projects can import and use. This is what you’d reference with import "github.com/anchore/grant/grant".
This package contains the core functionality:
Most contributions to core Grant functionality belong in this package.
cmd/grant/ - CLI Application
The CLI application is built on top of the grant/ library and contains application-specific code:
cmd/grant/
├── cli/ # Command wiring and application setup
│ ├── command/ # CLI command implementations (list, check, etc.)
│ ├── internal/ # Internal command implementations
│ ├── option/ # Command flags and configuration options
│ └── tui/ # Terminal UI and event handlers
└── main.go # Application entrypoint
Contributions to CLI features, command behavior, or user interface improvements belong in this package.
Understanding the Codebase
Contributing Your Work
Finding Work
Getting Help
All commits require a simple sign-off line to confirm you have the right to contribute your code. This is a standard practice in open source called the Developer Certificate of Origin (DCO).
The easiest way is to use the -s or --signoff flag when committing:
git commit -s -m "your commit message"
This automatically adds a sign-off line to your commit message:
Signed-off-by: Your Name <your.email@example.com>
Tip: You can configure Git to always sign off commits automatically:
git config --global format.signoff true
To check that your commit includes the sign-off, look at the log output:
git log -1
You should see the Signed-off-by: line at the end of your commit message:
commit 37ceh170e4hb283bb73d958f2036ee5k07e7fde7
Author: Your Name <your.email@example.com>
Date: Mon Aug 1 11:27:13 2020 -0400
your commit message
Signed-off-by: Your Name <your.email@example.com>
In plain English: By adding a sign-off line, you’re confirming that:
This protects both you and the project. It’s a simple legal formality that takes just a few seconds to add to each commit.
All contributions to this project are licensed under the Apache License Version 2.0.
If you’ve already committed without a sign-off (easy to do!), you can add it retroactively.
git commit --amend --signoff
This updates your last commit to include the sign-off line.
If you need to add sign-off to commits further back in your history:
git rebase --signoff HEAD~N
Replace N with the number of commits you need to sign. For example, HEAD~3 signs off the last 3 commits.
Note: If you’ve already pushed these commits, you’ll need to force-push after rebasing:
git push --force-with-lease
Rebasing rewrites commit history, which can be tricky if you’re not familiar with it. If you run into issues:
The Developer Certificate of Origin (DCO) is a legal attestation that you have the right to submit your contribution under the project’s license. Here’s the full text:
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
The DCO protects both contributors and the project by creating a clear record of contribution rights and licensing terms.
In order to test and develop in the sbom-action repo you will need the following dependencies installed:
Run once after cloning to install dependencies and development tools:
npm install
This command installs all dependencies and sets up Husky git hooks that automatically format code and rebuild the distribution files before commits.
Common commands for ongoing development:
npm run build - Check TypeScript compilation (no output files)npm run lint - Check code with ESLintnpm run format - Auto-format code with Prettiernpm run format-check - Check code formatting without changesnpm run package - Build distribution files with ncc (outputs to dist/)npm test - Run Jest testsnpm run all - Complete validation suite (build + format + lint + package + test)The sbom-action uses Jest for testing. To run the test suite:
npm test
The CI workflow handles any additional setup automatically (like Docker registries). For local development, you just need to install dependencies and run tests.
The test suite includes two main categories:
Unit tests (e.g., tests/GithubClient.test.ts, tests/SyftGithubAction.test.ts): Test individual components in isolation by mocking GitHub Actions context and external dependencies.
Integration tests (tests/integration/): Execute the full action workflow with real Syft invocations against test fixtures in tests/fixtures/ (npm-project, yarn-project). These tests use snapshot testing to validate SBOM output and GitHub dependency snapshot uploads.
Integration tests extensively use Jest’s snapshot testing to validate SBOM output. When you run integration tests, Jest compares the generated SBOMs against saved snapshots in tests/integration/__snapshots__/.
The tests normalize dynamic values (timestamps, hashes, IDs) before comparison to ensure consistent snapshots across runs.
Updating snapshots:
When you intentionally change SBOM output format or content, update the snapshots:
npm run test:update-snapshots
The sbom-action uses Husky to run automated checks before each commit:
npm run package to rebuild dist/ directorydist/ filesThe hook is defined in .husky/pre-commit and runs the precommit npm script.
Why commit dist/?
GitHub Actions can’t install dependencies or compile code at runtime. The action must include pre-built JavaScript files in the dist/ directory. The ncc compiler bundles all TypeScript source and dependencies into standalone JavaScript files.
The sbom-action consists of three GitHub Actions, each with its own entry point:
Main action (action.yml):
src/runSyftAction.tsdist/runSyftAction/index.jsPublish SBOM sub-action (publish-sbom/action.yml):
src/attachReleaseAssets.tsdist/attachReleaseAssets/index.jsDownload Syft sub-action (download-syft/action.yml):
src/downloadSyft.tsdist/downloadSyft/index.jsKey modules:
src/Syft.ts - Wraps Syft execution and configurationsrc/SyftVersion.ts - Manages Syft version resolutionsrc/github/SyftDownloader.ts - Handles Syft binary downloadssrc/github/SyftGithubAction.ts - Core action orchestration logicsrc/github/GithubClient.ts - GitHub API interactionssrc/github/Executor.ts - Command execution wrapperEnable detailed debug logging by setting a repository secret:
ACTIONS_STEP_DEBUG = trueThis enables debug logging from the @actions/toolkit libraries used throughout the action.
See the GitHub documentation for more details.
CI validation:
The repository includes comprehensive CI workflows in .github/workflows/test.yml that:
Manual testing:
Test changes in your own workflows using the repository name and branch:
- uses: your-username/sbom-action@your-branch
with:
path: ./
Or test locally using act if you have it installed.
The sbom-action uses the Node.js 20 runtime (runs.using: node20 in action.yml). This runtime is provided by GitHub Actions and doesn’t require separate installation in workflows.
Understanding the Codebase
Contributing Your Work
Finding Work
Getting Help
Security is a top priority for Anchore’s open source projects. We appreciate the security research community’s efforts in responsibly disclosing vulnerabilities to help keep our users safe.
Security updates are applied only to the most recent release of each project. We strongly recommend staying up to date with the latest versions to ensure you have the most recent security patches and fixes.
If you’re using an older version and concerned about a security issue, please upgrade to the latest release. For questions about specific versions, reach out on Discourse.
Found a security vulnerability? Please report security issues privately by emailing security@anchore.com rather than creating a public GitHub issue. This gives us time to fix the problem and protect users before details become public.
To help us understand and address the issue quickly, please include as much detail as you can:
Don’t worry if you can’t provide every detail –partial reports are still valuable and welcome. We’ll work with you to understand the issue.
After you submit a report:
Anchore follows a coordinated disclosure process:
Thank you for helping keep Anchore’s open source projects and their users secure.
All Anchore open source projects follow the Contributor Covenant Code of Conduct.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
Examples of behavior that contributes to a positive environment for our community include:
Examples of unacceptable behavior include:
Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official email address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at opensource@anchore.com.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the reporter of any incident.
Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
Community Impact: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
Consequence: The original post will be edited or removed and a warning issued to the offender.
Community Impact: A serious violation of community standards, including sustained inappropriate behavior.
Consequence: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
Community Impact: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
Consequence: A permanent ban from any sort of public interaction within the community.
This Code of Conduct is adapted from the Contributor Covenant, version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by Mozilla’s code of conduct enforcement ladder.
For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.
In order to test and develop in the scan-action repo you will need the following dependencies installed:
Run once after cloning to install dependencies and development tools:
npm install
This command installs all dependencies and sets up Husky git hooks that automatically format code and rebuild the distribution files before commits.
Common commands for ongoing development:
npm run build - Bundle with ncc and normalize line endingsnpm run lint - Check code with ESLintnpm run prettier - Auto-format code with Prettiernpm test - Complete test suite (lint + install Grype + build + run tests)npm run run-tests - Run Jest tests onlynpm run test:update-snapshots - Update test expectations (lint + install Grype + run tests with snapshot updates)npm run audit - Run security audit on production dependenciesnpm run update-deps - Update dependencies with npm-check-updatesTests require Grype to be installed locally and a Docker registry for integration tests. Set up your test environment:
Install Grype locally:
npm run install-and-update-grype
Start local Docker registry:
docker run -d -p 5000:5000 --name registry registry:2
Tests automatically disable Grype database auto-update and validation to ensure consistent test results.
CI environment:
The GitHub Actions test workflow automatically:
The scan-action uses Jest for testing with several categories:
Unit tests (e.g., tests/action.test.js, tests/grype_command.test.js): Test individual functions in isolation by mocking GitHub Actions context and external dependencies.
Integration tests: Execute the full action workflow with real Grype invocations. These tests validate end-to-end functionality including downloading Grype, running scans, and generating output files.
SARIF validation tests (tests/sarif_output.test.js): Validate SARIF report structure and content using the @microsoft/jest-sarif library to ensure consistent output format and compliance with the SARIF specification.
Distribution tests (tests/dist.test.js): Verify that the committed dist/ directory is up-to-date with the source code.
Test fixtures:
The tests/fixtures/ directory contains sample projects and files for testing:
npm-project/ - Sample npm project for directory scanningyarn-project/ - Sample yarn project for directory scanningtest_sbom.spdx.json - Sample SBOM file for SBOM scanning testsThe SARIF output tests validate report structure using the @microsoft/jest-sarif library. Tests normalize dynamic values (versions, fully qualified names) before validation to ensure consistent results across test runs.
The tests validate that:
If you need to update test expectations, run:
npm run test:update-snapshots
The scan-action uses Husky to run automated checks before each commit:
npm run precommit to rebuild dist/ directorydist/ filesThe hook is defined in .husky/pre-commit and ensures that distribution files are always synchronized with source code.
Why commit dist/?
GitHub Actions can’t install dependencies or compile code at runtime. The action must include pre-built JavaScript files in the dist/ directory. The ncc compiler bundles all source code and dependencies into standalone JavaScript files.
The scan-action has a straightforward single-file architecture:
Main action (action.yml):
index.jsdist/index.jsDownload Grype sub-action (download-grype/action.yml):
dist/index.js with run: "download-grype" inputcmd output with path to Grype binaryKey functions in index.js:
downloadGrype() - Downloads Grype using install scriptdownloadGrypeWindowsWorkaround() - Windows-specific download logicinstallGrype() - Installs and caches Grype binarysourceInput() - Validates mutually exclusive inputs (image/path/sbom)run() - Main action execution flowEnable detailed debug logging by setting a repository secret:
ACTIONS_STEP_DEBUG = trueThis enables debug logging from the @actions/toolkit libraries used throughout the action.
See the GitHub documentation for more details.
CI validation:
The repository includes comprehensive CI workflows in .github/workflows/test.yml that:
Manual testing:
Test changes in your own workflows using the repository name and branch:
- uses: <your-username>/scan-action@<your-branch>
with:
image: "alpine:latest"
Or test locally using act if you have it installed.
The scan-action uses the Node.js 20 runtime (runs.using: node20 in action.yml). This runtime is provided by GitHub Actions and doesn’t require separate installation in workflows.
Understanding the Codebase
Contributing Your Work
Finding Work
Getting Help
This style guide is for the Anchore OSS documentation. The style guide helps contributors to write documentation that readers can understand quickly and correctly.
The Anchore OSS docs aim for:
Use American spelling rather than Commonwealth or British spelling. Refer to Merriam-Webster’s Collegiate Dictionary, Eleventh Edition.
Some hints:
Always spell out the full term for every abbreviation or acronym the first time you use it on the page. Don’t assume people know what an abbreviation or acronym means, even if it seems like common knowledge.
Example: “To run Grype locally in a virtual machine (VM)”
For example, it’s fine to write “it’s” instead of “it is”.
When referring to a product or brand, use the full name. Capitalize the name as the product owners do in the product documentation. Do not use abbreviations even if they’re in common use, unless the product owner has sanctioned the abbreviation.
| Use this | Instead of this |
|---|---|
| Anchore | anchore |
| Kubernetes | k8s |
| GitHub | github |
Use punctuation consistently within a page. For example, if you use a period (full stop) after every item in list, then use a period on all other lists on the page.
Check the other pages if you’re unsure about a particular convention.
Examples:
description in the front matter of each page.)Passive voice is often confusing, as it’s not clear who should perform the action.
| Use active voice | Instead of passive voice |
|---|---|
| You can configure Grype to | Grype can be configured to |
| Add the directory to your path | The directory should be added to your path |
Avoid future tense (“will”) and complex syntax such as conjunctive mood (“would”, “should”).
| Use simple present tense | Instead of future tense or complex syntax |
|---|---|
| The following command provisions a virtual machine | The following command will provision a virtual machine |
| If you add this configuration element, the system is open to the Internet | If you added this configuration element, the system would be open to the Internet |
Exception: Use future tense if it’s necessary to convey the correct meaning. This requirement is rare.
Using “we” in a sentence can be confusing, because the reader may not know whether they’re part of the “we” you’re describing.
For example, compare the following two statements:
The words “the developer” or “the user” can be ambiguous. For example, if the reader is building a product that also has users, then the reader does not know whether you’re referring to the reader or the users of their product.
| Address the reader directly | Instead of "we", "the user", or "the developer" |
|---|---|
| Include the directory in your path | The user must make sure that the directory is included in their path |
| In this tutorial you build a flying saucer | In this tutorial we build a flying saucer |
Keep sentences short. Short sentences are easier to read than long ones. Below are some tips for writing short sentences.
| Use fewer words instead of many words that convey the same meaning | |
|---|---|
| Use this | Instead of this |
| You can use | It is also possible to use |
| You can | You are able to |
| Split a single long sentence into two or more shorter ones | |
|---|---|
| Use this | Instead of this |
| You do not need a running GKE cluster. The deployment process creates a cluster for you | You do not need a running GKE cluster, because the deployment process creates a cluster for you |
| Use a list instead of a long sentence showing various options | |
|---|---|
| Use this | Instead of this |
To scan a container for vulnerabilities:
| To scan a container, you must package the software in an OCI container, upload the container to an online registry, and run Grype with the container name as a parameter. |
Use bold text when referring to UI controls or other UI elements.
Use code style for:
Avoid using bold text or capital letters for emphasis. If a page has too much textual highlighting it becomes confusing and even annoying.
For example:
export SYFT_PARALLELISM=<number>--email <your email address>The Anchore OSS docs recognize Bootstrap classes to style images and other content.
The following code snippet shows the typical styling that makes an image show up nicely on the page:
<!-- for wide images -->
<img src="/images/my-image.png" alt="My image" class="mt-3 mb-3 border rounded" />
<!-- for tall images -->
<img src="/images/my-image.png" alt="My image" class="mt-3 mb-3 border rounded" style="width: 100%; max-width: 30em" />
To see some examples of styled images, take a look at the Kubeflow OAuth setup page.
For more help, see the guide to Bootstrap image styling and the Bootstrap utilities, such as borders.
The Google Developer Documentation Style Guide contains detailed information about specific aspects of writing clear, readable, succinct documentation for a developer audience.
1.38.0.Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems
Usage:
syft [SOURCE] [flags]
syft [command]
Examples:
syft scan alpine:latest a summary of discovered packages
syft scan alpine:latest -o json show all possible cataloging details
syft scan alpine:latest -o cyclonedx show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx-json show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o spdx show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx@2.2 show a SPDX 2.2 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx-json show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json@2.2 show a SPDX 2.2 JSON formatted SBOM
syft scan alpine:latest -vv show verbose debug information
syft scan alpine:latest -o template -t my_format.tmpl show a SBOM formatted according to given template file
Supports the following image sources:
syft scan yourrepo/yourimage:tag defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
syft scan path/to/a/file/or/dir a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
syft scan docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft scan podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft scan registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft scan docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft scan oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft scan oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft scan singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
syft scan dir:path/to/yourproject read directly from a path on disk (any directory)
syft scan file:path/to/yourproject/file read directly from a path on disk (any single file)
Available Commands:
attest Generate an SBOM as an attestation for the given [SOURCE] container image
cataloger Show available catalogers and configuration
completion Generate the autocompletion script for the specified shell
config show the syft configuration
convert Convert between SBOM formats
help Help about any command
login Log in to a registry
scan Generate an SBOM
version show version information
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
-c, --config stringArray syft configuration file(s) to use
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
--exclude stringArray exclude paths from being scanned using a glob expression
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for syft
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--profile stringArray configuration profiles to use
-q, --quiet suppress all logging output
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
-t, --template string specify the path to a Go template file
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for syft
Use "syft [command] --help" for more information about a command.
syft attest
Generate a packaged-based Software Bill Of Materials (SBOM) from a container image as the predicate of an in-toto attestation that will be uploaded to the image registry.
Usage:
syft attest --output [FORMAT] <IMAGE> [flags]
Examples:
syft attest --output [FORMAT] alpine:latest defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry
You can also explicitly specify the scheme to use:
syft attest docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft attest podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft attest registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft attest docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft attest oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft attest oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft attest singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
--exclude stringArray exclude paths from being scanned using a glob expression
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for attest
-k, --key string the key to use for the attestation
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-json])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
syft cataloger list
List available catalogers.
Usage:
syft cataloger list [OPTIONS] [flags]
Flags:
-h, --help help for list
-o, --output string format to output the cataloger list (available: table, json)
--override-default-catalogers stringArray override the default catalogers with an expression (default [all])
--select-catalogers stringArray select catalogers with an expression
-s, --show-hidden show catalogers that have been de-selected
syft config
Show the syft configuration.
Usage:
syft config [flags]
syft config [command]
Available Commands:
locations shows all locations and the order in which syft will look for a configuration file
Flags:
-h, --help help for config
--load load and validate the syft configuration
syft convert
[Experimental] Convert SBOM files to, and from, SPDX, CycloneDX and Syft’s format. For more info about data loss between formats see https://github.com/anchore/syft/wiki/format-conversion.
Usage:
syft convert [SOURCE-SBOM] -o [FORMAT] [flags]
Examples:
syft convert img.syft.json -o spdx-json convert a syft SBOM to spdx-json, output goes to stdout
syft convert img.syft.json -o cyclonedx-json=img.cdx.json convert a syft SBOM to CycloneDX, output is written to the file "img.cdx.json"
syft convert - -o spdx-json convert an SBOM from STDIN to spdx-json
Flags:
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
-h, --help help for convert
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
-t, --template string specify the path to a Go template file
syft login
Log in to a registry.
Usage:
syft login [OPTIONS] [SERVER] [flags]
Examples:
# Log in to reg.example.com
syft login reg.example.com -u AzureDiamond -p hunter2
Flags:
-h, --help help for login
-p, --password string Password
--password-stdin Take the password from stdin
-u, --username string Username
syft scan
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems.
Usage:
syft scan [SOURCE] [flags]
Examples:
syft scan alpine:latest a summary of discovered packages
syft scan alpine:latest -o json show all possible cataloging details
syft scan alpine:latest -o cyclonedx show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx-json show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o spdx show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx@2.2 show a SPDX 2.2 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx-json show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json@2.2 show a SPDX 2.2 JSON formatted SBOM
syft scan alpine:latest -vv show verbose debug information
syft scan alpine:latest -o template -t my_format.tmpl show a SBOM formatted according to given template file
Supports the following image sources:
syft scan yourrepo/yourimage:tag defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
syft scan path/to/a/file/or/dir a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
syft scan docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft scan podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft scan registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft scan docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft scan oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft scan oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft scan singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
syft scan dir:path/to/yourproject read directly from a path on disk (any directory)
syft scan file:path/to/yourproject/file read directly from a path on disk (any single file)
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
--exclude stringArray exclude paths from being scanned using a glob expression
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for scan
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
-t, --template string specify the path to a Go template file
syft version
Show version information.
Usage:
syft version [flags]
Flags:
-h, --help help for version
-o, --output string the format to show the results (allowable: [text json]) (default "text")
1.38.0.Syft searches for configuration files in the following locations, in order:
./.syft.yaml - current working directory./.syft/config.yaml - app subdirectory in current working directory~/.syft.yaml - home directory$XDG_CONFIG_HOME/syft/config.yaml - XDG config directoryThe configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
For general information about how config and environment variables are handled, see the Configuration Reference section.
log:
# suppress all logging output (env: SYFT_LOG_QUIET)
quiet: false
# increase verbosity (-v = info, -vv = debug) (env: SYFT_LOG_VERBOSITY)
verbosity: 0
# explicitly set the logging level (available: [error warn info debug trace]) (env: SYFT_LOG_LEVEL)
level: "warn"
# file path to write logs to (env: SYFT_LOG_FILE)
file: ""
dev:
# capture resource profiling data (available: [cpu, mem]) (env: SYFT_DEV_PROFILE)
profile: ""
# the configuration file(s) used to load application configuration (env: SYFT_CONFIG)
config: ""
# the output format(s) of the SBOM report (options: syft-table, syft-text, syft-json, spdx-json, ...)
# to specify multiple output files in differing formats, use a list:
# output:
# - "syft-json=<syft-json-output-file>"
# - "spdx-json=<spdx-json-output-file>" (env: SYFT_OUTPUT)
output:
- "syft-table"
# file to write the default report output to (default is STDOUT) (env: SYFT_LEGACYFILE)
legacyFile: ""
format:
# default value for all formats that support the "pretty" option (default is unset) (env: SYFT_FORMAT_PRETTY)
pretty:
template:
# path to the template file to use when rendering the output with the template output format.
# Note that all template paths are based on the current syft-json schema (env: SYFT_FORMAT_TEMPLATE_PATH)
path: ""
# if true, uses the go structs for the syft-json format for templating.
# if false, uses the syft-json output for templating (which follows the syft JSON schema exactly).
#
# Note: long term support for this option is not guaranteed (it may change or break at any time) (env: SYFT_FORMAT_TEMPLATE_LEGACY)
legacy: false
json:
# transform any syft-json output to conform to an approximation of the v11.0.1 schema. This includes:
# - using the package metadata type names from before v12 of the JSON schema (changed in https://github.com/anchore/syft/pull/1983)
#
# Note: this will still include package types and fields that were added at or after json schema v12. This means
# that output might not strictly be json schema v11 compliant, however, for consumers that require time to port
# over to the final syft 1.0 json output this option can be used to ease the transition.
#
# Note: long term support for this option is not guaranteed (it may change or break at any time) (env: SYFT_FORMAT_JSON_LEGACY)
legacy: false
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_JSON_PRETTY)
pretty:
spdx-json:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_SPDX_JSON_PRETTY)
pretty:
cyclonedx-json:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_CYCLONEDX_JSON_PRETTY)
pretty:
cyclonedx-xml:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_CYCLONEDX_XML_PRETTY)
pretty:
# whether to check for an application update on start up or not (env: SYFT_CHECK_FOR_APP_UPDATE)
check-for-app-update: true
# enable one or more package catalogers (env: SYFT_CATALOGERS)
catalogers: []
# set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source) (env: SYFT_DEFAULT_CATALOGERS)
default-catalogers: []
# add, remove, and filter the catalogers to be used (env: SYFT_SELECT_CATALOGERS)
select-catalogers: []
package:
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
# note: for now this only applies to the java package cataloger (env: SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES)
search-unindexed-archives: false
# search within archives that do contain a file index to search against (zip)
# note: for now this only applies to the java package cataloger (env: SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES)
search-indexed-archives: true
# allows users to exclude synthetic binary packages from the sbom
# these packages are removed if an overlap with a non-synthetic package is found (env: SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
exclude-binary-overlap-by-ownership: true
license:
# include the content of licenses in the SBOM for a given syft scan; valid values are: [all unknown none] (env: SYFT_LICENSE_CONTENT)
content: "none"
# adjust the percent as a fraction of the total text, in normalized words, that
# matches any valid license for the given inputs, expressed as a percentage across all of the licenses matched. (env: SYFT_LICENSE_COVERAGE)
coverage: 75
file:
metadata:
# select which files should be captured by the file-metadata cataloger and included in the SBOM.
# Options include:
# - "all": capture all files from the search space
# - "owned-by-package": capture only files owned by packages
# - "none", "": do not capture any files (env: SYFT_FILE_METADATA_SELECTION)
selection: "owned-by-package"
# the file digest algorithms to use when cataloging files (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_FILE_METADATA_DIGESTS)
digests:
- "sha1"
- "sha256"
content:
# skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes) (env: SYFT_FILE_CONTENT_SKIP_FILES_ABOVE_SIZE)
skip-files-above-size: 256000
# file globs for the cataloger to match on (env: SYFT_FILE_CONTENT_GLOBS)
globs: []
executable:
# file globs for the cataloger to match on (env: SYFT_FILE_EXECUTABLE_GLOBS)
globs: []
# selection of layers to catalog, options=[squashed all-layers deep-squashed] (env: SYFT_SCOPE)
scope: "squashed"
# number of cataloger workers to run in parallel
# by default, when set to 0: this will be based on runtime.NumCPU * 4, if set to less than 0 it will be unbounded (env: SYFT_PARALLELISM)
parallelism: 0
relationships:
# include package-to-file relationships that indicate which files are owned by which packages (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP)
package-file-ownership: true
# include package-to-package relationships that indicate one package is owned by another due to files claimed to be owned by one package are also evidence of another package's existence (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP_OVERLAP)
package-file-ownership-overlap: true
compliance:
# action to take when a package is missing a name (env: SYFT_COMPLIANCE_MISSING_NAME)
missing-name: "drop"
# action to take when a package is missing a version (env: SYFT_COMPLIANCE_MISSING_VERSION)
missing-version: "stub"
# Enable data enrichment operations, which can utilize services such as Maven Central and NPM.
# By default all enrichment is disabled, use: all to enable everything.
# Available options are: all, golang, java, javascript, python (env: SYFT_ENRICH)
enrich: []
dotnet:
# only keep dep.json packages which an executable on disk is found. The package is also included if a DLL is found for any child package, even if the package itself does not have a DLL. (env: SYFT_DOTNET_DEP_PACKAGES_MUST_HAVE_DLL)
dep-packages-must-have-dll: false
# only keep dep.json packages which have a runtime/resource DLL claimed in the deps.json targets section (but not necessarily found on disk). The package is also included if any child package claims a DLL, even if the package itself does not claim a DLL. (env: SYFT_DOTNET_DEP_PACKAGES_MUST_CLAIM_DLL)
dep-packages-must-claim-dll: true
# treat DLL claims or on-disk evidence for child packages as DLL claims or on-disk evidence for any parent package (env: SYFT_DOTNET_PROPAGATE_DLL_CLAIMS_TO_PARENTS)
propagate-dll-claims-to-parents: true
# show all packages from the deps.json if bundling tooling is present as a dependency (e.g. ILRepack) (env: SYFT_DOTNET_RELAX_DLL_CLAIMS_WHEN_BUNDLING_DETECTED)
relax-dll-claims-when-bundling-detected: true
golang:
# search for go package licences in the GOPATH of the system running Syft, note that this is outside the
# container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES)
search-local-mod-cache-licenses:
# specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod (env: SYFT_GOLANG_LOCAL_MOD_CACHE_DIR)
local-mod-cache-dir: "~/go/pkg/mod"
# search for go package licences in the vendor folder on the system running Syft, note that this is outside the
# container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_VENDOR_LICENSES)
search-local-vendor-licenses:
# specify an explicit go vendor directory, if unset this defaults to ./vendor (env: SYFT_GOLANG_LOCAL_VENDOR_DIR)
local-vendor-dir: ""
# search for go package licences by retrieving the package from a network proxy (env: SYFT_GOLANG_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# remote proxy to use when retrieving go packages from the network,
# if unset this defaults to $GOPROXY followed by https://proxy.golang.org (env: SYFT_GOLANG_PROXY)
proxy: "https://proxy.golang.org,direct"
# specifies packages which should not be fetched by proxy
# if unset this defaults to $GONOPROXY (env: SYFT_GOLANG_NO_PROXY)
no-proxy: ""
main-module-version:
# look for LD flags that appear to be setting a version (e.g. -X main.version=1.0.0) (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_LD_FLAGS)
from-ld-flags: true
# search for semver-like strings in the binary contents (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_CONTENTS)
from-contents: false
# use the build settings (e.g. vcs.version & vcs.time) to craft a v0 pseudo version
# (e.g. v0.0.0-20220308212642-53e6d0aaf6fb) when a more accurate version cannot be found otherwise (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_BUILD_SETTINGS)
from-build-settings: true
java:
# enables Syft to use the network to fetch version and license information for packages when
# a parent or imported pom file is not found in the local maven repository.
# the pom files are downloaded from the remote Maven repository at 'maven-url' (env: SYFT_JAVA_USE_NETWORK)
use-network:
# use the local Maven repository to retrieve pom files. When Maven is installed and was previously used
# for building the software that is being scanned, then most pom files will be available in this
# repository on the local file system. this greatly speeds up scans. when all pom files are available
# in the local repository, then 'use-network' is not needed.
# TIP: If you want to download all required pom files to the local repository without running a full
# build, run 'mvn help:effective-pom' before performing the scan with syft. (env: SYFT_JAVA_USE_MAVEN_LOCAL_REPOSITORY)
use-maven-local-repository:
# override the default location of the local Maven repository.
# the default is the subdirectory '.m2/repository' in your home directory (env: SYFT_JAVA_MAVEN_LOCAL_REPOSITORY_DIR)
maven-local-repository-dir: "~/.m2/repository"
# maven repository to use, defaults to Maven central (env: SYFT_JAVA_MAVEN_URL)
maven-url: "https://repo1.maven.org/maven2"
# depth to recursively resolve parent POMs, no limit if <= 0 (env: SYFT_JAVA_MAX_PARENT_RECURSIVE_DEPTH)
max-parent-recursive-depth: 0
# resolve transient dependencies such as those defined in a dependency's POM on Maven central (env: SYFT_JAVA_RESOLVE_TRANSITIVE_DEPENDENCIES)
resolve-transitive-dependencies: false
javascript:
# enables Syft to use the network to fill in more detailed license information (env: SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# base NPM url to use (env: SYFT_JAVASCRIPT_NPM_BASE_URL)
npm-base-url: ""
# include development-scoped dependencies (env: SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES)
include-dev-dependencies:
linux-kernel:
# whether to catalog linux kernel modules found within lib/modules/** directories (env: SYFT_LINUX_KERNEL_CATALOG_MODULES)
catalog-modules: true
nix:
# enumerate all files owned by packages found within Nix store paths (env: SYFT_NIX_CAPTURE_OWNED_FILES)
capture-owned-files: false
python:
# enables Syft to use the network to fill in more detailed license information (env: SYFT_PYTHON_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# base Pypi url to use (env: SYFT_PYTHON_PYPI_BASE_URL)
pypi-base-url: ""
# when running across entries in requirements.txt that do not specify a specific version
# (e.g. "sqlalchemy >= 1.0.0, <= 2.0.0, != 3.0.0, <= 3.0.0"), attempt to guess what the version could
# be based on the version requirements specified (e.g. "1.0.0"). When enabled the lowest expressible version
# when given an arbitrary constraint will be used (even if that version may not be available/published). (env: SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS)
guess-unpinned-requirements:
registry:
# skip TLS verification when communicating with the registry (env: SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
insecure-skip-tls-verify: false
# use http instead of https when connecting to the registry (env: SYFT_REGISTRY_INSECURE_USE_HTTP)
insecure-use-http: false
# Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
# - authority: the registry authority URL the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) (env: SYFT_REGISTRY_AUTH_AUTHORITY)
# username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
# password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
# token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
# tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
# tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
auth: []
# filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: SYFT_REGISTRY_CA_CERT)
ca-cert: ""
# specify the source behavior to use (e.g. docker, registry, oci-dir, ...) (env: SYFT_FROM)
from: []
# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: SYFT_PLATFORM)
platform: ""
source:
# set the name of the target being analyzed (env: SYFT_SOURCE_NAME)
name: ""
# set the version of the target being analyzed (env: SYFT_SOURCE_VERSION)
version: ""
# the organization that supplied the component, which often may be the manufacturer, distributor, or repackager (env: SYFT_SOURCE_SUPPLIER)
supplier: ""
# (env: SYFT_SOURCE_SOURCE)
source: ""
# base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory (env: SYFT_SOURCE_BASE_PATH)
base-path: ""
file:
# the file digest algorithms to use on the scanned file (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_SOURCE_FILE_DIGESTS)
digests:
- "SHA-256"
image:
# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman (env: SYFT_SOURCE_IMAGE_DEFAULT_PULL_SOURCE)
default-pull-source: ""
# (env: SYFT_SOURCE_IMAGE_MAX_LAYER_SIZE)
max-layer-size: ""
# exclude paths from being scanned using a glob expression (env: SYFT_EXCLUDE)
exclude: []
unknowns:
# remove unknown errors on files with discovered packages (env: SYFT_UNKNOWNS_REMOVE_WHEN_PACKAGES_DEFINED)
remove-when-packages-defined: true
# include executables without any identified packages (env: SYFT_UNKNOWNS_EXECUTABLES_WITHOUT_PACKAGES)
executables-without-packages: true
# include archives which were not expanded and searched (env: SYFT_UNKNOWNS_UNEXPANDED_ARCHIVES)
unexpanded-archives: true
cache:
# root directory to cache any downloaded content; empty string will use an in-memory cache (env: SYFT_CACHE_DIR)
dir: "~/.cache/syft"
# time to live for cached data; setting this to 0 will disable caching entirely (env: SYFT_CACHE_TTL)
ttl: "7d"
# show catalogers that have been de-selected (env: SYFT_SHOW_HIDDEN)
show-hidden: false
attest:
# the key to use for the attestation (env: SYFT_ATTEST_KEY)
key: ""
# password to decrypt to given private key
# additionally responds to COSIGN_PASSWORD env var (env: SYFT_ATTEST_PASSWORD)
password: ""
16.1.0Represents the syft cataloging findings as a JSON document
| Field Name | Type |
|---|---|
artifacts | Array<Package> |
artifactRelationships | Array<Relationship> |
files | Array<File> |
source | Source |
distro | LinuxRelease |
descriptor | Descriptor |
schema | Schema |
CPE
Represents a Common Platform Enumeration identifier used for matching packages to known vulnerabilities in security databases.
| Field Name | Type | Description |
|---|---|---|
cpe | str | Value is the CPE string identifier. |
source | str | Source is the source where this CPE was obtained or generated from. |
ClassifierMatch
Represents a single matched value within a binary file and the "class" name the search pattern represents.
| Field Name | Type |
|---|---|
classifier | str |
location | Location |
Coordinates
Contains the minimal information needed to describe how to find a file within any possible source object (e.g.
| Field Name | Type | Description |
|---|---|---|
path | str | RealPath is the canonical absolute form of the path accessed (all symbolic links have been followed and relative path components like '.' and '..' have been removed). |
layerID | str | FileSystemID is an ID representing and entire filesystem. For container images, this is a layer digest. For directories or a root filesystem, this is blank. |
Descriptor
Identifies the tool that generated this SBOM document, including its name, version, and configuration used during catalog generation.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the name of the tool that generated this SBOM (e.g., "syft"). |
version | str | Version is the version of the tool that generated this SBOM. |
configuration | unknown | Configuration contains the tool configuration used during SBOM generation. |
Digest
Represents a cryptographic hash of file contents.
| Field Name | Type | Description |
|---|---|---|
algorithm | str | Algorithm specifies the hash algorithm used (e.g., "sha256", "md5"). |
value | str | Value is the hexadecimal string representation of the hash. |
ELFSecurityFeatures
Captures security hardening and protection mechanisms in ELF binaries.
| Field Name | Type | Description |
|---|---|---|
symbolTableStripped | bool | SymbolTableStripped indicates whether debugging symbols have been removed. |
stackCanary | bool | StackCanary indicates whether stack smashing protection is enabled. |
nx | bool | NoExecutable indicates whether NX (no-execute) protection is enabled for the stack. |
relRO | str | RelocationReadOnly indicates the RELRO protection level. |
pie | bool | PositionIndependentExecutable indicates whether the binary is compiled as PIE. |
dso | bool | DynamicSharedObject indicates whether the binary is a shared library. |
safeStack | bool | LlvmSafeStack represents a compiler-based security mechanism that separates the stack into a safe stack for storing return addresses and other critical data, and an unsafe stack for everything else, to mitigate stack-based memory corruption errors see https://clang.llvm.org/docs/SafeStack.html |
cfi | bool | ControlFlowIntegrity represents runtime checks to ensure a program's control flow adheres to the legal paths determined at compile time, thus protecting against various types of control-flow hijacking attacks see https://clang.llvm.org/docs/ControlFlowIntegrity.html |
fortify | bool | ClangFortifySource is a broad suite of extensions to libc aimed at catching misuses of common library functions see https://android.googlesource.com/platform//bionic/+/d192dbecf0b2a371eb127c0871f77a9caf81c4d2/docs/clang_fortify_anatomy.md |
Executable
Contains metadata about binary files and their security features.
| Field Name | Type | Description |
|---|---|---|
format | str | Format denotes either ELF, Mach-O, or PE |
hasExports | bool | HasExports indicates whether the binary exports symbols. |
hasEntrypoint | bool | HasEntrypoint indicates whether the binary has an entry point function. |
importedLibraries | Array<str> | ImportedLibraries lists the shared libraries required by this executable. |
elfSecurityFeatures | ELFSecurityFeatures | ELFSecurityFeatures contains ELF-specific security hardening information when Format is ELF. |
File
Represents a file discovered during cataloging with its metadata, content digests, licenses, and relationships to packages.
| Field Name | Type | Description |
|---|---|---|
id | str | ID is a unique identifier for this file within the SBOM. |
location | Coordinates | Location is the file path and layer information where this file was found. |
metadata | FileMetadataEntry | Metadata contains filesystem metadata such as permissions, ownership, and file type. |
contents | str | Contents is the file contents for small files. |
digests | Array<Digest> | Digests contains cryptographic hashes of the file contents. |
licenses | Array<FileLicense> | Licenses contains license information discovered within this file. |
executable | Executable | Executable contains executable metadata if this file is a binary. |
unknowns | Array<str> | Unknowns contains unknown fields for forward compatibility. |
FileLicense
Represents license information discovered within a file's contents or metadata, including the matched license text and SPDX expression.
| Field Name | Type | Description |
|---|---|---|
value | str | Value is the raw license identifier or text as found in the file. |
spdxExpression | str | SPDXExpression is the parsed SPDX license expression. |
type | str | Type is the license type classification (e.g., declared, concluded, discovered). |
evidence | FileLicenseEvidence | Evidence contains supporting evidence for this license detection. |
FileLicenseEvidence
Contains supporting evidence for a license detection in a file, including the byte offset, extent, and confidence level.
| Field Name | Type | Description |
|---|---|---|
confidence | int | Confidence is the confidence score for this license detection (0-100). |
offset | int | Offset is the byte offset where the license text starts in the file. |
extent | int | Extent is the length of the license text in bytes. |
FileMetadataEntry
Contains filesystem-level metadata attributes such as permissions, ownership, type, and size for a cataloged file.
| Field Name | Type | Description |
|---|---|---|
mode | int | Mode is the Unix file permission mode in octal format. |
type | str | Type is the file type (e.g., "RegularFile", "Directory", "SymbolicLink"). |
linkDestination | str | LinkDestination is the target path for symbolic links. |
userID | int | UserID is the file owner user ID. |
groupID | int | GroupID is the file owner group ID. |
mimeType | str | MIMEType is the MIME type of the file contents. |
size | int | Size is the file size in bytes. |
KeyValue
Represents a single key-value pair.
| Field Name | Type | Description |
|---|---|---|
key | str | Key is the key name |
value | str | Value is the value associated with the key |
License
Represents software license information discovered for a package, including SPDX expressions and supporting evidence locations.
| Field Name | Type | Description |
|---|---|---|
value | str | Value is the raw license identifier or expression as found. |
spdxExpression | str | SPDXExpression is the parsed SPDX license expression. |
type | str | Type is the license type classification (e.g., declared, concluded, discovered). |
urls | Array<str> | URLs are URLs where license text or information can be found. |
locations | Array<Location> | Locations are file locations where this license was discovered. |
contents | str | Contents is the full license text content. |
LinuxKernelModuleParameter
Represents a configurable parameter for a kernel module with its type and description.
| Field Name | Type | Description |
|---|---|---|
type | str | Type is parameter data type (e.g. int, string, bool, array types) |
description | str | Description is a human-readable parameter description explaining what the parameter controls |
LinuxRelease
Contains Linux distribution identification and version information extracted from /etc/os-release or similar system files.
| Field Name | Type | Description |
|---|---|---|
prettyName | str | PrettyName is a human-readable operating system name with version. |
name | str | Name is the operating system name without version information. |
id | str | ID is the lower-case operating system identifier (e.g., "ubuntu", "rhel"). |
idLike | IDLikes | IDLike is a list of operating system IDs this distribution is similar to or derived from. |
version | str | Version is the operating system version including codename if available. |
versionID | str | VersionID is the operating system version number or identifier. |
versionCodename | str | VersionCodename is the operating system release codename (e.g., "jammy", "bullseye"). |
buildID | str | BuildID is a build identifier for the operating system. |
imageID | str | ImageID is an identifier for container or cloud images. |
imageVersion | str | ImageVersion is the version for container or cloud images. |
variant | str | Variant is the operating system variant name (e.g., "Server", "Workstation"). |
variantID | str | VariantID is the lower-case operating system variant identifier. |
homeURL | str | HomeURL is the homepage URL for the operating system. |
supportURL | str | SupportURL is the support or help URL for the operating system. |
bugReportURL | str | BugReportURL is the bug reporting URL for the operating system. |
privacyPolicyURL | str | PrivacyPolicyURL is the privacy policy URL for the operating system. |
cpeName | str | CPEName is the Common Platform Enumeration name for the operating system. |
supportEnd | str | SupportEnd is the end of support date or version identifier. |
extendedSupport | bool | ExtendedSupport indicates whether extended security or support is available. |
Location
Represents a path relative to a particular filesystem resolved to a specific file.Reference.
| Field Name | Type | Description |
|---|---|---|
path | str | RealPath is the canonical absolute form of the path accessed (all symbolic links have been followed and relative path components like '.' and '..' have been removed). |
layerID | str | FileSystemID is an ID representing and entire filesystem. For container images, this is a layer digest. For directories or a root filesystem, this is blank. |
accessPath | str | AccessPath is the path used to retrieve file contents (which may or may not have hardlinks / symlinks in the path) |
annotations | obj |
Package
Represents a pkg.Package object specialized for JSON marshaling and unmarshalling.
| Field Name | Type |
|---|---|
id | str |
name | str |
version | str |
type | str |
foundBy | str |
locations | Array<Location> |
licenses | licenses |
language | str |
cpes | cpes |
purl | str |
metadataType | str |
metadata | see the Ecosystem Specific Types section |
PnpmLockResolution
Contains package resolution metadata from pnpm lockfiles, including the integrity hash used for verification.
| Field Name | Type | Description |
|---|---|---|
integrity | str | Integrity is Subresource Integrity hash for verification (SRI format) |
Relationship
Represents a directed relationship between two artifacts in the SBOM, such as package-contains-file or package-depends-on-package.
| Field Name | Type | Description |
|---|---|---|
parent | str | Parent is the ID of the parent artifact in this relationship. |
child | str | Child is the ID of the child artifact in this relationship. |
type | str | Type is the relationship type (e.g., "contains", "dependency-of", "ancestor-of"). |
metadata | unknown | Metadata contains additional relationship-specific metadata. |
Schema
Specifies the JSON schema version and URL reference that defines the structure and validation rules for this document format.
| Field Name | Type | Description |
|---|---|---|
version | str | Version is the JSON schema version for this document format. |
url | str | URL is the URL to the JSON schema definition document. |
Source
Represents the artifact that was analyzed to generate this SBOM, such as a container image, directory, or file archive.
| Field Name | Type | Description |
|---|---|---|
id | str | ID is a unique identifier for the analyzed source artifact. |
name | str | Name is the name of the analyzed artifact (e.g., image name, directory path). |
version | str | Version is the version of the analyzed artifact (e.g., image tag). |
supplier | str | Supplier is supplier information, which can be user-provided for NTIA minimum elements compliance. |
type | str | Type is the source type (e.g., "image", "directory", "file"). |
metadata | unknown | Metadata contains additional source-specific metadata. |
AlpmDbEntry
Is a struct that represents the package data stored in the pacman flat-file stores for arch linux.
| Field Name | Type | Description |
|---|---|---|
basepackage | str | BasePackage is the base package name this package was built from (source package in Arch build system) |
package | str | Package is the package name as found in the desc file |
version | str | Version is the package version as found in the desc file |
description | str | Description is a human-readable package description |
architecture | str | Architecture is the target CPU architecture as defined in Arch architecture spec (e.g. x86_64, aarch64, or "any" for arch-independent packages) |
size | int | Size is the installed size in bytes |
packager | str | Packager is the name and email of the person who packaged this (RFC822 format) |
url | str | URL is the upstream project URL |
validation | str | Validation is the validation method used for package integrity (e.g. pgp signature, sha256 checksum) |
reason | int | Reason is the installation reason tracked by pacman (0=explicitly installed by user, 1=installed as dependency) |
files | Array<AlpmFileRecord> | Files are the files installed by this package |
backup | Array<AlpmFileRecord> | Backup is the list of configuration files that pacman backs up before upgrades |
provides | Array<str> | Provides are virtual packages provided by this package (allows other packages to depend on capabilities rather than specific packages) |
depends | Array<str> | Depends are the runtime dependencies required by this package |
AlpmFileRecord
Represents a single file entry within an Arch Linux package with its associated metadata tracked by pacman.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
type | str | Type is the file type (e.g. regular file, directory, symlink) |
uid | str | UID is the file owner user ID as recorded by pacman |
gid | str | GID is the file owner group ID as recorded by pacman |
time | str | Time is the file modification timestamp |
size | str | Size is the file size in bytes |
link | str | Link is the symlink target path if this is a symlink |
digest | Array<Digest> | Digests contains file content hashes for integrity verification |
ApkDbEntry
Represents all captured data for the alpine linux package manager flat-file store.
| Field Name | Type | Description |
|---|---|---|
package | str | Package is the package name as found in the installed file |
originPackage | str | OriginPackage is the original source package name this binary was built from (used to track which aport/source built this) |
maintainer | str | Maintainer is the package maintainer name and email |
version | str | Version is the package version as found in the installed file |
architecture | str | Architecture is the target CPU architecture |
url | str | URL is the upstream project URL |
description | str | Description is a human-readable package description |
size | int | Size is the package archive size in bytes (.apk file size) |
installedSize | int | InstalledSize is the total size of installed files in bytes |
pullDependencies | Array<str> | Dependencies are the runtime dependencies required by this package |
provides | Array<str> | Provides are virtual packages provided by this package (for capability-based dependencies) |
pullChecksum | str | Checksum is the package content checksum for integrity verification |
gitCommitOfApkPort | str | GitCommit is the git commit hash of the APK port definition in Alpine's aports repository |
files | Array<ApkFileRecord> | Files are the files installed by this package |
ApkFileRecord
Represents a single file listing and metadata from a APK DB entry (which may have many of these file records).
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
ownerUid | str | OwnerUID is the file owner user ID |
ownerGid | str | OwnerGID is the file owner group ID |
permissions | str | Permissions is the file permission mode string (e.g. "0755", "0644") |
digest | Digest | Digest is the file content hash for integrity verification |
BinarySignature
Represents a set of matched values within a binary file.
| Field Name | Type |
|---|---|
matches | Array<ClassifierMatch> |
BitnamiSbomEntry
Represents all captured data from Bitnami packages described in Bitnami' SPDX files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the Bitnami SPDX file |
arch | str | Architecture is the target CPU architecture (amd64 or arm64 in Bitnami images) |
distro | str | Distro is the distribution name this package is for (base OS like debian, ubuntu, etc.) |
revision | str | Revision is the Bitnami-specific package revision number (incremented for Bitnami rebuilds of same upstream version) |
version | str | Version is the package version as found in the Bitnami SPDX file |
path | str | Path is the installation path in the filesystem where the package is located |
files | Array<str> | Files are the file paths owned by this package (tracked via SPDX relationships) |
CConanFileEntry
ConanfileEntry represents a single "Requires" entry from a conanfile.txt.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
CConanInfoEntry
ConaninfoEntry represents a single "full_requires" entry from a conaninfo.txt.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
package_id | str | PackageID is a unique package variant identifier |
CConanLockEntry
ConanV1LockEntry represents a single "node" entry from a conan.lock V1 file.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
package_id | str | PackageID is a unique package variant identifier computed from settings/options (static hash in Conan 1.x, can have collisions with complex dependency graphs) |
prev | str | Prev is the previous lock entry reference for versioning |
requires | Array<str> | Requires are the runtime package dependencies |
build_requires | Array<str> | BuildRequires are the build-time dependencies (e.g. cmake, compilers) |
py_requires | Array<str> | PythonRequires are the Python dependencies needed for Conan recipes |
options | KeyValues | Options are package configuration options as key-value pairs (e.g. shared=True, fPIC=True) |
path | str | Path is the filesystem path to the package in Conan cache |
context | str | Context is the build context information |
CConanLockV2Entry
ConanV2LockEntry represents a single "node" entry from a conan.lock V2 file.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
packageID | str | PackageID is a unique package variant identifier (dynamic in Conan 2.0, more accurate than V1) |
username | str | Username is the Conan user/organization name |
channel | str | Channel is the Conan channel name indicating stability/purpose (e.g. stable, testing, experimental) |
recipeRevision | str | RecipeRevision is a git-like revision hash (RREV) of the recipe |
packageRevision | str | PackageRevision is a git-like revision hash of the built binary package |
timestamp | str | TimeStamp is when this package was built/locked |
CocoaPodfileLockEntry
Represents a single entry from the "Pods" section of a Podfile.lock file.
| Field Name | Type | Description |
|---|---|---|
checksum | str | Checksum is the SHA-1 hash of the podspec file for integrity verification (generated via `pod ipc spec ... | openssl sha1`), ensuring all team members use the same pod specification version |
CondaMetadataEntry
CondaMetaPackage represents metadata for a Conda package extracted from the conda-meta/*.json files.
| Field Name | Type | Description |
|---|---|---|
arch | str | Arch is the target CPU architecture for the package (e.g., "arm64", "x86_64"). |
name | str | Name is the package name as found in the conda-meta JSON file. |
version | str | Version is the package version as found in the conda-meta JSON file. |
build | str | Build is the build string identifier (e.g., "h90dfc92_1014"). |
build_number | int | BuildNumber is the sequential build number for this version. |
channel | str | Channel is the Conda channel URL where the package was retrieved from. |
subdir | str | Subdir is the subdirectory within the channel (e.g., "osx-arm64", "linux-64"). |
noarch | str | Noarch indicates if the package is platform-independent (e.g., "python", "generic"). |
license | str | License is the package license identifier. |
license_family | str | LicenseFamily is the general license category (e.g., "MIT", "Apache", "GPL"). |
md5 | str | MD5 is the MD5 hash of the package archive. |
sha256 | str | SHA256 is the SHA-256 hash of the package archive. |
size | int | Size is the package archive size in bytes. |
timestamp | int | Timestamp is the Unix timestamp when the package was built. |
fn | str | Filename is the original package archive filename (e.g., "zlib-1.2.11-h90dfc92_1014.tar.bz2"). |
url | str | URL is the full download URL for the package archive. |
extracted_package_dir | str | ExtractedPackageDir is the local cache directory where the package was extracted. |
depends | Array<str> | Depends is the list of runtime dependencies with version constraints. |
files | Array<str> | Files is the list of files installed by this package. |
paths_data | CondaPathsData | PathsData contains detailed file metadata from the paths.json file. |
link | CondaLink | Link contains installation source metadata from the link.json file. |
CondaLink
Represents link metadata from a Conda package's link.json file describing package installation source.
| Field Name | Type | Description |
|---|---|---|
source | str | Source is the original path where the package was extracted from cache. |
type | int | Type indicates the link type (1 for hard link, 2 for soft link, 3 for copy). |
CondaPathData
Represents metadata for a single file within a Conda package from the paths.json file.
| Field Name | Type | Description |
|---|---|---|
_path | str | Path is the file path relative to the Conda environment root. |
path_type | str | PathType indicates the link type for the file (e.g., "hardlink", "softlink", "directory"). |
sha256 | str | SHA256 is the SHA-256 hash of the file contents. |
sha256_in_prefix | str | SHA256InPrefix is the SHA-256 hash of the file after prefix replacement during installation. |
size_in_bytes | int | SizeInBytes is the file size in bytes. |
CondaPathsData
Represents the paths.json file structure from a Conda package containing file metadata.
| Field Name | Type | Description |
|---|---|---|
paths_version | int | PathsVersion is the schema version of the paths data format. |
paths | Array<CondaPathData> | Paths is the list of file metadata entries for all files in the package. |
DartPubspec
Is a struct that represents a package described in a pubspec.yaml file
| Field Name | Type | Description |
|---|---|---|
homepage | str | Homepage is the package homepage URL |
repository | str | Repository is the source code repository URL |
documentation | str | Documentation is the documentation site URL |
publish_to | str | PublishTo is the package repository to publish to, or "none" to prevent accidental publishing |
environment | DartPubspecEnvironment | Environment is SDK version constraints for Dart and Flutter |
platforms | Array<str> | Platforms are the supported platforms (Android, iOS, web, etc.) |
ignored_advisories | Array<str> | IgnoredAdvisories are the security advisories to explicitly ignore for this package |
DartPubspecEnvironment
Represents SDK version constraints from the environment section of pubspec.yaml.
| Field Name | Type | Description |
|---|---|---|
sdk | str | SDK is the Dart SDK version constraint (e.g. ">=2.12.0 <3.0.0") |
flutter | str | Flutter is the Flutter SDK version constraint if this is a Flutter package |
DartPubspecLockEntry
Is a struct that represents a single entry found in the "packages" section in a Dart pubspec.lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the pubspec.lock file |
version | str | Version is the package version as found in the pubspec.lock file |
hosted_url | str | HostedURL is the URL of the package repository for hosted packages (typically pub.dev, but can be custom repository identified by hosted-url). When PUB_HOSTED_URL environment variable changes, lockfile tracks the source. |
vcs_url | str | VcsURL is the URL of the VCS repository for git/path dependencies (for packages fetched from version control systems like Git) |
DotnetDepsEntry
Is a struct that represents a single entry found in the "libraries" section in a .NET [*.]deps.json file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the deps.json file |
version | str | Version is the package version as found in the deps.json file |
path | str | Path is the relative path to the package within the deps structure (e.g. "app.metrics/3.0.0") |
sha512 | str | Sha512 is the SHA-512 hash of the NuGet package content WITHOUT the signed content for verification (won't match hash from NuGet API or manual calculation of .nupkg file) |
hashPath | str | HashPath is the relative path to the .nupkg.sha512 hash file (e.g. "app.metrics.3.0.0.nupkg.sha512") |
executables | obj | Executables are the map of .NET Portable Executable files within this package with their version resources |
DotnetPackagesLockEntry
Is a struct that represents a single entry found in the "dependencies" section in a .NET packages.lock.json file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the packages.lock.json file |
version | str | Version is the package version as found in the packages.lock.json file |
contentHash | str | ContentHash is the hash of the package content for verification |
type | str | Type is the dependency type indicating how this dependency was added (Direct=explicit in project file, Transitive=pulled in by another package, Project=project reference) |
DotnetPortableExecutableEntry
Is a struct that represents a single entry found within "VersionResources" section of a .NET Portable Executable binary file.
| Field Name | Type | Description |
|---|---|---|
assemblyVersion | str | AssemblyVersion is the .NET assembly version number (strong-named version) |
legalCopyright | str | LegalCopyright is the copyright notice string |
comments | str | Comments are additional comments or description embedded in PE resources |
internalName | str | InternalName is the internal name of the file |
companyName | str | CompanyName is the company that produced the file |
productName | str | ProductName is the name of the product this file is part of |
productVersion | str | ProductVersion is the version of the product (may differ from AssemblyVersion) |
DpkgArchiveEntry
Represents package metadata extracted from a .deb archive file.
| Field Name | Type | Description |
|---|---|---|
package | str | Package is the package name as found in the status file |
source | str | Source is the source package name this binary was built from (one source can produce multiple binary packages) |
version | str | Version is the binary package version as found in the status file |
sourceVersion | str | SourceVersion is the source package version (may differ from binary version when binNMU rebuilds occur) |
architecture | str | Architecture is the target architecture per Debian spec (specific arch like amd64/arm64, wildcard like any, architecture-independent "all", or "source" for source packages) |
maintainer | str | Maintainer is the package maintainer's name and email in RFC822 format (name must come first, then email in angle brackets) |
installedSize | int | InstalledSize is the total size of installed files in kilobytes |
provides | Array<str> | Provides are the virtual packages provided by this package (allows other packages to depend on capabilities. Can include versioned provides like "libdigest-md5-perl (= 2.55.01)") |
depends | Array<str> | Depends are the packages required for this package to function (will not be installed unless these requirements are met, creates strict ordering constraint) |
preDepends | Array<str> | PreDepends are the packages that must be installed and configured BEFORE even starting installation of this package (stronger than Depends, discouraged unless absolutely necessary as it adds strict constraints for apt) |
files | Array<DpkgFileRecord> | Files are the files installed by this package |
DpkgFileRecord
Represents a single file attributed to a debian package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
digest | Digest | Digest is the file content hash (typically MD5 for dpkg compatibility with legacy systems) |
isConfigFile | bool | IsConfigFile is whether this file is marked as a configuration file (dpkg will preserve user modifications during upgrades) |
DpkgDbEntry
Represents all captured data for a Debian package DB entry; available fields are described at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section.
| Field Name | Type | Description |
|---|---|---|
package | str | Package is the package name as found in the status file |
source | str | Source is the source package name this binary was built from (one source can produce multiple binary packages) |
version | str | Version is the binary package version as found in the status file |
sourceVersion | str | SourceVersion is the source package version (may differ from binary version when binNMU rebuilds occur) |
architecture | str | Architecture is the target architecture per Debian spec (specific arch like amd64/arm64, wildcard like any, architecture-independent "all", or "source" for source packages) |
maintainer | str | Maintainer is the package maintainer's name and email in RFC822 format (name must come first, then email in angle brackets) |
installedSize | int | InstalledSize is the total size of installed files in kilobytes |
provides | Array<str> | Provides are the virtual packages provided by this package (allows other packages to depend on capabilities. Can include versioned provides like "libdigest-md5-perl (= 2.55.01)") |
depends | Array<str> | Depends are the packages required for this package to function (will not be installed unless these requirements are met, creates strict ordering constraint) |
preDepends | Array<str> | PreDepends are the packages that must be installed and configured BEFORE even starting installation of this package (stronger than Depends, discouraged unless absolutely necessary as it adds strict constraints for apt) |
files | Array<DpkgFileRecord> | Files are the files installed by this package |
DpkgFileRecord
Represents a single file attributed to a debian package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
digest | Digest | Digest is the file content hash (typically MD5 for dpkg compatibility with legacy systems) |
isConfigFile | bool | IsConfigFile is whether this file is marked as a configuration file (dpkg will preserve user modifications during upgrades) |
ElfBinaryPackageNoteJsonPayload
Represents metadata captured from the .note.package section of an ELF-formatted binary
| Field Name | Type | Description |
|---|---|---|
type | str | Type is the type of the package (e.g. "rpm", "deb", "apk", etc.) |
architecture | str | Architecture of the binary package (e.g. "amd64", "arm", etc.) |
osCPE | str | OSCPE is a CPE name for the OS, typically corresponding to CPE_NAME in os-release (e.g. cpe:/o:fedoraproject:fedora:33) |
os | str | OS is the OS name, typically corresponding to ID in os-release (e.g. "fedora") |
osVersion | str | osVersion is the version of the OS, typically corresponding to VERSION_ID in os-release (e.g. "33") |
system | str | System is a context-specific name for the system that the binary package is intended to run on or a part of |
vendor | str | Vendor is the individual or organization that produced the source code for the binary |
sourceRepo | str | SourceRepo is the URL to the source repository for which the binary was built from |
commit | str | Commit is the commit hash of the source repository for which the binary was built from |
ElixirMixLockEntry
Is a struct that represents a single entry in a mix.lock file
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the mix.lock file |
version | str | Version is the package version as found in the mix.lock file |
pkgHash | str | PkgHash is the outer checksum (SHA-256) of the entire Hex package tarball for integrity verification (preferred method, replaces deprecated inner checksum) |
pkgHashExt | str | PkgHashExt is the extended package hash format (inner checksum is deprecated - SHA-256 of concatenated file contents excluding CHECKSUM file, now replaced by outer checksum) |
ErlangRebarLockEntry
Represents a single package entry from the "deps" section within an Erlang rebar.lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the rebar.lock file |
version | str | Version is the package version as found in the rebar.lock file |
pkgHash | str | PkgHash is the outer checksum (SHA-256) of the entire Hex package tarball for integrity verification (preferred method over deprecated inner checksum) |
pkgHashExt | str | PkgHashExt is the extended package hash format (inner checksum deprecated - was SHA-256 of concatenated file contents) |
GgufFileHeader
Represents metadata extracted from a GGUF (GPT-Generated Unified Format) model file.
| Field Name | Type | Description |
|---|---|---|
ggufVersion | int | GGUFVersion is the GGUF format version (e.g., 3) |
fileSize | int | FileSize is the size of the GGUF file in bytes (best-effort if available from resolver) |
architecture | str | Architecture is the model architecture (from general.architecture, e.g., "qwen3moe", "llama") |
quantization | str | Quantization is the quantization type (e.g., "IQ4_NL", "Q4_K_M") |
parameters | int | Parameters is the number of model parameters (if present in header) |
tensorCount | int | TensorCount is the number of tensors in the model |
header | obj | RemainingKeyValues contains the remaining key-value pairs from the GGUF header that are not already represented as typed fields above. This preserves additional metadata fields for reference (namespaced with general.*, llama.*, etc.) while avoiding duplication. |
metadataHash | str | MetadataKeyValuesHash is a xx64 hash of all key-value pairs from the GGUF header metadata. This hash is computed over the complete header metadata (including the fields extracted into typed fields above) and provides a stable identifier for the model configuration across different file locations or remotes. It allows matching identical models even when stored in different repositories or with different filenames. |
GithubActionsUseStatement
Represents a single 'uses' statement in a GitHub Actions workflow file referencing an action or reusable workflow.
| Field Name | Type | Description |
|---|---|---|
value | str | Value is the action reference (e.g. "actions/checkout@v3") |
comment | str | Comment is the inline comment associated with this uses statement |
GoModuleBuildinfoEntry
GolangBinaryBuildinfoEntry represents all captured data for a Golang binary
| Field Name | Type | Description |
|---|---|---|
goBuildSettings | KeyValues | BuildSettings contains the Go build settings and flags used to compile the binary (e.g., GOARCH, GOOS, CGO_ENABLED). |
goCompiledVersion | str | GoCompiledVersion is the version of Go used to compile the binary. |
architecture | str | Architecture is the target CPU architecture for the binary (extracted from GOARCH build setting). |
h1Digest | str | H1Digest is the Go module hash in h1: format for the main module from go.sum. |
mainModule | str | MainModule is the main module path for the binary (e.g., "github.com/anchore/syft"). |
goCryptoSettings | Array<str> | GoCryptoSettings contains FIPS and cryptographic configuration settings if present. |
goExperiments | Array<str> | GoExperiments lists experimental Go features enabled during compilation (e.g., "arenas", "cgocheck2"). |
GoModuleEntry
GolangModuleEntry represents all captured data for a Golang source scan with go.mod/go.sum
| Field Name | Type | Description |
|---|---|---|
h1Digest | str | H1Digest is the Go module hash in h1: format from go.sum for verifying module contents. |
GoSourceEntry
GolangSourceEntry represents all captured data for a Golang package found through source analysis
| Field Name | Type | Description |
|---|---|---|
h1Digest | str | H1Digest is the Go module hash in h1: format from go.sum for verifying module contents. |
os | str | OperatingSystem is the target OS for build constraints (e.g., "linux", "darwin", "windows"). |
architecture | str | Architecture is the target CPU architecture for build constraints (e.g., "amd64", "arm64"). |
buildTags | str | BuildTags are the build tags used to conditionally compile code (e.g., "integration,debug"). |
cgoEnabled | bool | CgoEnabled indicates whether CGO was enabled for this package. |
HaskellHackageStackEntry
HackageStackYamlEntry represents a single entry from the "extra-deps" section of a stack.yaml file.
| Field Name | Type | Description |
|---|---|---|
pkgHash | str | PkgHash is the package content hash for verification |
HaskellHackageStackLockEntry
HackageStackYamlLockEntry represents a single entry from the "packages" section of a stack.yaml.lock file.
| Field Name | Type | Description |
|---|---|---|
pkgHash | str | PkgHash is the package content hash for verification |
snapshotURL | str | SnapshotURL is the URL to the Stack snapshot this package came from |
HomebrewFormula
Represents metadata about a Homebrew formula package extracted from formula JSON files.
| Field Name | Type | Description |
|---|---|---|
tap | str | Tap is Homebrew tap this formula belongs to (e.g. "homebrew/core") |
homepage | str | Homepage is the upstream project homepage URL |
description | str | Description is a human-readable formula description |
JavaArchive
Encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship.
| Field Name | Type | Description |
|---|---|---|
virtualPath | str | VirtualPath is path within the archive hierarchy, where nested entries are delimited with ':' (for nested JARs) |
manifest | JavaManifest | Manifest is parsed META-INF/MANIFEST.MF contents |
pomProperties | JavaPomProperties | PomProperties is parsed pom.properties file contents |
pomProject | JavaPomProject | PomProject is parsed pom.xml file contents |
digest | Array<Digest> | ArchiveDigests is cryptographic hashes of the archive file |
JavaManifest
Represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file.
| Field Name | Type | Description |
|---|---|---|
main | KeyValues | Main is main manifest attributes as key-value pairs |
sections | Array<KeyValues> | Sections are the named sections from the manifest (e.g. per-entry attributes) |
JavaPomParent
Contains the fields within the
| Field Name | Type | Description |
|---|---|---|
groupId | str | GroupID is the parent Maven group identifier |
artifactId | str | ArtifactID is the parent Maven artifact identifier |
version | str | Version is the parent version (child inherits configuration from this specific version of parent POM) |
JavaPomProject
Represents fields of interest extracted from a Java archive's pom.xml file.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the pom.xml file within the archive |
parent | JavaPomParent | Parent is the parent POM reference for inheritance (child POMs inherit configuration from parent) |
groupId | str | GroupID is Maven group identifier (reversed domain name like org.apache.maven) |
artifactId | str | ArtifactID is Maven artifact identifier (project name) |
version | str | Version is project version (together with groupId and artifactId forms Maven coordinates groupId:artifactId:version) |
name | str | Name is a human-readable project name (displayed in Maven-generated documentation) |
description | str | Description is detailed project description |
url | str | URL is the project URL (typically project website or repository) |
JavaPomProperties
Represents the fields of interest extracted from a Java archive's pom.properties file.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the pom.properties file within the archive |
name | str | Name is the project name |
groupId | str | GroupID is Maven group identifier uniquely identifying the project across all projects (follows reversed domain name convention like com.company.project) |
artifactId | str | ArtifactID is Maven artifact identifier, the name of the jar/artifact (unique within the groupId scope) |
version | str | Version is artifact version |
scope | str | Scope is dependency scope determining when dependency is available (compile=default all phases, test=test compilation/execution only, runtime=runtime and test not compile, provided=expected from JDK or container) |
extraFields | obj | Extra is additional custom properties not in standard Maven coordinates |
JavaJvmInstallation
JavaVMInstallation represents a Java Virtual Machine installation discovered on the system with its release information and file list.
| Field Name | Type | Description |
|---|---|---|
release | JavaVMRelease | Release is JVM release information and version details |
files | Array<str> | Files are the list of files that are part of this JVM installation |
JavaVMRelease
Represents JVM version and build information extracted from the release file in a Java installation.
| Field Name | Type | Description |
|---|---|---|
implementor | str | Implementor is extracted with the `java.vendor` JVM property |
implementorVersion | str | ImplementorVersion is extracted with the `java.vendor.version` JVM property |
javaRuntimeVersion | str | JavaRuntimeVersion is extracted from the 'java.runtime.version' JVM property |
javaVersion | str | JavaVersion matches that from `java -version` command output |
javaVersionDate | str | JavaVersionDate is extracted from the 'java.version.date' JVM property |
libc | str | Libc can either be 'glibc' or 'musl' |
modules | Array<str> | Modules is a list of JVM modules that are packaged |
osArch | str | OsArch is the target CPU architecture |
osName | str | OsName is the name of the target runtime operating system environment |
osVersion | str | OsVersion is the version of the target runtime operating system environment |
source | str | Source refers to the origin repository of OpenJDK source |
buildSource | str | BuildSource Git SHA of the build repository |
buildSourceRepo | str | BuildSourceRepo refers to rhe repository URL for the build source |
sourceRepo | str | SourceRepo refers to the OpenJDK repository URL |
fullVersion | str | FullVersion is extracted from the 'java.runtime.version' JVM property |
semanticVersion | str | SemanticVersion is derived from the OpenJDK version |
buildInfo | str | BuildInfo contains additional build information |
jvmVariant | str | JvmVariant specifies the JVM variant (e.g., Hotspot or OpenJ9) |
jvmVersion | str | JvmVersion is extracted from the 'java.vm.version' JVM property |
imageType | str | ImageType can be 'JDK' or 'JRE' |
buildType | str | BuildType can be 'commercial' (used in some older oracle JDK distributions) |
JavascriptNpmPackage
NpmPackage represents the contents of a javascript package.json file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in package.json |
version | str | Version is the package version as found in package.json |
author | str | Author is package author name |
homepage | str | Homepage is project homepage URL |
description | str | Description is a human-readable package description |
url | str | URL is repository or project URL |
private | bool | Private is whether this is a private package |
JavascriptNpmPackageLockEntry
NpmPackageLockEntry represents a single entry within the "packages" section of a package-lock.json file.
| Field Name | Type | Description |
|---|---|---|
resolved | str | Resolved is URL where this package was downloaded from (registry source) |
integrity | str | Integrity is Subresource Integrity hash for verification using standard SRI format (sha512-... or sha1-...). npm changed from SHA-1 to SHA-512 in newer versions. For registry sources this is the integrity from registry, for remote tarballs it's SHA-512 of the file. npm verifies tarball matches this hash before unpacking, throwing EINTEGRITY error if mismatch detected. |
dependencies | obj | Dependencies is a map of dependencies and their version markers, i.e. "lodash": "^1.0.0" |
JavascriptPnpmLockEntry
PnpmLockEntry represents a single entry in the "packages" section of a pnpm-lock.yaml file.
| Field Name | Type | Description |
|---|---|---|
resolution | PnpmLockResolution | Resolution is the resolution information for the package |
dependencies | obj | Dependencies is a map of dependencies and their versions |
JavascriptYarnLockEntry
YarnLockEntry represents a single entry section of a yarn.lock file.
| Field Name | Type | Description |
|---|---|---|
resolved | str | Resolved is URL where this package was downloaded from |
integrity | str | Integrity is Subresource Integrity hash for verification (SRI format) |
dependencies | obj | Dependencies is a map of dependencies and their versions |
LinuxKernelArchive
LinuxKernel represents all captured data for a Linux kernel
| Field Name | Type | Description |
|---|---|---|
name | str | Name is kernel name (typically "Linux") |
architecture | str | Architecture is the target CPU architecture |
version | str | Version is kernel version string |
extendedVersion | str | ExtendedVersion is additional version information |
buildTime | str | BuildTime is when the kernel was built |
author | str | Author is who built the kernel |
format | str | Format is kernel image format (e.g. bzImage, zImage) |
rwRootFS | bool | RWRootFS is whether root filesystem is mounted read-write |
swapDevice | int | SwapDevice is swap device number |
rootDevice | int | RootDevice is root device number |
videoMode | str | VideoMode is default video mode setting |
LinuxKernelModule
Represents a loadable kernel module (.ko file) with its metadata, parameters, and dependencies.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is module name |
version | str | Version is module version string |
sourceVersion | str | SourceVersion is the source code version identifier |
path | str | Path is the filesystem path to the .ko kernel object file (absolute path) |
description | str | Description is a human-readable module description |
author | str | Author is module author name and email |
license | str | License is module license (e.g. GPL, BSD) which must be compatible with kernel |
kernelVersion | str | KernelVersion is kernel version this module was built for |
versionMagic | str | VersionMagic is version magic string for compatibility checking (includes kernel version, SMP status, module loading capabilities like "3.17.4-302.fc21.x86_64 SMP mod_unload modversions"). Module will NOT load if vermagic doesn't match running kernel. |
parameters | obj | Parameters are the module parameters that can be configured at load time (user-settable values like module options) |
LuarocksPackage
Represents a Lua package managed by the LuaRocks package manager with metadata from .rockspec files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the .rockspec file |
version | str | Version is the package version as found in the .rockspec file |
license | str | License is license identifier |
homepage | str | Homepage is project homepage URL |
description | str | Description is a human-readable package description |
url | str | URL is the source download URL |
dependencies | obj | Dependencies are the map of dependency names to version constraints |
NixStoreEntry
Represents a package in the Nix store (/nix/store) with its derivation information and metadata.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is full store path for this output (e.g. /nix/store/abc123...-package-1.0) |
output | str | Output is the specific output name for multi-output packages (empty string for default "out" output, can be "bin", "dev", "doc", etc.) |
outputHash | str | OutputHash is hash prefix of the store path basename (first part before the dash) |
derivation | NixDerivation | Derivation is information about the .drv file that describes how this package was built |
files | Array<str> | Files are the list of files under the nix/store path for this package |
NixDerivation
Represents a Nix .drv file that describes how to build a package including inputs, outputs, and build instructions.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the .drv file in Nix store |
system | str | System is target system string indicating where derivation can be built (e.g. "x86_64-linux", "aarch64-darwin"). Must match current system for local builds. |
inputDerivations | Array<NixDerivationReference> | InputDerivations are the list of other derivations that were inputs to this build (dependencies) |
inputSources | Array<str> | InputSources are the list of source file paths that were inputs to this build |
NixDerivationReference
Represents a reference to another derivation used as a build input or runtime dependency.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the referenced .drv file |
outputs | Array<str> | Outputs are which outputs of the referenced derivation were used (e.g. ["out"], ["bin", "dev"]) |
OpamPackage
Represents an OCaml package managed by the OPAM package manager with metadata from .opam files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the .opam file |
version | str | Version is the package version as found in the .opam file |
licenses | Array<str> | Licenses are the list of applicable licenses |
url | str | URL is download URL for the package source |
checksum | Array<str> | Checksums are the list of checksums for verification |
homepage | str | Homepage is project homepage URL |
dependencies | Array<str> | Dependencies are the list of required dependencies |
PeBinary
Represents metadata captured from a Portable Executable formatted binary (dll, exe, etc.)
| Field Name | Type | Description |
|---|---|---|
VersionResources | KeyValues | VersionResources contains key-value pairs extracted from the PE file's version resource section (e.g., FileVersion, ProductName, CompanyName). |
PhpComposerInstalledEntry
Represents a single package entry from a composer v1/v2 "installed.json" files (very similar to composer.lock files).
| Field Name | Type | Description |
|---|---|---|
name | str | Name is package name in vendor/package format (e.g. symfony/console) |
version | str | Version is the package version |
source | PhpComposerExternalReference | Source is the source repository information for development (typically git repo, used when passing --prefer-source). Originates from source code repository. |
dist | PhpComposerExternalReference | Dist is distribution archive information for production (typically zip/tar, default install method). Packaged version of released code. |
require | obj | Require is runtime dependencies with version constraints (package will not install unless these requirements can be met) |
provide | obj | Provide is virtual packages/functionality provided by this package (allows other packages to depend on capabilities) |
require-dev | obj | RequireDev is development-only dependencies (not installed in production, only when developing this package or running tests) |
suggest | obj | Suggest is optional but recommended dependencies (suggestions for packages that would extend functionality) |
license | Array<str> | License is the list of license identifiers (SPDX format) |
type | str | Type is package type indicating purpose (library=reusable code, project=application, metapackage=aggregates dependencies, etc.) |
notification-url | str | NotificationURL is the URL to notify when package is installed (for tracking/statistics) |
bin | Array<str> | Bin is the list of binary/executable files that should be added to PATH |
authors | Array<PhpComposerAuthors> | Authors are the list of package authors with name/email/homepage |
description | str | Description is a human-readable package description |
homepage | str | Homepage is project homepage URL |
keywords | Array<str> | Keywords are the list of keywords for package discovery/search |
time | str | Time is timestamp when this package version was released |
PhpComposerAuthors
Represents author information for a PHP Composer package from the authors field in composer.json.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is author's full name |
email | str | Email is author's email address |
homepage | str | Homepage is author's personal or company website |
PhpComposerExternalReference
Represents source or distribution information for a PHP package, indicating where the package code is retrieved from.
| Field Name | Type | Description |
|---|---|---|
type | str | Type is reference type (git for source VCS, zip/tar for dist archives) |
url | str | URL is the URL to the resource (git repository URL or archive download URL) |
reference | str | Reference is git commit hash or version tag for source, or archive version for dist |
shasum | str | Shasum is SHA hash of the archive file for integrity verification (dist only) |
PhpComposerLockEntry
Represents a single package entry found from a composer.lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is package name in vendor/package format (e.g. symfony/console) |
version | str | Version is the package version |
source | PhpComposerExternalReference | Source is the source repository information for development (typically git repo, used when passing --prefer-source). Originates from source code repository. |
dist | PhpComposerExternalReference | Dist is distribution archive information for production (typically zip/tar, default install method). Packaged version of released code. |
require | obj | Require is runtime dependencies with version constraints (package will not install unless these requirements can be met) |
provide | obj | Provide is virtual packages/functionality provided by this package (allows other packages to depend on capabilities) |
require-dev | obj | RequireDev is development-only dependencies (not installed in production, only when developing this package or running tests) |
suggest | obj | Suggest is optional but recommended dependencies (suggestions for packages that would extend functionality) |
license | Array<str> | License is the list of license identifiers (SPDX format) |
type | str | Type is package type indicating purpose (library=reusable code, project=application, metapackage=aggregates dependencies, etc.) |
notification-url | str | NotificationURL is the URL to notify when package is installed (for tracking/statistics) |
bin | Array<str> | Bin is the list of binary/executable files that should be added to PATH |
authors | Array<PhpComposerAuthors> | Authors are the list of package authors with name/email/homepage |
description | str | Description is a human-readable package description |
homepage | str | Homepage is project homepage URL |
keywords | Array<str> | Keywords are the list of keywords for package discovery/search |
time | str | Time is timestamp when this package version was released |
PhpComposerAuthors
Represents author information for a PHP Composer package from the authors field in composer.json.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is author's full name |
email | str | Email is author's email address |
homepage | str | Homepage is author's personal or company website |
PhpComposerExternalReference
Represents source or distribution information for a PHP package, indicating where the package code is retrieved from.
| Field Name | Type | Description |
|---|---|---|
type | str | Type is reference type (git for source VCS, zip/tar for dist archives) |
url | str | URL is the URL to the resource (git repository URL or archive download URL) |
reference | str | Reference is git commit hash or version tag for source, or archive version for dist |
shasum | str | Shasum is SHA hash of the archive file for integrity verification (dist only) |
PhpPearEntry
Represents a single package entry found within php pear metadata files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name |
channel | str | Channel is PEAR channel this package is from |
version | str | Version is the package version |
license | Array<str> | License is the list of applicable licenses |
PhpPeclEntry
Represents a single package entry found within php pecl metadata files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name |
channel | str | Channel is PEAR channel this package is from |
version | str | Version is the package version |
license | Array<str> | License is the list of applicable licenses |
PortageDbEntry
PortageEntry represents a single package entry in the portage DB flat-file store.
| Field Name | Type | Description |
|---|---|---|
installedSize | int | InstalledSize is total size of installed files in bytes |
licenses | str | Licenses is license string which may be an expression (e.g. "GPL-2 OR Apache-2.0") |
files | Array<PortageFileRecord> | Files are the files installed by this package (tracked in CONTENTS file) |
PortageFileRecord
Represents a single file attributed to a portage package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
digest | Digest | Digest is file content hash (MD5 for regular files in CONTENTS format: "obj filename md5hash mtime") |
PythonPackage
Represents all captured data for a python egg or wheel package (specifically as outlined in the PyPA core metadata specification https://packaging.python.org/en/latest/specifications/core-metadata/).
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name from the Name field in PKG-INFO or METADATA. |
version | str | Version is the package version from the Version field in PKG-INFO or METADATA. |
author | str | Author is the package author name from the Author field. |
authorEmail | str | AuthorEmail is the package author's email address from the Author-Email field. |
platform | str | Platform indicates the target platform for the package (e.g., "any", "linux", "win32"). |
files | Array<PythonFileRecord> | Files are the installed files listed in the RECORD file for wheels or installed-files.txt for eggs. |
sitePackagesRootPath | str | SitePackagesRootPath is the root directory path containing the package (e.g., "/usr/lib/python3.9/site-packages"). |
topLevelPackages | Array<str> | TopLevelPackages are the top-level Python module names from top_level.txt file. |
directUrlOrigin | PythonDirectURLOriginInfo | DirectURLOrigin contains VCS or direct URL installation information from direct_url.json. |
requiresPython | str | RequiresPython specifies the Python version requirement (e.g., ">=3.6"). |
requiresDist | Array<str> | RequiresDist lists the package dependencies with version specifiers from Requires-Dist fields. |
providesExtra | Array<str> | ProvidesExtra lists optional feature names that can be installed via extras (e.g., "dev", "test"). |
PythonDirectURLOriginInfo
Represents installation source metadata from direct_url.json for packages installed from VCS or direct URLs.
| Field Name | Type | Description |
|---|---|---|
url | str | URL is the source URL from which the package was installed. |
commitId | str | CommitID is the VCS commit hash if installed from version control. |
vcs | str | VCS is the version control system type (e.g., "git", "hg"). |
PythonFileDigest
Represents the file metadata for a single file attributed to a python package.
| Field Name | Type | Description |
|---|---|---|
algorithm | str | Algorithm is the hash algorithm used (e.g., "sha256"). |
value | str | Value is the hex-encoded hash digest value. |
PythonFileRecord
Represents a single entry within a RECORD file for a python wheel or egg package
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the installed file path from the RECORD file. |
digest | PythonFileDigest | Digest contains the hash algorithm and value for file integrity verification. |
size | str | Size is the file size in bytes as a string. |
PythonPdmLockEntry
Represents a single package entry within a pdm.lock file.
| Field Name | Type | Description |
|---|---|---|
summary | str | Summary provides a description of the package |
files | Array<PythonPdmFileEntry> | Files are the package files with their paths and hash digests (for the base package without extras) |
marker | str | Marker is the "environment" --conditional expressions that determine whether a package should be installed based on the runtime environment |
requiresPython | str | RequiresPython specifies the Python version requirement (e.g., ">=3.6"). |
dependencies | Array<str> | Dependencies are the dependency specifications for the base package (without extras) |
extras | Array<PythonPdmLockExtraVariant> | Extras contains variants for different extras combinations (PDM may have multiple entries per package) |
PythonFileDigest
Represents the file metadata for a single file attributed to a python package.
| Field Name | Type | Description |
|---|---|---|
algorithm | str | Algorithm is the hash algorithm used (e.g., "sha256"). |
value | str | Value is the hex-encoded hash digest value. |
PythonPdmFileEntry
| Field Name | Type | Description |
|---|---|---|
url | str | URL is the file download URL |
digest | PythonFileDigest | Digest is the hash digest of the file hosted at the URL |
PythonPdmLockExtraVariant
Represents a specific extras combination variant within a PDM lock file.
| Field Name | Type | Description |
|---|---|---|
extras | Array<str> | Extras are the optional extras enabled for this variant (e.g., ["toml"], ["dev"], or ["toml", "dev"]) |
dependencies | Array<str> | Dependencies are the dependencies specific to this extras variant |
files | Array<PythonPdmFileEntry> | Files are the package files specific to this variant (only populated if different from base) |
marker | str | Marker is the environment conditional expression for this variant (e.g., "python_version < \"3.11\"") |
PythonPipRequirementsEntry
PythonRequirementsEntry represents a single entry within a [*-]requirements.txt file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name from the requirements file. |
extras | Array<str> | Extras are the optional features to install from the package (e.g., package[dev,test]). |
versionConstraint | str | VersionConstraint specifies version requirements (e.g., ">=1.0,<2.0"). |
url | str | URL is the direct download URL or VCS URL if specified instead of a PyPI package. |
markers | str | Markers are environment marker expressions for conditional installation (e.g., "python_version >= '3.8'"). |
PythonPipfileLockEntry
Represents a single package entry within a Pipfile.lock file.
| Field Name | Type | Description |
|---|---|---|
hashes | Array<str> | Hashes are the package file hash values in the format "algorithm:digest" for integrity verification. |
index | str | Index is the PyPI index name where the package should be fetched from. |
PythonPoetryLockEntry
Represents a single package entry within a Pipfile.lock file.
| Field Name | Type | Description |
|---|---|---|
index | str | Index is the package repository name where the package should be fetched from. |
dependencies | Array<PythonPoetryLockDependencyEntry> | Dependencies are the package's runtime dependencies with version constraints. |
extras | Array<PythonPoetryLockExtraEntry> | Extras are optional feature groups that include additional dependencies. |
PythonPoetryLockDependencyEntry
Represents a single dependency entry within a Poetry lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the dependency package name. |
version | str | Version is the locked version or version constraint for the dependency. |
optional | bool | Optional indicates whether this dependency is optional (only needed for certain extras). |
markers | str | Markers are environment marker expressions that conditionally enable the dependency (e.g., "python_version >= '3.8'"). |
extras | Array<str> | Extras are the optional feature names from the dependency that should be installed. |
PythonPoetryLockExtraEntry
Represents an optional feature group in a Poetry lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the optional feature name (e.g., "dev", "test"). |
dependencies | Array<str> | Dependencies are the package names required when this extra is installed. |
PythonUvLockEntry
Represents a single package entry within a uv.lock file.
| Field Name | Type | Description |
|---|---|---|
index | str | Index is the package repository name where the package should be fetched from. |
dependencies | Array<PythonUvLockDependencyEntry> | Dependencies are the package's runtime dependencies with version constraints. |
extras | Array<PythonUvLockExtraEntry> | Extras are optional feature groups that include additional dependencies. |
PythonUvLockDependencyEntry
Represents a single dependency entry within a uv lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the dependency package name. |
optional | bool | Optional indicates whether this dependency is optional (only needed for certain extras). |
markers | str | Markers are environment marker expressions that conditionally enable the dependency (e.g., "python_version >= '3.8'"). |
extras | Array<str> | Extras are the optional feature names from the dependency that should be installed. |
PythonUvLockExtraEntry
Represents an optional feature group in a uv lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the optional feature name (e.g., "dev", "test"). |
dependencies | Array<str> | Dependencies are the package names required when this extra is installed. |
RDescription
Represents metadata from an R package DESCRIPTION file containing package information, dependencies, and author details.
| Field Name | Type | Description |
|---|---|---|
title | str | Title is short one-line package title |
description | str | Description is detailed package description |
author | str | Author is package author(s) |
maintainer | str | Maintainer is current package maintainer |
url | Array<str> | URL is the list of related URLs |
repository | str | Repository is CRAN or other repository name |
built | str | Built is R version and platform this was built with |
needsCompilation | bool | NeedsCompilation is whether this package requires compilation |
imports | Array<str> | Imports are the packages imported in the NAMESPACE |
depends | Array<str> | Depends are the packages this package depends on |
suggests | Array<str> | Suggests are the optional packages that extend functionality |
RpmArchive
Represents package metadata extracted directly from a .rpm archive file, containing the same information as an RPM database entry.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the RPM package name as found in the RPM database. |
version | str | Version is the upstream version of the package. |
epoch | int | null | |
architecture | str | Arch is the target CPU architecture (e.g., "x86_64", "aarch64", "noarch"). |
release | str | Release is the package release number or distribution-specific version suffix. |
sourceRpm | str | SourceRpm is the source RPM filename that was used to build this package. |
signatures | Array<RpmSignature> | Signatures contains GPG signature metadata for package verification. |
size | int | Size is the total installed size of the package in bytes. |
vendor | str | Vendor is the organization that packaged the software. |
modularityLabel | str | ModularityLabel identifies the module stream for modular RPM packages (e.g., "nodejs:12:20200101"). |
provides | Array<str> | Provides lists the virtual packages and capabilities this package provides. |
requires | Array<str> | Requires lists the dependencies required by this package. |
files | Array<RpmFileRecord> | Files are the file records for all files owned by this package. |
RpmFileRecord
Represents the file metadata for a single file attributed to a RPM package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the absolute file path where the file is installed. |
mode | int | Mode is the file permission mode bits following Unix stat.h conventions. |
size | int | Size is the file size in bytes. |
digest | Digest | Digest contains the hash algorithm and value for file integrity verification. |
userName | str | UserName is the owner username for the file. |
groupName | str | GroupName is the group name for the file. |
flags | str | Flags indicates the file type (e.g., "%config", "%doc", "%ghost"). |
RpmSignature
Represents a GPG signature for an RPM package used for authenticity verification.
| Field Name | Type | Description |
|---|---|---|
algo | str | PublicKeyAlgorithm is the public key algorithm used for signing (e.g., "RSA"). |
hash | str | HashAlgorithm is the hash algorithm used for the signature (e.g., "SHA256"). |
created | str | Created is the timestamp when the signature was created. |
issuer | str | IssuerKeyID is the GPG key ID that created the signature. |
RpmDbEntry
Represents all captured data from a RPM DB package entry.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the RPM package name as found in the RPM database. |
version | str | Version is the upstream version of the package. |
epoch | int | null | |
architecture | str | Arch is the target CPU architecture (e.g., "x86_64", "aarch64", "noarch"). |
release | str | Release is the package release number or distribution-specific version suffix. |
sourceRpm | str | SourceRpm is the source RPM filename that was used to build this package. |
signatures | Array<RpmSignature> | Signatures contains GPG signature metadata for package verification. |
size | int | Size is the total installed size of the package in bytes. |
vendor | str | Vendor is the organization that packaged the software. |
modularityLabel | str | ModularityLabel identifies the module stream for modular RPM packages (e.g., "nodejs:12:20200101"). |
provides | Array<str> | Provides lists the virtual packages and capabilities this package provides. |
requires | Array<str> | Requires lists the dependencies required by this package. |
files | Array<RpmFileRecord> | Files are the file records for all files owned by this package. |
RpmFileRecord
Represents the file metadata for a single file attributed to a RPM package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the absolute file path where the file is installed. |
mode | int | Mode is the file permission mode bits following Unix stat.h conventions. |
size | int | Size is the file size in bytes. |
digest | Digest | Digest contains the hash algorithm and value for file integrity verification. |
userName | str | UserName is the owner username for the file. |
groupName | str | GroupName is the group name for the file. |
flags | str | Flags indicates the file type (e.g., "%config", "%doc", "%ghost"). |
RpmSignature
Represents a GPG signature for an RPM package used for authenticity verification.
| Field Name | Type | Description |
|---|---|---|
algo | str | PublicKeyAlgorithm is the public key algorithm used for signing (e.g., "RSA"). |
hash | str | HashAlgorithm is the hash algorithm used for the signature (e.g., "SHA256"). |
created | str | Created is the timestamp when the signature was created. |
issuer | str | IssuerKeyID is the GPG key ID that created the signature. |
RubyGemspec
Represents all metadata parsed from the *.gemspec file
| Field Name | Type | Description |
|---|---|---|
name | str | Name is gem name as specified in the gemspec |
version | str | Version is gem version as specified in the gemspec |
files | Array<str> | Files is logical list of files in the gem (NOT directly usable as filesystem paths. Example: bundler gem lists "lib/bundler/vendor/uri/lib/uri/ldap.rb" but actual path is "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb". Would need gem installation path, ruby version, and env vars like GEM_HOME to resolve actual paths.) |
authors | Array<str> | Authors are the list of gem authors (stored as array regardless of using `author` or `authors` method in gemspec) |
homepage | str | Homepage is project homepage URL |
RustCargoAuditEntry
RustBinaryAuditEntry represents Rust crate metadata extracted from a compiled binary using cargo-auditable format.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is crate name as specified in audit section of the build binary |
version | str | Version is crate version as specified in audit section of the build binary |
source | str | Source is the source registry or repository where this crate came from |
RustCargoLockEntry
Represents a locked dependency from a Cargo.lock file with precise version and checksum information.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is crate name as specified in Cargo.toml |
version | str | Version is crate version as specified in Cargo.toml |
source | str | Source is the source registry or repository URL in format "registry+https://github.com/rust-lang/crates.io-index" for registry packages |
checksum | str | Checksum is content checksum for registry packages only (hexadecimal string). Cargo doesn't require or include checksums for git dependencies. Used to detect MITM attacks by verifying downloaded crate matches lockfile checksum. |
dependencies | Array<str> | Dependencies are the list of dependencies with version constraints |
SnapEntry
Represents metadata for a Snap package extracted from snap.yaml or snapcraft.yaml files.
| Field Name | Type | Description |
|---|---|---|
snapType | str | SnapType indicates the snap type (base, kernel, app, gadget, or snapd). |
base | str | Base is the base snap name that this snap depends on (e.g., "core20", "core22"). |
snapName | str | SnapName is the snap package name. |
snapVersion | str | SnapVersion is the snap package version. |
architecture | str | Architecture is the target CPU architecture (e.g., "amd64", "arm64"). |
SwiftPackageManagerLockEntry
SwiftPackageManagerResolvedEntry represents a resolved dependency from a Package.resolved file with its locked version and source location.
| Field Name | Type | Description |
|---|---|---|
revision | str | Revision is git commit hash of the resolved package |
SwiplpackPackage
SwiplPackEntry represents a SWI-Prolog package from the pack system with metadata about the package and its dependencies.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the .toml file |
version | str | Version is the package version as found in the .toml file |
author | str | Author is author name |
authorEmail | str | AuthorEmail is author email address |
packager | str | Packager is packager name (if different from author) |
packagerEmail | str | PackagerEmail is packager email address |
homepage | str | Homepage is project homepage URL |
dependencies | Array<str> | Dependencies are the list of required dependencies |
TerraformLockProviderEntry
Represents a single provider entry in a Terraform dependency lock file (.terraform.lock.hcl).
| Field Name | Type | Description |
|---|---|---|
url | str | URL is the provider source address (e.g., "registry.terraform.io/hashicorp/aws"). |
constraints | str | Constraints specifies the version constraints for the provider (e.g., "~> 4.0"). |
version | str | Version is the locked provider version selected during terraform init. |
hashes | Array<str> | Hashes are cryptographic checksums for the provider plugin archives across different platforms. |
WordpressPluginEntry
Represents all metadata parsed from the wordpress plugin file
| Field Name | Type | Description |
|---|---|---|
pluginInstallDirectory | str | PluginInstallDirectory is directory name where the plugin is installed |
author | str | Author is plugin author name |
authorUri | str | AuthorURI is author's website URL |
0.104.0.A vulnerability scanner for container images, filesystems, and SBOMs.
Supports the following image sources:
grype yourrepo/yourimage:tag defaults to using images from a Docker daemon
grype path/to/yourproject a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
grype podman:yourrepo/yourimage:tag explicitly use the Podman daemon
grype docker:yourrepo/yourimage:tag explicitly use the Docker daemon
grype docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
grype oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Podman or otherwise)
grype oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
grype singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
grype dir:path/to/yourproject read directly from a path on disk (any directory)
grype file:path/to/yourfile read directly from a file on disk
grype sbom:path/to/syft.json read Syft JSON from path on disk
grype registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
grype purl:path/to/purl/file read a newline separated file of package URLs from a path on disk
grype PURL read a single package PURL directly (e.g. pkg:apk/openssl@3.2.1?distro=alpine-3.20.3)
grype CPE read a single CPE directly (e.g. cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*)
You can also pipe in Syft JSON directly:
syft yourimage:tag -o json | grype
Usage:
grype [IMAGE] [flags]
grype [command]
Available Commands:
completion Generate a shell completion for Grype (listing local docker images)
config show the grype configuration
db vulnerability database operations
explain Ask grype to explain a set of findings
help Help about any command
version show version information
Flags:
--add-cpes-if-none generate CPEs for packages with no CPE data
--by-cve orient results by CVE instead of the original vulnerability ID when possible
-c, --config stringArray grype configuration file(s) to use
--distro string distro to match against in the format: <distro>[-:@]<version>
--exclude stringArray exclude paths from being scanned using a glob expression
-f, --fail-on string set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]
--file string file to write the default report output to (default is STDOUT)
--from stringArray specify the source behavior to use (e.g. docker, registry, podman, oci-dir, ...)
-h, --help help for grype
--ignore-states string ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]
--name string set the name of the target being analyzed
--only-fixed ignore matches for vulnerabilities that are not fixed
--only-notfixed ignore matches for vulnerabilities that are fixed
-o, --output stringArray report output formatter, formats=[json table cyclonedx cyclonedx-json sarif template], deprecated formats=[embedded-cyclonedx-vex-json embedded-cyclonedx-vex-xml]
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--profile stringArray configuration profiles to use
-q, --quiet suppress all logging output
-s, --scope string selection of layers to analyze, options=[squashed all-layers deep-squashed] (default "squashed")
--show-suppressed show suppressed/ignored vulnerabilities in the output (only supported with table output format)
--sort-by string sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (default "risk")
-t, --template string specify the path to a Go template file (requires 'template' output to be selected)
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for grype
--vex stringArray a list of VEX documents to consider when producing scanning results
Use "grype [command] --help" for more information about a command.
grype config
Show the grype configuration.
Usage:
grype config [flags]
grype config [command]
Available Commands:
locations shows all locations and the order in which grype will look for a configuration file
Flags:
-h, --help help for config
--load load and validate the grype configuration
grype db check
Check to see if there is a database update available.
Usage:
grype db check [flags]
Flags:
-h, --help help for check
-o, --output string format to display results (available=[text, json]) (default "text")
grype db delete
Delete the vulnerability database.
Usage:
grype db delete [flags]
Flags:
-h, --help help for delete
grype db import
Import a vulnerability database archive from a local FILE or URL.
DB archives can be obtained from “https://grype.anchore.io/databases" (or running db list). If the URL has a checksum query parameter with a fully qualified digest (e.g. ‘sha256:abc728…’) then the archive/DB will be verified against this value.
Usage:
grype db import FILE | URL [flags]
Flags:
-h, --help help for import
grype db list
List all DBs available according to the listing URL.
Usage:
grype db list [flags]
Flags:
-h, --help help for list
-o, --output string format to display results (available=[text, raw, json]) (default "text")
grype db providers
List vulnerability providers that are in the database.
Usage:
grype db providers [flags]
Flags:
-h, --help help for providers
-o, --output string format to display results (available=[table, json]) (default "table")
grype db search
Search the DB for vulnerabilities or affected packages.
Usage:
grype db search [flags]
grype db search [command]
Examples:
Search for affected packages by vulnerability ID:
$ grype db search --vuln ELSA-2023-12205
Search for affected packages by package name:
$ grype db search --pkg log4j
Search for affected packages by package name, filtering down to a specific vulnerability:
$ grype db search --pkg log4j --vuln CVE-2021-44228
Search for affected packages by PURL (note: version is not considered):
$ grype db search --pkg 'pkg:rpm/redhat/openssl' # or: '--ecosystem rpm --pkg openssl
Search for affected packages by CPE (note: version/update is not considered):
$ grype db search --pkg 'cpe:2.3:a:jetty:jetty_http_server:*:*:*:*:*:*:*:*'
$ grype db search --pkg 'cpe:/a:jetty:jetty_http_server'
Available Commands:
vuln Search for vulnerabilities within the DB (supports DB schema v6+ only)
Flags:
--broad-cpe-matching allow for specific package CPE attributes to match with '*' values on the vulnerability
--distro stringArray refine to results with the given operating system (format: 'name', 'name[-:@]version', 'name[-:@]maj.min', 'name[-:@]codename')
--ecosystem string ecosystem of the package to search within
--fixed-state stringArray only show vulnerabilities with the given fix state (fixed, not-fixed, unknown, wont-fix)
-h, --help help for search
--limit int limit the number of results returned, use 0 for no limit (default 5000)
--modified-after string only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD)
-o, --output string format to display results (available=[table, json]) (default "table")
--pkg stringArray package name/CPE/PURL to search for
--provider stringArray only show vulnerabilities from the given provider
--published-after string only show vulnerabilities originally published after the given date (format: YYYY-MM-DD)
--vuln stringArray only show results for the given vulnerability ID
grype db status
Display database status and metadata.
Usage:
grype db status [flags]
Flags:
-h, --help help for status
-o, --output string format to display results (available=[text, json]) (default "text")
grype db update
Download and install the latest vulnerability database.
Usage:
grype db update [flags]
Flags:
-h, --help help for update
grype explain
Ask grype to explain a set of findings.
Usage:
grype explain --id [VULNERABILITY ID] [flags]
Flags:
-h, --help help for explain
--id stringArray CVE IDs to explain
grype version
Show version information.
Usage:
grype version [flags]
Flags:
-h, --help help for version
-o, --output string the format to show the results (allowable: [text json]) (default "text")
0.104.0.Grype searches for configuration files in the following locations, in order:
./.grype.yaml - current working directory./.grype/config.yaml - app subdirectory in current working directory~/.grype.yaml - home directory$XDG_CONFIG_HOME/grype/config.yaml - XDG config directoryThe configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
For general information about how config and environment variables are handled, see the Configuration Reference section.
log:
# suppress all logging output (env: GRYPE_LOG_QUIET)
quiet: false
# explicitly set the logging level (available: [error warn info debug trace]) (env: GRYPE_LOG_LEVEL)
level: "warn"
# file path to write logs to (env: GRYPE_LOG_FILE)
file: ""
dev:
# capture resource profiling data (available: [cpu, mem]) (env: GRYPE_DEV_PROFILE)
profile: ""
db:
# (env: GRYPE_DEV_DB_DEBUG)
debug: false
# the output format of the vulnerability report (options: table, template, json, cyclonedx)
# when using template as the output type, you must also provide a value for 'output-template-file' (env: GRYPE_OUTPUT)
output: []
# if using template output, you must provide a path to a Go template file
# see https://github.com/anchore/grype#using-templates for more information on template output
# the default path to the template file is the current working directory
# output-template-file: .grype/html.tmpl
#
# write output report to a file (default is to write to stdout) (env: GRYPE_FILE)
file: ""
# pretty-print output (env: GRYPE_PRETTY)
pretty: false
# distro to match against in the format: <distro>[-:@]<version> (env: GRYPE_DISTRO)
distro: ""
# generate CPEs for packages with no CPE data (env: GRYPE_ADD_CPES_IF_NONE)
add-cpes-if-none: false
# specify the path to a Go template file (requires 'template' output to be selected) (env: GRYPE_OUTPUT_TEMPLATE_FILE)
output-template-file: ""
# enable/disable checking for application updates on startup (env: GRYPE_CHECK_FOR_APP_UPDATE)
check-for-app-update: true
# ignore matches for vulnerabilities that are not fixed (env: GRYPE_ONLY_FIXED)
only-fixed: false
# ignore matches for vulnerabilities that are fixed (env: GRYPE_ONLY_NOTFIXED)
only-notfixed: false
# ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix] (env: GRYPE_IGNORE_WONTFIX)
ignore-wontfix: ""
# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: GRYPE_PLATFORM)
platform: ""
search:
# selection of layers to analyze, options=[squashed all-layers deep-squashed] (env: GRYPE_SEARCH_SCOPE)
scope: "squashed"
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
# note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_UNINDEXED_ARCHIVES)
unindexed-archives: false
# search within archives that do contain a file index to search against (zip)
# note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_INDEXED_ARCHIVES)
indexed-archives: true
# A list of vulnerability ignore rules, one or more property may be specified and all matching vulnerabilities will be ignored.
# This is the full set of supported rule fields:
# - vulnerability: CVE-2008-4318
# fix-state: unknown
# package:
# name: libcurl
# version: 1.5.1
# type: npm
# location: "/usr/local/lib/node_modules/**"
#
# VEX fields apply when Grype reads vex data:
# - vex-status: not_affected
# vex-justification: vulnerable_code_not_present
ignore: []
# a list of globs to exclude from scanning, for example:
# - '/etc/**'
# - './out/**/*.json'
# same as --exclude (env: GRYPE_EXCLUDE)
exclude: []
external-sources:
# enable Grype searching network source for additional information (env: GRYPE_EXTERNAL_SOURCES_ENABLE)
enable: false
maven:
# search for Maven artifacts by SHA1 (env: GRYPE_EXTERNAL_SOURCES_MAVEN_SEARCH_MAVEN_UPSTREAM)
search-maven-upstream: true
# base URL of the Maven repository to search (env: GRYPE_EXTERNAL_SOURCES_MAVEN_BASE_URL)
base-url: "https://search.maven.org/solrsearch/select"
# (env: GRYPE_EXTERNAL_SOURCES_MAVEN_RATE_LIMIT)
rate-limit: 300ms
match:
java:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVA_USING_CPES)
using-cpes: false
jvm:
# (env: GRYPE_MATCH_JVM_USING_CPES)
using-cpes: true
dotnet:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_DOTNET_USING_CPES)
using-cpes: false
golang:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_GOLANG_USING_CPES)
using-cpes: false
# use CPE matching to find vulnerabilities for the Go standard library (env: GRYPE_MATCH_GOLANG_ALWAYS_USE_CPE_FOR_STDLIB)
always-use-cpe-for-stdlib: true
# allow comparison between main module pseudo-versions (e.g. v0.0.0-20240413-2b432cf643...) (env: GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON)
allow-main-module-pseudo-version-comparison: false
javascript:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVASCRIPT_USING_CPES)
using-cpes: false
python:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_PYTHON_USING_CPES)
using-cpes: false
ruby:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUBY_USING_CPES)
using-cpes: false
rust:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUST_USING_CPES)
using-cpes: false
stock:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_STOCK_USING_CPES)
using-cpes: true
# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical) (env: GRYPE_FAIL_ON_SEVERITY)
fail-on-severity: ""
registry:
# skip TLS verification when communicating with the registry (env: GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
insecure-skip-tls-verify: false
# use http instead of https when connecting to the registry (env: GRYPE_REGISTRY_INSECURE_USE_HTTP)
insecure-use-http: false
# Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
# - authority: the registry authority URL the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) (env: SYFT_REGISTRY_AUTH_AUTHORITY)
# username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
# password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
# token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
# tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
# tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
auth: []
# filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: GRYPE_REGISTRY_CA_CERT)
ca-cert: ""
# show suppressed/ignored vulnerabilities in the output (only supported with table output format) (env: GRYPE_SHOW_SUPPRESSED)
show-suppressed: false
# orient results by CVE instead of the original vulnerability ID when possible (env: GRYPE_BY_CVE)
by-cve: false
# sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (env: GRYPE_SORT_BY)
sort-by: "risk"
# same as --name; set the name of the target being analyzed (env: GRYPE_NAME)
name: ""
# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman (env: GRYPE_DEFAULT_IMAGE_PULL_SOURCE)
default-image-pull-source: ""
# specify the source behavior to use (e.g. docker, registry, podman, oci-dir, ...) (env: GRYPE_FROM)
from: []
# a list of VEX documents to consider when producing scanning results (env: GRYPE_VEX_DOCUMENTS)
vex-documents: []
# VEX statuses to consider as ignored rules (env: GRYPE_VEX_ADD)
vex-add: []
# match kernel-header packages with upstream kernel as kernel vulnerabilities (env: GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS)
match-upstream-kernel-headers: false
fix-channel:
redhat-eus:
# whether fixes from this channel should be considered, options are "never", "always", or "auto" (conditionally applied based on SBOM data) (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_APPLY)
apply: "auto"
# (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_VERSIONS)
versions: ">= 8.0"
# (env: GRYPE_TIMESTAMP)
timestamp: true
db:
# location to write the vulnerability database cache (env: GRYPE_DB_CACHE_DIR)
cache-dir: "~/.cache/grype/db"
# URL of the vulnerability database (env: GRYPE_DB_UPDATE_URL)
update-url: "https://grype.anchore.io/databases"
# certificate to trust download the database and listing file (env: GRYPE_DB_CA_CERT)
ca-cert: ""
# check for database updates on execution (env: GRYPE_DB_AUTO_UPDATE)
auto-update: true
# validate the database matches the known hash each execution (env: GRYPE_DB_VALIDATE_BY_HASH_ON_START)
validate-by-hash-on-start: true
# ensure db build is no older than the max-allowed-built-age (env: GRYPE_DB_VALIDATE_AGE)
validate-age: true
# Max allowed age for vulnerability database,
# age being the time since it was built
# Default max age is 120h (or five days) (env: GRYPE_DB_MAX_ALLOWED_BUILT_AGE)
max-allowed-built-age: 120h0m0s
# fail the scan if unable to check for database updates (env: GRYPE_DB_REQUIRE_UPDATE_CHECK)
require-update-check: false
# Timeout for downloading GRYPE_DB_UPDATE_URL to see if the database needs to be downloaded
# This file is ~156KiB as of 2024-04-17 so the download should be quick; adjust as needed (env: GRYPE_DB_UPDATE_AVAILABLE_TIMEOUT)
update-available-timeout: 30s
# Timeout for downloading actual vulnerability DB
# The DB is ~156MB as of 2024-04-17 so slower connections may exceed the default timeout; adjust as needed (env: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT)
update-download-timeout: 5m0s
# Maximum frequency to check for vulnerability database updates (env: GRYPE_DB_MAX_UPDATE_CHECK_FREQUENCY)
max-update-check-frequency: 2h0m0s
exp:
0.5.1.Grant helps you view licenses for container images, SBOM documents, and filesystems. Apply filters and views that can help you build a picture of licenses in your SBOM.
Usage:
grant [command]
Available Commands:
check Check license compliance for one or more targets
completion Generate the autocompletion script for the specified shell
config Generate a comprehensive configuration file
help Help about any command
list List licenses found in one or more targets
version Show the version information for grant
Flags:
-c, --config string path to configuration file
-h, --help help for grant
--no-output suppress terminal output when writing to file
-o, --output string output format (table, json) (default "table")
-f, --output-file string write JSON output to file (sets output format to json)
-q, --quiet suppress all non-essential output
-v, --verbose enable verbose output
--version version for grant
Use "grant [command] --help" for more information about a command.
grant check
Check evaluates license compliance for container images, SBOMs, filesystems, and files.
Targets can be:
Container images: alpine:latest, ubuntu:22.04
SBOM files: path/to/sbom.json, path/to/sbom.json
Directories: dir:./project, ./my-app
Archive files: project.tar.gz, source.zip
License files: LICENSE, COPYING
Stdin: - (reads SBOM from stdin)
Exit codes:
0: All targets are compliant
1: One or more targets are non-compliant or an error occurred.
Usage:
grant check [TARGET...] [flags]
Flags:
--disable-file-search disable filesystem license file search
--dry-run run check without returning non-zero exit code on violations
-h, --help help for check
--summary show only summary information
--unlicensed show only packages without licenses
grant config
Generate a complete YAML configuration file with all available Grant options.
This command outputs a comprehensive configuration file that includes:
License policy options (allow lists, ignore patterns)
Command-line options with defaults
Detailed comments explaining each option
The generated configuration can be saved to a file and customized as needed.
Usage:
grant config [flags]
Flags:
-h, --help help for config
-o, --output string output file path (default: stdout)
grant list
List shows all licenses found in container images, SBOMs, filesystems, and files
without applying policy evaluation.
Targets can be:
Container images: alpine:latest, ubuntu:22.04
SBOM files: path/to/sbom.json, path/to/sbom.xml
Directories: dir:./project, ./my-app
Archive files: project.tar.gz, source.zip
License files: LICENSE, COPYING
Stdin: - (reads SBOM from stdin)
When no target is specified and stdin is available (piped input), grant will
automatically read from stdin. This allows usage like:
syft -o json dir:. | grant list Apache-2.0
License filtering:
If license names are provided as additional arguments, only packages with those
specific licenses will be shown. For example:
grant list dir:. “MIT” “Apache-2.0”
syft -o json dir:. | grant list “MIT” “Apache-2.0”
This command always returns exit code 0 unless there are processing errors.
Usage:
grant list [TARGET] [LICENSE...] [flags]
Flags:
--disable-file-search disable filesystem license file search
--group-by string group results by specified field (risk)
-h, --help help for list
--pkg string show detailed information for a specific package (requires license filter)
--unlicensed show only packages without licenses
grant version
Show the version information for grant.
Usage:
grant version [flags]
Flags:
-h, --help help for version
The following are a list of data sources used to directly match packages to vulnerabilities in Grype:
| Data Source | Vunnel Provider | Ecosystems |
|---|---|---|
| AlmaLinux OSV Database | alma | RPM |
| Alpine SecDB | alpine | APK |
| Amazon Linux Security Center | amazon | RPM |
| Microsoft AzureLinux OVAL | mariner | RPM |
| Bitnami Vulnerability Database | bitnami | Bitnami |
| Chainguard Security | chainguard | APK |
| Chainguard Libraries (OpenVEX) | chainguard_libraries | |
| Debian Security Tracker | debian | DPKG |
| ECHO Security | echo | DPKG |
| GitHub Security Advisories | github | .NET, GitHub Actions, Go, Java, JavaScript, Python, Ruby, Rust |
| Microsoft CBL-Mariner OVAL | mariner | RPM |
| MINIMOS Security | minimos | APK |
| National Vulnerability Database (NVD) | nvd | .NET, APK, Go, Java, JavaScript, Python, Ruby, Rust |
| Oracle Linux Security | oracle | RPM |
| Red Hat Security Data API | rhel | RPM |
| SUSE Security OVAL | sles | RPM |
| Ubuntu CVE Tracker | ubuntu | DPKG |
| Wolfi Security | wolfi | APK |
Here are the capabilities of each data source as Grype uses them:
| Data Source | Advisories | Disclosures | Fixes | Track by Source Package | ||
|---|---|---|---|---|---|---|
| Affected | Date | Versions | Date | |||
| AlmaLinux OSV Database | ALSA | |||||
| Alpine SecDB | ||||||
| Amazon Linux Security Center | ALAS | |||||
| Microsoft AzureLinux OVAL | ||||||
| Bitnami Vulnerability Database | ||||||
| Chainguard Security | CGA | |||||
| Chainguard Libraries (OpenVEX) | CGA | |||||
| Debian Security Tracker | DSA | |||||
| ECHO Security | ECHO | |||||
| GitHub Security Advisories | GHSA | |||||
| Microsoft CBL-Mariner OVAL | ||||||
| MINIMOS Security | ||||||
| National Vulnerability Database (NVD) | CVE | |||||
| Oracle Linux Security | ELSA | |||||
| Red Hat Security Data API | RHSA | |||||
| SUSE Security OVAL | SUSE-SU | |||||
| Ubuntu CVE Tracker | USN | |||||
| Wolfi Security | CGA | |||||
We additionally have auxiliary data sources that are used to enhance vulnerability matching in Grype:
| Data Source | Vunnel Provider | Description |
|---|---|---|
| Exploit Prediction Scoring System | epss | Data-driven effort by FIRST to predict the likelihood that a software vulnerability will be exploited. Provides daily-updated probability scores (0-1) and percentile rankings for CVE prioritization. |
| CISA Known Exploited Vulnerabilities | kev | CISA's authoritative catalog of vulnerabilities known to be actively exploited in the wild. Provides exploitation status, required remediation actions, due dates, and ransomware campaign associations. |
These sources are cross-cutting in nature and are not tied to a specific distribution or ecosystem (though, primarily enriching information about CVEs specifically).
0.5.1.Grant searches for configuration files in the following locations, in order:
./.grant.yaml - current working directory./.grant/config.yaml - app subdirectory in current working directory~/.grant.yaml - home directory$XDG_CONFIG_HOME/grant/config.yaml - XDG config directoryThe configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
For general information about how config and environment variables are handled, see the Configuration Reference section.
# Grant License Compliance Configuration
# Complete configuration file with all available options
# See: https://github.com/anchore/grant
format: table # Output format: "table" or "json" (default: "table")
quiet: false # Suppress all non-essential output (default: false)
verbose: false # Enable verbose output (default: false)
# List of allowed license patterns (supports glob matching)
# Default behavior: DENY all licenses except those explicitly permitted
allow:
- MIT
- Apache-2.0
- BSD-3-Clause
# List of package patterns to ignore from license checking
# Supports glob patterns for flexible matching
ignore-packages: []
# Add package patterns to ignore here
# Examples:
# - "github.com/mycompany/*"
# - "internal/*"
# Policy enforcement options
require-license: true # When true, deny packages with no detected licenses
require-known-license: false # When true, deny non-SPDX / unparsable licenses
# ============================================================================
# COMMAND-SPECIFIC OPTIONS
# ============================================================================
disable-file-search: false # Disable filesystem license file search
summary: false # Show only summary information for check command
# Show only packages without licenses (default: false)
only-unlicensed: false # maps to grant check --unlicensed || grant list --unlicensed
All Anchore open source tools (Syft, Grype, Grant) share the same configuration system. This guide explains how to configure these tools using command-line flags, environment variables, and configuration files.
When you configure a tool, settings are applied in a specific order. If the same setting is specified in multiple places, the tool uses the value from the highest-priority source:
-c PATH or --config PATH)For example, if you set the log level using all three methods, the command-line flag overrides the environment variable, which overrides the config file value.
-vv log level prints the entire active configuration at startup, showing you exactly which values are being used.To see available configuration options and current settings:
syft --help — shows all command-line flagssyft config — prints a complete sample configuration filesyft config --load — displays your current active configurationReplace syft with the tool you’re using (grype, grant, etc.).
You can explicitly specify a configuration file using the -c or --config flag,
which overrides the auto-discovery behavior.
syft alpine:latest -c /path/to/config.yaml
grype alpine:latest --config ~/.grype-custom.yaml
grant check . -c ./grant-config.yaml
Syft and Grype support multiple configuration files by specifying the flag multiple times:
syft alpine:latest -c base.yaml -c overrides.yaml
When multiple files are specified, individual settings from later files override earlier ones.
Every configuration option can be set via environment variable. The variable name follows the path to the setting in the configuration file.
Example: To enable pretty-printed JSON output, the config file setting is:
format:
json:
pretty: true
The path from root to this value is format → json → pretty, so the environment variable is:
export SYFT_FORMAT_JSON_PRETTY=true
The pattern is: <TOOL>_<PATH>_<TO>_<SETTING> where:
<TOOL> is the uppercase tool name (SYFT, GRYPE, GRANT)More examples:
# Set log level to debug
export SYFT_LOG_LEVEL=debug
# Configure output format
export GRYPE_OUTPUT=json
# Set registry credentials
export SYFT_REGISTRY_AUTH_USERNAME=myuser
When you don’t specify a configuration file with -c, the tool automatically searches for one.
Configuration files use YAML format. The tool searches these locations in order and uses the first file it finds:
.syft.yaml (in current directory).syft/config.yaml (in current directory)~/.syft.yaml (in home directory)<XDG_CONFIG_HOME>/syft/config.yaml (typically ~/.config/syft/config.yaml)Replace syft with your tool name (grype, grant, etc.).
Anchore’s open source security tooling consists of several interconnected tools that work together to detect vulnerabilities and ensure license compliance in software packages. This page explains how these tools interact and how data flows through the system.
The Anchore OSS ecosystem includes five main tools that, at the 30,000 ft view, work together as follows:
---
config:
layout: dagre
look: handDrawn
theme: default
flowchart:
curve: linear
---
flowchart TD
vunnel["***Vunnel***<br><small>Downloads and normalizes<br>security feeds</small>"]:::Ash
grypedb["***Grype DB***<br><small>Converts feeds to<br>SQLite database</small>"]:::Ash
grype["***Grype***<br><small>Matches vulnerabilities<br>from SBOM + database</small>"]:::Ash
syft["***Syft***<br><small>Generates SBOMs from<br>scan targets</small>"]:::Ash
grant["***Grant***<br><small>Analyzes licenses<br>from SBOM</small>"]:::Ash
vunnel --> grypedb --> grype
syft --> grype & grant
vunnel@{ shape: event}
grypedb@{ shape: event}
grype@{ shape: event}
syft@{ shape: event}
grant@{ shape: event}
classDef Ash stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#e1ffe1, color:#000000Zooming in to the 20,000 ft view, here’s how data flows through the same system:
---
config:
layout: dagre
look: handDrawn
theme: default
flowchart:
curve: linear
---
flowchart TB
feed1["NVD Feed"]
feed2["Alpine Feed"]
feed3["... (20+ feeds)"]
subgraph anchore["<b>Anchore Infrastructure</b>"]
vunnel["Vunnel"]
grypedb["Grype DB"]
cache["Daily DB"]
vunnel --> grypedb --> cache
end
subgraph user["<b>User Environment</b>"]
targets["Image, filesystem,<br>PURLs, directory, ..."]
local["DB Cache"]
syft["Syft"]
sbom["SBOM"]
targets --> syft --> sbom
grype["Grype"]
vulns["Vulnerability+Package<br>Matches"]
grant["Grant"]
licenses["License Compliance<br>Report"]
grype --> vulns
grant --> licenses
sbom --> grype
sbom --> grant
local --> grype
end
feed1 --> vunnel
feed2 --> vunnel
feed3 -.-> vunnel
cache -. "<i>download</i>" .-> local
feed1:::ExternalSource@{ shape: cloud}
feed2:::ExternalSource@{ shape: cloud}
feed3:::ExternalSource@{ shape: cloud}
vunnel:::Application@{ shape: event}
grypedb:::Application@{ shape: event}
grype:::Application@{ shape: event}
syft:::Application@{ shape: event}
grant:::Application@{ shape: event}
targets:::AnalysisInput
cache:::Database@{ shape: db}
local:::Database@{ shape: db}
sbom:::Document@{ shape: doc}
vulns:::Document@{ shape: doc}
licenses:::Document@{ shape: doc}
style anchore fill:none, stroke:#333333, stroke-width:2px, stroke-dasharray:5 5
style user fill:none, stroke:#333333, stroke-width:2px, stroke-dasharray:5 5
classDef AnalysisInput stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#f0f8ff, color:#000000
classDef ExternalSource stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#f0f8ff, color:#000000
classDef Application stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#e1ffe1, color:#000000
classDef Document stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#fff9c4, color:#000000
classDef Database stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#fff9c4, color:#000000We use…
This document explains how all of the golang-base Anchore OSS tools are organized, covering the package structure, common core architectural concepts, and where key functionality is implemented.
Use this as a reference when trying to familiarize yourself with the overall structure of Syft, Grype, or other applications.
The cmd package uses the Clio framework (built on top of the spf13/cobra and spf13/viper) to manage flag/argument parsing, configuration, and command execution.
All flags, arguments, and config arguments are represented in the application as a struct. Each command tends to get it’s own struct with all options the command needs to function. Common options or sets of options can be defined independently and reused across commands, being composed within each command struct that needs the option.
Select options that represent flags are registered with the AddFlags method defined on the command struct (or on each option struct used within the command struct).
If any additional processing is needed to be done to elements in command structs or option structs before being used in the application then you can define a PostLoad method on the struct to mutate the elements you need.
In terms of what is executed when: all processing is done within the selected cobra command’s PreRun hook, wrapping any potential user-provided hook.
This means that all of this fits nicely into the existing cobra command lifecycle.
See the sign command in Quill for a small example of all of this together.
The reason for this approach is to smooth over the rough edges between cobra and viper, which have multiple ways to configure and use functionality, and provide a single way to specify any input into the application. Being prescriptive about these approaches has allowed us to take many shared concerns that used to be a lot of boilerplate when creating an application and put it into one framework –Clio.
The following diagrams show the execution of a typical Anchore application at different levels of detail, using the scan command in Syft as a representative example:
sequenceDiagram
actor user as User
participant syft as Syft Application
participant cmd as Command Handler (Cobra)
participant lib as Library
user->>syft: syft scan alpine:latest
syft->>cmd: Execute
cmd->>cmd: Initialize & Load Configuration
cmd->>lib: Execute Scan Logic
lib->>cmd: SBOM
cmd-->>user: Display/Write SBOMsequenceDiagram
actor user as User
box rgba(0,0,0,.1) Syft Application
participant main as main.go
participant cliApp as cli.Application()
participant clio as Clio Framework
end
box rgba(0,0,0,.1) Command Handler
participant cobra as Command PreRunE
participant opts as Command Options
participant runE as Command RunE
end
participant lib as Library
user->>main: syft scan alpine:latest
Note over main,clio: Syft Application (initialization)
main->>cliApp: Create app with ID
cliApp->>clio: clio.New(config)
clio-->>cliApp: app instance
Note over cliApp,cobra: Build Command Tree
cliApp->>cliApp: commands.Scan(app)
cliApp->>clio: app.SetupCommand(&cobra.Command, opts)
Note over clio: Bind config sources to options struct
clio-->>cliApp: configured scanCmd
cliApp->>cliApp: commands.Root(app, scanCmd)
cliApp->>clio: app.SetupRootCommand(&cobra.Command, opts)
clio-->>cliApp: rootCmd with scanCmd attached
main->>clio: app.Run()
clio->>cobra: rootCmd.Execute()
Note over cobra,runE: Command Handler (execution)
cobra->>cobra: Parse args → "scan alpine:latest"
cobra->>opts: Load config (files/env/flags)
cobra->>opts: opts.PostLoad() validation
cobra->>runE: RunE(cmd, args)
runE->>lib: Execute Scan Logic
lib-->>runE: SBOM
Note over runE: Result Output
runE-->>user: SBOM outputMany of the Anchore OSS tools have the following setup (or very similar):
/cmd/NAME/ - CLI application layer.
This is the entry point for the command-line tool and wires up much of the functionality from the public API.
./cmd/NAME/
│ ├── cli/
│ │ ├── cli.go // where all commands are wired up
│ │ ├── commands/ // all command implementations
│ │ ├── options/ // all command flags and configuration options
│ │ └── ui/ // all handlers for events that are shown on the UI
│ └── main.go // entrypoint for the application
...
/NAME/ - Public library API.
This is how API users interact with the underlying capabilities without coupling to the application configuration, specific presentation on the terminal, or high-level workflows.
Applications extensively use internal/ packages at multiple levels to minimize the public API surface area.
The codebase follows the guiding principle “internalize anything you can” - expose only what library consumers truly need.
Take for example the various internal packages within Syft
/internal/ # Project-wide internals (bus, log, etc...)
/syft/internal/ # Syft library-specific internals (relationships, evidence)
/cmd/syft/internal/ # CLI-specific internals (options, UI handlers)
/syft/source/internal/ # Package-specific internals (source resolution details)
/syft/pkg/cataloger/<ecosystem>/internal/ # Cataloger-specific internals
This multi-level approach allows Syft to expose a minimal, stable public API while keeping implementation details flexible and changeable.
Go’s module system prevents importing internal/ packages from outside their parent directory, which enforces clean separation of concerns.
The bus system, under /internal/bus/ within the target application, is an event publishing mechanism that enables progress reporting and UI updates
without coupling the library to any specific user interface implementation.
The bus follows a strict one-way communication pattern: the library publishes events but never subscribes to them. The intention is that functionality is NOT fulfilled by listening to events on the bus and taking action. Only the application layer (CLI) subscribes to events for display. This keeps the library completely decoupled from UI concerns.
You can think of the bus as a structured extension of the logger, allowing for publishing not just strings or maps of strings, but enabling publishing objects that can yield additional telemetry on-demand, fueling richer interactions.
This enables library consumers to implement any UI they want (terminal UI, web UI, no UI) by subscribing to events and handling them appropriately. The library has zero knowledge of how events are used, maintaining a clean separation between business logic and presentation.
The bus is implemented as a singleton with a global publisher that can be set by library consumers:
var publisher partybus.Publisher
func Set(p partybus.Publisher) {
publisher = p
}
func Publish(e partybus.Event) {
if publisher != nil {
publisher.Publish(e)
}
}
The library calls bus.Publish() throughout cataloging operations. If no publisher is set, events are silently discarded.
This makes events truly optional.
Picking the right “level” for events is key. Libraries tend to not assume that events can be read “quickly” off the bus. At the same time, to remain lively and useful, we want to be able to have consumers of the bus to get information at a rate they choose. A common pattern used is to publish a “start” event (for example, “cataloging started”) and publish with that event a read-only, thread-safe object that can be polled by the caller to get progress or status-based information out.
sequenceDiagram
participant CMD as cmd/<br/>(CLI Layer)
participant Bus as internal/bus/<br/>(Event Bus)
participant Lib as lib/<br/>(Library Layer)
participant Progress as Progress Object
CMD->>Bus: Subscribe()
CMD->>+Lib: PerformOperation()
Lib->>Progress: Create progress object
Lib->>Bus: Publish(StartEvent, progress)
Bus->>CMD: StartEvent
loop Poll until complete
CMD->>Progress: Size(), Current(), Stage(), Error()
Progress-->>CMD: status (Error: nil)
end
Lib-->>-CMD: Return result
CMD->>Progress: Error()
Progress-->>CMD: ErrCompletedThis prevents against the library accidentally being a “firehose” and overwhelming subscribers who are trying to convey timely information. When subscribers cannot keep up with the amount of events emitted from the library then the very information being displayed tends to get stale and useless anyway. At the same time, the there is a lot of value in responding to events instead of polling for all information.
This pattern helps to balance the best of both worlds, getting an event driven system with a consumer-driven update cadence.
The logging system, under /internal/log/ within the target application, provides structured logging throughout Anchore’s applications with an injectable logger interface.
This allows library consumers to integrate the application’s logging into their own logging infrastructure.
There is an adapter for logrus to this interface implemented, and we’re happy to take additional contributions for other concrete logger adapters.
The logging system is implemented as a singleton with global functions (log.Info, log.Debug, etc.).
Library consumers inject their logger by calling the public API function syft.SetLogger(yourLoggerHere).
By default, Syft uses a discard logger (no-op) that silently ignores all log messages. This ensures the library produces no output unless a logger is explicitly provided.
All loggers are automatically wrapped with a redaction layer when you call SetLogger().
The wrapping is applied internally by the logging system, which removes sensitive information (like authentication tokens) from log output.
This happens transparently within the application CLI, however, API users will need to explicitly register secrets to be redacted.
Each application uses goreleaser to build and publish releases, as orchestrated by a release workflow.
The release workflow can be triggered with make release from a local checkout of the repository.
Chronicle is used to automatically generate release notes based on GitHub issues and PR titles/labels,
using the same information to determine the next version for the release.
With each repo, we tend to publish (but some details may vary slightly between repos):
v0.50.0)ghcr.io registriesWe ensure the same tool versions are used locally and in CI by using Binny, orchestrated with make and task.
See the Golang CLI Patterns for common structures and frameworks used in Syft and across other Anchore open source projects.
For detailed API examples, see the Syft repository on GitHub.
At a high level, this is the package structure of Syft:
./cmd/syft/ // main entrypoint
│ └── ...
└── syft/ // the "core" syft library
├── format/ // contains code to encode or decode to and from SBOM formats
├── pkg/ // contains code to catalog packages from a source
├── sbom/ // contains the definition of an SBOM
└── source/ // contains code to create a source object for some input type (e.g. container image, directory, etc)
Syft’s core library is implemented in the syft package and subpackages.
The major packages work together in a pipeline:
syft/source package produces a source.Source object that can be used to catalog a directory, container, and other source types.syft package knows how to take a source.Source object and catalog it to produce an sbom.SBOM object.syft/format package contains the ability to encode an sbom.SBOM object to and from different SBOM formats (such as SPDX and CycloneDX).This design creates a clear flow: source → catalog → format:
sequenceDiagram
actor User
participant CLI
participant Resolve as Source Resolution
participant Catalog as SBOM Creation
participant Format as Format Output
User->>CLI: syft scan <target>
CLI->>CLI: Parse configuration
CLI->>Resolve: Resolve input (image/dir/file)
Note over Resolve: Tries: File→Directory→OCI→Docker→Podman→Containerd→Registry
Resolve-->>CLI: source.Source
CLI->>Catalog: Create SBOM from source
Note over Catalog: Task-based cataloging engine
Catalog-->>CLI: sbom.SBOM struct
CLI->>Format: Write to format(s)
Note over Format: Parallel: SPDX, CycloneDX, Syft JSON, etc.
Format-->>User: SBOM file(s)Shows the task-based architecture and execution phases. Tasks are selected by tags (image/directory/installed) and organized into serial phases, with parallel execution within each phase.
sequenceDiagram
participant CLI as scan.go
participant GetSource as Source Providers
participant CreateSBOM as syft.CreateSBOM
participant Config as CreateSBOMConfig
participant Executor as Task Executor
participant Builder as sbomsync.Builder
participant Resolver as file.Resolver
Note over CLI,GetSource: Source Resolution
CLI->>GetSource: GetSource(userInput, cfg)
GetSource->>GetSource: Try providers until success
GetSource-->>CLI: source.Source + file.Resolver
Note over CLI,Builder: SBOM Creation (task-based architecture)
CLI->>CreateSBOM: CreateSBOM(ctx, source, cfg)
CreateSBOM->>Config: makeTaskGroups(srcMetadata)
Note over Config: Task Selection & Organization
Config->>Config: Select catalogers by tags<br/>(image/directory/installed)
Config->>Config: Organize into execution phases
Config-->>CreateSBOM: [][]Task (grouped by phase)
CreateSBOM->>Builder: Initialize thread-safe builder
Note over CreateSBOM,Executor: Phase 1: Environment Detection
CreateSBOM->>Executor: Execute environment tasks
Executor->>Resolver: Read OS release files
Executor->>Builder: SetLinuxDistribution()
Note over CreateSBOM,Executor: Phase 2: Package + File Cataloging
CreateSBOM->>Executor: Execute package & file tasks
par Parallel Task Execution
Executor->>Resolver: Read package manifests
Executor->>Builder: AddPackages()
and
Executor->>Resolver: Read file metadata
Executor->>Builder: Add file artifacts
end
Note over CreateSBOM,Executor: Phase 3: Post-Processing
CreateSBOM->>Executor: Execute relationship tasks
Executor->>Builder: AddRelationships()
CreateSBOM->>Executor: Execute cleanup tasks
CreateSBOM-->>CLI: *sbom.SBOM
Note over CLI: Format Output
CLI->>CLI: Write multi-format outputPackage object
The pkg.Package object is a core data structure that represents a software package.
Key fields include:
FoundBy: the name of the cataloger that discovered this package (e.g. python-pip-cataloger).Locations: the set of paths and layer IDs that were parsed to discover this package.Language: the language of the package (e.g. python).Type: a high-level categorization of the ecosystem the package resides in. For instance, even if the package is an egg, wheel, or requirements.txt reference, it is still logically a “python” package. Not all package types align with a language (e.g. rpm) but it is common.Metadata: specialized data for specific location(s) parsed. This should contain as much raw information as seems useful, kept as flat as possible using the raw names and values from the underlying source material.Metadata
Packages can have specialized metadata that is specific to the package type and source of information.
This metadata is stored in the Metadata field of the pkg.Package struct as an any type, allowing for flexibility in the data stored.
When pkg.Package is serialized, an additional MetadataType field is shown to help consumers understand the datashape of the Metadata field.
By convention the MetadataType value follows these rules:
dart-pubspec-lock is better than pubspec-lock. For OS package managers this is not necessary (e.g. apk-db-entry is good, but alpine-apk-db-entry is redundant).ruby-gem is NOT a good MetadataType value, but ruby-gemspec is, since Ruby gem information can come from a gemspec file or a Gemfile.lock, which are very different.r-description-installed-file is not good since it’s trying to convey how we use the DESCRIPTION file. Instead simply describe what the DESCRIPTION file is: r-description.lock suffix to distinguish between manifest files that loosely describe package version requirements vs files that strongly specify one and only one version of a package (“lock” files). These should only be used with respect to package managers that have the guide and lock distinction, but would not be appropriate otherwise (e.g. rpm does not have a guide vs lock, so lock should NOT be used to describe a db entry).archive suffix to indicate a package archive (e.g. rpm file, apk file) that describes the contents of the package. For example an RPM file would have a rpm-archive metadata type (not to be confused with an RPM DB record entry which would be rpm-db-entry).entry suffix to indicate information about a package found as a single entry within a file that has multiple package entries. If found within a DB or flat-file store for an OS package manager, use db-entry.package, though exceptions are allowed if the canonical name literally has the phrase package in it.file suffix unless the canonical name has the term “file”, such as a pipfile or gemfile.pipfile.lock shouldn’t be in the name; instead describe what the file is: python-pipfile-lock.metadata, unless the canonical name has this term.HackageMetadata struct is not allowed since it represents 3 mutually exclusive use cases: stack.yaml, stack.lock, or cabal.project. Each should have its own struct and MetadataType.The goal is to provide a consistent naming scheme that is easy to understand. If the rules don’t apply in your situation, use your best judgement.
When the underlying parsed data represents multiple files, there are two approaches:
dpkg-cataloger looks at multiple files, it’s the status file that gets represented.Metadata field. For instance, the java-archive-cataloger may find information from pom.xml, pom.properties, and MANIFEST.MF. The metadata is java-metadata with each possibility as a nested optional field.Catalogers are the mechanism by which Syft identifies and constructs packages given a targeted list of files.
For example, a cataloger can ask Syft for all package-lock.json files in order to parse and raise up JavaScript packages (see file globs and file parser functions for examples).
There is a generic cataloger implementation that can be leveraged to quickly create new catalogers by specifying file globs and parser functions (browse the source code for syft catalogers for example usage).
From a high level, catalogers have the following properties:
They are independent of one another. The Java cataloger has no idea of the processes, assumptions, or results of the Python cataloger, for example.
They do not know what source is being analyzed. Are we analyzing a local directory? An image? If so, the squashed representation or all layers? The catalogers do not know the answers to these questions. Only that there is an interface to query for file paths and contents from an underlying “source” being scanned.
Packages created by the cataloger should not be mutated after they are created. There is one exception made for adding CPEs to a package after the cataloging phase, but that will most likely be moved back into the cataloger in the future.
Cataloger names should be unique and named with these rules in mind:
-catalogerpython-)ruby-gemspec-cataloger and ruby-installed-gemspec-cataloger, where the latter requires that the gemspec is found within a specifications directory (meaning it was installed, not just at the root of a source repo).All catalogers are provided an instance of the file.Resolver to interface with the image and search for files.
The implementations for these abstractions leverage stereoscope to perform searching.
Here is a rough outline how that works:
A stereoscope file.Index is searched based on the input given (a path, glob, or MIME type). The index is relatively
fast to search, but requires results to be filtered down to the files that exist in the specific layer(s) of interest.
This is done automatically by the filetree.Searcher abstraction. This abstraction will fallback to searching
directly against the raw filetree.FileTree if the index does not contain the file(s) of interest.
Note: the filetree.Searcher is used by the file.Resolver abstraction.
Once the set of files are returned from the filetree.Searcher the results are filtered down further to return
the most unique file results. For example, you may have requested files by a glob that returns multiple results.
These results are filtered down to deduplicate by real files, so if a result contains two references to the same file
(one accessed via symlink and one accessed via the real path), then the real path reference is returned and the symlink
reference is filtered out. If both were accessed by symlink then the first (by lexical order) is returned.
This is done automatically by the file.Resolver abstraction.
By the time results reach the pkg.Cataloger you are guaranteed to have a set of unique files that exist in the
layer(s) of interest (relative to what the resolver supports).
The CLI (in the cmd/syft/ package) and the core library API (in the syft/ package) are separate layers with a clear boundary.
Application level concerns always reside with the CLI, while the core library focuses on SBOM generation logic.
That means that there is an application configuration (e.g. cmd/syft/cli) and a separate library configuration, and when the CLI uses
the library API, it must adapt its configuration to the library’s configuration types. In that adapter, the CLI layer
defers to API-level defaults as much as possible so there is a single source of truth for default behavior.
See the Syft reponitory on GitHub for detailed API example usage.
At a high level, this is the package structure of Grype:
./cmd/grype/ // main entrypoint
│ └── ...
└── grype/ // the "core" grype library
├── db/ // vulnerability database management, schemas, readers, and writers
│ ├── v5/ // V5 database schema
│ └── v6/ // v6 database schema
├── match/ // core types for matches and result processing
├── matcher/ // vulnerability matching strategies
│ ├── stock/ // default matcher (ecosystem + CPE)
│ └── <ecosystem>/ // ecosystem-specific matchers (java, dpkg, rpm, etc.)
├── pkg/ // types for package representation (wraps Syft packages)
├── search/ // search criteria and strategies
├── version/ // version comparison across formats
├── vulnerability/ // core types for vulnerabilities and provider interface
└── presenter/ // output formatters (JSON, table, etc.)
The grype package and subpackages implement Grype’s core library. The major packages work together in a pipeline:
grype/pkg package wraps Syft packages and prepares them as match candidates, augmenting them with upstream package information and CPEs.grype/matcher package contains matching strategies that search for vulnerabilities matching specific package types.grype/db package manages the vulnerability database and provides query interfaces for matchers.grype/vulnerability package defines vulnerability data structures and the Provider interface for database queries.grype/search package implements search strategies (ecosystem, distro, CPE) and criteria composition.grype/presenter package formats match results into various output formats.This design creates a clear flow: SBOM → package preparation → matching → results:
sequenceDiagram
actor User
participant CLI
participant DB as Database
participant Prep as Package Prep
participant Match as Matching Engine
participant Post as Post-Processing
participant Format as Presenter
User->>CLI: grype <target>
CLI->>CLI: Parse configuration
Note over CLI: Input Phase
alt SBOM provided
CLI->>CLI: Load SBOM from file
else Scan target
CLI->>CLI: Generate SBOM with Syft
end
Note over CLI,Prep: Preparation Phase
CLI->>DB: Load vulnerability database
DB-->>CLI: Database provider
CLI->>Prep: Prepare packages for matching
Note over Prep: Wrap Syft packages<br/>Add upstream packages<br/>Generate CPEs<br/>Filter overlaps
Prep-->>CLI: Match candidates
Note over CLI,Match: Matching Phase
CLI->>Match: FindMatches(match candidates, provider)
Note over Match: Group by package type<br/>Select matchers<br/>Execute in parallel
Match-->>CLI: Raw matches + ignore filters
Note over CLI,Post: Post-Processing Phase
CLI->>Post: Process matches
Note over Post: Apply ignore filters<br/>Apply user ignore rules<br/>Apply VEX statements<br/>Deduplicate results
Post-->>CLI: Final matches
Note over CLI,Format: Output Phase
CLI->>Format: Format results
Format-->>User: Vulnerability reportThis diagram zooms into the Matching Phase from the high-level diagram, showing how the matching engine executes parallel matcher searches against the database. Components are grouped in boxes to show how they map to the high-level participants.
sequenceDiagram
participant CLI as grype/main
box rgba(200, 220, 240, 0.3) Matching Engine
participant Matcher as VulnerabilityMatcher
participant M as Matcher<br/>(Stock, Java, Dpkg, etc.)
end
participant Search as Search Strategies
box rgba(220, 240, 200, 0.3) Database
participant Provider as DB Provider
participant DB as SQLite
end
Note over CLI,DB: Matching Phase (expanded from high-level view)
CLI->>Matcher: FindMatches(match candidates, provider)
Matcher->>Matcher: Group candidates by package type
Note over Matcher,M: Each matcher runs in parallel with ecosystem-specific logic
loop For each package type (stock, java, dpkg, etc.)
Matcher->>M: Match(packages for this type)
M->>Search: Build search criteria<br/>(ecosystem, distro, or CPE-based)
Search->>Provider: SearchForVulnerabilities(criteria)
Provider->>DB: Query vulnerability_handles
DB-->>Provider: Matching handles
Provider->>Provider: Compare versions against constraints
Provider->>DB: Check unaffected_package_handles
DB-->>Provider: Unaffected records
Provider->>DB: Load blobs for confirmed matches
DB-->>Provider: Vulnerability details
Provider-->>Search: Confirmed matches
Search-->>M: Filtered matches
M-->>Matcher: Matches + ignore filters
end
Matcher->>Matcher: Collect matches from all matchers
Matcher-->>CLI: Raw matches + ignore filters
Note over CLI: Continues to Post-Processing Phase (see high-level view)Grype uses Syft’s SBOM generation capabilities rather than reimplementing package cataloging. The integration happens at two levels:
The grype/pkg package wraps syft/pkg.Package objects and augments them with matching-specific data:
This wrapping pattern maintains a clear architectural boundary. Syft focuses on finding packages, while Grype focuses on finding vulnerabilities in those packages.
The grype/pkg package converts Syft packages into Grype match candidates. The pkg.FromCollection() function performs this conversion:
grype.Package that preserves the original package data.The grype.Package type maintains a reference to the original syft.Package while augmenting it with:
Upstreams []UpstreamPackage: Source packages to search in addition to the binary package.CPEs []syftPkg.CPE: Generated CPE identifiers for fallback matching.This design preserves the complete SBOM information while preparing packages for the matching process. Matchers receive these enhanced packages and decide which attributes to use for searching.
The data flow through Grype follows these steps:
grype.Package match candidates, adding upstream packages, CPEs, and filtering overlapping packages.The database sits at the center of this flow. All matchers query the same database provider, but they use different search strategies based on their package types.
Grype uses a SQLite database to store vulnerability data. The database design prioritizes query performance and storage efficiency.
In order to interoperate any DB schema with the high-level Grype engine, each schema must implement a Provider interface.
This allows for DB specific schemas to be adapted to the core Grype types.
v6 Schema design
The overall design of the v6 database schema is heavily influenced by the OSV schema,
so if you are familiar with OSV, many of the entities / concepts will feel similar.
The database uses a blob + handle pattern:
Handles: Small, indexed records containing anything you might want to search by (package name, vulnerability id, provider name, etc.). Grype stores these in tables optimized for fast lookups. These tables point to blobs for full details. See the Grype DB SQL schemas for more details on handle table structures.
Blobs: Full JSON documents containing complete vulnerability details. Grype stores these separately and loads them only when a match is made. See the Grype DB blob schemas for more details on blob structures.
This separation allows Grype to quickly query millions of vulnerability records without loading full vulnerability details until necessary.
Key tables include:
vulnerability_handles: Searchable for vulnerability records by name (CVE/advisory ID), status (active, withdrawn, etc), published/modified/withdrawn dates, and provider ID.
References a blob containing full vulnerability details (description, references, aliases, severities).
affected_package_handles: Links vulnerabilities, packages, and (optionally) operating systems.
The referenced blob contains version constraints (for example, “vulnerable in 1.0.0 to 1.2.5”) and fix information.
Used when the package ecosystem is known (npm, python, gem, etc.).
unaffected_package_handles: Explicitly marks package versions that are NOT vulnerable.
Same structure as affected_package_handles but represents exemptions.
These are applied on top of any discovered affected records to remove matches (thus reduce false positives).
affected_cpe_handles: Links vulnerabilities and explicit CPEs, useful when a CPE cannot be resolved to a clear package ecosystem.
packages: Stores unique ecosystem + name combinations (for example, ecosystem=‘npm’, name=‘lodash’).
operating_systems: Stores OS release information with name, major/minor version, codename, and channel (for example, RHEL EUS versus mainline).
Provides context for distro-specific package matching.
cpes: Stores parsed CPE 2.3 components (part, vendor, product, edition, etc.).
Version constraints are stored in blobs, not in this table.
blobs: Complete vulnerability, package, and decorator details as compressed JSON.
There are 3 blob types:
VulnerabilityBlob (full vulnerability data)PackageBlob (version ranges and fixes)KnownExploitedVulnerabilityBlob (KEV catalog data).Additional decorator tables enhance vulnerability information:
known_exploited_vulnerability_handles: Links CVE identifiers to blob containing CISA KEV catalog data (date added, vendor, product, required action, ransomware campaign use).
epss_handles: Stores EPSS (Exploit Prediction Scoring System) data with CVE identifier, EPSS score (0-1 probability), and percentile ranking.
cwe_handles: Maps CVE identifiers to CWE (Common Weakness Enumeration) IDs with source and type information.
The schema also includes a package_cpes junction table creating many-to-many relationships between packages and CPEs.
When a CPE can be resolved to a package (via this table), vulnerabilities use affected_package_handles.
When a CPE cannot be resolved, vulnerabilities use affected_cpe_handles instead.
Grype versions the database schema (currently v6). When the schema changes, users download a new database file that Grype automatically detects and uses.
Relationships between tables enable efficient querying:
grype/version package filters handles by version constraints.Version constraints in the database use multi-version constraint syntax, allowing a single record to express complex version ranges like “affected in 1.0.0 to 1.2.5 and 2.0.0 to 2.1.3”.
The matching engine orchestrates vulnerability matching across different package types. The core component is the VulnerabilityMatcher, which:
The ignore filter mechanism is important. For example, the dpkg matcher searches both the binary package name and the source package name. When it finds a match via the source package, it creates an ignore filter so the stock matcher doesn’t report the same vulnerability using a CPE match. This prevents duplicate matches for the same vulnerability.
Each matcher implements the Matcher interface.
This allows Grype to support multiple matching strategies for different package ecosystems.
The process of making a match involves several steps:
grype/version package compares the package version against the vulnerability’s version constraints.Match objects with confidence scores (the scores are currently unused).Matchers determine what to search for based on package type and available metadata. Grype supports three main search strategies:
Ecosystem search: Queries vulnerabilities by package name and version within a specific package ecosystem (npm, pypi, gem, etc.). Search fields include ecosystem, package name, and version. The database returns handles where the package name matches and version constraints include the specified version.
Distro search: Queries vulnerabilities by Linux distribution, package name, and version for OS packages managed by apt, yum, or apk. Search fields include distro name and version (for example, debian:10), package name, and version. Also understands distro channels like RHEL EUS versus mainline.
CPE matching: Fallback strategy when ecosystem or distro matching isn’t applicable, using CPE identifiers in the format cpe:2.3:a:vendor:product:version:.... Search fields include CPE components (part, vendor, product). Broader and less precise than ecosystem matching, used primarily when ecosystem data isn’t available.
The grype/search package provides a criteria system that matchers use to express search requirements.
Criteria can be combined with AND and OR operators:
AND(ecosystem("npm"), packageName("lodash"), version("4.17.20"))OR(distro("debian:10"), distro("debian:11"))The database provider translates these criteria into SQL queries against the handle tables. This abstraction allows matchers to express complex search requirements without writing SQL directly.
Ideally, matchers orchestrate search criteria at a high level, letting each specific criteria type handle its own needs. It’s the vulnerability provider that ultimately translates criteria into efficient database queries.
Grype supports multiple version formats because different ecosystems have different versioning schemes.
The grype/version package provides format-specific version comparers,
falling back to a “catch all” fuzzy comparer when the format cannot be determined.
Each format has its own constraint parser that understands ecosystem-specific constraint syntax. The version comparison system detects the appropriate format based on the package type, then uses the correct comparer to evaluate version constraints from the database.
The records from the Grype DB specify which version format to use on one side of the comparison, and the package type determines the format on the other side. If no specific format is found, or the formats are incompatible (essentially do not match), the fuzzy comparer is used as a last resort.
grype-db is essentially an application that extracts information from upstream vulnerability data providers, transforms it into smaller records targeted for Grype consumption, and loads the individual records into a new SQLite DB.
flowchart LR
subgraph pull["Pull"]
A[Pull vuln data<br/>from upstream]
end
subgraph build["Build"]
B[Transform entries]
C[Load entries<br/>into new DB]
end
subgraph package["Package"]
D[Package DB]
end
A --> B --> C --> D
style pull stroke-dasharray: 5 5, fill:none
style build stroke-dasharray: 5 5, fill:none
style package stroke-dasharray: 5 5, fill:noneWhat makes grype-db unique compared to a typical ETL job is the extra responsibility of needing to transform the most recent vulnerability data shape (defined in the vunnel repo) to all supported DB schema versions.
From the perspective of the Daily DB Publisher workflow, (abridged) execution looks something like this:
%%{ init: { 'flowchart': { 'curve': 'linear' } } }%%
flowchart LR
A[Pull vulnerability data]
B5[Build v5 DB]
C5[Package v5 DB]
D5[Publish v5]
B6[Build v6 DB]
C6[Package v6 DB]
D6[Publish v6]
A --- B5 --> C5 --> D5
A --- B6 --> C6 --> D6In order to support multiple DB schemas easily from a code-organization perspective, the following abstractions exist:
Provider - Responsible for providing raw vulnerability data files that are cached locally for later processing.
Processor - Responsible for unmarshalling any entries given by the Provider, passing them into Transformers, and returning any resulting entries. Note: the object definition is schema-agnostic but instances are schema-specific since Transformers are dependency-injected into this object.
Transformer (v5, v6) - Takes raw data entries of a specific vunnel-defined schema and transforms the data into schema-specific entries to later be written to the database. Note: the object definition is schema-specific, encapsulating grypeDB/v# specific objects within schema-agnostic Entry objects.
Entry - Encapsulates schema-specific database records produced by Processors/Transformers (from the provider data) and accepted by Writers.
Writer (v5, v6) - Takes Entry objects and writes them to a backing store (today a SQLite database). Note: the object definition is schema-specific and typically references grypeDB/v# schema-specific writers.
All the above abstractions are defined in the pkg/data Go package and are used together commonly in the following flow:
%%{ init: { 'flowchart': { 'curve': 'linear' } } }%%
flowchart LR
A["data.Provider"]
subgraph processor["data.Processor"]
direction LR
B["unmarshaller"]
C["v# data.Transformer"]
B --> C
end
D["data.Writer"]
E["grypeDB/v#/writer.Write"]
A -->|"cache file"| processor
processor -->|"[]data.Entry"| D --> E
style processor fill:noneWhere there is:
data.Provider for each upstream data source (e.g. canonical, redhat, github, NIST, etc.)data.Processor for every vunnel-defined data shape (github, os, msrc, nvd, etc… defined in the vunnel repo)data.Transformer for every processor and DB schema version pairingdata.Writer for every DB schema versionFrom a Go package organization perspective, the above abstractions are organized as follows:
grype-db/
└── pkg
├── data # common data structures and objects that define the ETL flow
├── process
│ ├── processors # common data.Processors to call common unmarshallers and pass entries into data.Transformers
│ ├── v5 # schema v5 (legacy, active)
│ │ ├── processors.go # wires up all common data.Processors to v5-specific data.Transformers
│ │ ├── writer.go # v5-specific store writer
│ │ └── transformers # v5-specific transformers
│ └── v6 # schema v6 (current, active)
│ ├── processors.go # wires up all common data.Processors to v6-specific data.Transformers
│ ├── writer.go # v6-specific store writer
│ └── transformers # v6-specific transformers
└── provider # common code to pull, unmarshal, and cache upstream vuln data into local files
└── ...
Note: Historical schema versions (v1-v4) have been removed from the codebase.
The definitions of what goes into the database and how to access it (both reads and writes) live in the public grype repo under the grype/db package. Responsibilities of grype (not grype-db) include (but are not limited to):
The purpose of grype-db is to use the definitions from grype/db and the upstream vulnerability data to create DB archives and make them publicly available for consumption via Grype.
Grype DB currently supports two active schema versions, each with a different distribution mechanism:
Historical schemas (v1-v4) are no longer supported and their code has been removed from the codebase.
The listing.json file is a legacy distribution mechanism used for schema v5 (and historically v1-v4):
databases/listing.json{ "available": { "1": [...], "2": [...], "5": [...] } }The latest.json file is the modern distribution mechanism used for schema v6 and future versions:
databases/v{major}/latest.json (e.g., v6/latest.json, v7/latest.json){ "url": "...", "built": "...", "checksum": "...", "schemaVersion": 6 }This dual-distribution approach allows Grype to maintain backward compatibility with v5 while providing a more efficient distribution mechanism for v6 and future versions.
Implementation Notes:
grype repo, while the grype-db repo is responsible for generating DBs and creating/updating these distribution filesThere are two workflows that drive getting a new Grype DB out to OSS users:
This workflow takes the upstream vulnerability data (from canonical, redhat, debian, NVD, etc), processes it, and writes the results to OCI repos.
%%{ init: { 'flowchart': { 'curve': 'linear' } } }%%
flowchart LR
A1["Pull alpine"] --> B1["Publish to ghcr.io/anchore/grype-db/data/alpine:<date>"]
A2["Pull amazon"] --> B2["Publish to ghcr.io/anchore/grype-db/data/amazon:<date>"]
A3["Pull debian"] --> B3["Publish to ghcr.io/anchore/grype-db/data/debian:<date>"]
A4["Pull github"] --> B4["Publish to ghcr.io/anchore/grype-db/data/github:<date>"]
A5["Pull nvd"] --> B5["Publish to ghcr.io/anchore/grype-db/data/nvd:<date>"]
A6["..."] --> B6["... repeat for all upstream providers ..."]
style A6 fill:none,stroke:none
style B6 fill:none,stroke:noneOnce all providers have been updated, a single vulnerability cache OCI repo is updated with all of the latest vulnerability data at ghcr.io/anchore/grype-db/data:<date>. This repo is what is used downstream by the DB publisher workflow to create Grype DBs.
The in-repo .grype-db.yaml and .vunnel.yaml configurations are used to define the upstream data sources, how to obtain them, and where to put the results locally.
This workflow takes the latest vulnerability data cache, builds a Grype DB, and publishes it for general consumption:
%%{ init: { 'flowchart': { 'curve': 'linear' } } }%%
flowchart LR
subgraph pull["1. Pull"]
A["Pull vuln data<br/>(from the daily<br/>sync workflow<br/>output)"]
end
subgraph generate["2. Generate Databases"]
B5["Build v5 DB"]
C5["Package v5 DB"]
D5["Upload Archive"]
B6["Build v6 DB"]
C6["Package v6 DB<br/>(includes latest.json)"]
D6["Upload Archive<br/>+ latest.json"]
B5 --> C5 --> D5
B6 --> C6 --> D6
end
subgraph listing["3. Update Listing (v5 only)"]
F["Update listing.json"]
end
A --- B5
A --- B6
D5 --- F
D6 -.->|"No listing update<br/>needed for v6"| G[Done]
style pull stroke-dasharray: 5 5, fill:none
style generate stroke-dasharray: 5 5, fill:none
style listing stroke-dasharray: 5 5, fill:none
style G fill:none,stroke:noneThe manager/ directory contains all code responsible for driving the Daily DB Publisher workflow, generating DBs for all supported schema versions (currently v5 and v6) and making them available to the public.
Download the latest vulnerability data from various upstream data sources into a local directory. The destination for the provider data is in the data/vunnel directory.
Build databases for all supported schema versions based on the latest vulnerability data and upload them to Cloudflare R2 (S3-compatible storage).
Supported Schemas (see schema-info.json):
Build and Upload Process:
Each DB undergoes the following steps:
.tar.zst)Storage Location:
https://grype.anchore.io/databases/...databases/<archive-name>.tar.zstdatabases/v6/<archive-name>.tar.zst + databases/v6/latest.jsonKey Difference:
latest.json are uploaded atomically, making the DB immediately discoverableThis step only applies to schema v5.
Generate and upload a new listing.json file to Cloudflare R2 based on the existing listing file and newly discovered DB archives.
The listing file is tested against installations of Grype to ensure scans can successfully discover and download the DB. The scan must have a non-zero count of matches to pass validation.
Once the listing file has been uploaded to databases/listing.json, user-facing Grype v5 installations can discover and download the new DB.
Note: Schema v6 does not require this step because the latest.json file is generated and uploaded atomically with the DB archive in step 2, with a 5-minute cache TTL for fast updates.
For more details on:
Vunnel is a CLI tool that downloads and processes vulnerability data from various sources (in the codebase, these are called “providers”).
flowchart LR
subgraph input[ ]
alpine_data(((<b>Alpine Sec DB</b><br/><small>secdb.alpinelinux.org</small>)))
rhel_data(((<b>RedHat CSAF</b><br/><small>redhat.com/security</small>)))
nvd_data(((<b>NVD Data</b><br/><small>services.nvd.nist</small>)))
other_data((("...")))
end
subgraph vunnel["<b>Vunnel</b>"]
alpine_provider[Alpine Provider]
rhel_provider[RHEL Provider]
nvd_provider[NVD Provider]
other_provider[(...)]
end
subgraph output[ ]
alpine_out[./data/alpine/]
rhel_out[./data/rhel/]
nvd_out[./data/nvd/]
other_out[...]
end
alpine_data -->|download| alpine_provider
rhel_data -->|download| rhel_provider
nvd_data -->|download| nvd_provider
alpine_provider -->|write| alpine_out
rhel_provider -->|write| rhel_out
nvd_provider -->|write| nvd_out
vunnel:::Application
style other_data fill:none,stroke:none
style other_provider fill:none,stroke:none
style other_out fill:none,stroke:none
style output fill:none,stroke:none
style input fill:none,stroke:none
alpine_data:::ExternalSource@{ shape: cloud }
rhel_data:::ExternalSource@{ shape: cloud }
nvd_data:::ExternalSource@{ shape: cloud }
alpine_provider:::Provider
rhel_provider:::Provider
nvd_provider:::Provider
alpine_out:::Database@{ shape: db }
rhel_out:::Database@{ shape: db }
nvd_out:::Database@{ shape: db }
classDef ExternalSource stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#f0f8ff, color:#000000
classDef Application fill:#e1ffe1,stroke:#424242,stroke-width:1px
classDef Provider fill:#none,stroke:#424242,stroke-width:1px
classDef Database stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#fff9c4, color:#000000Conceptually, one or more invocations of Vunnel will produce a single data directory which Grype DB uses to create a Grype database:
flowchart LR
subgraph vunnel_runs[ ]
vunnel_alpine[<b>vunnel run alpine</b>]
vunnel_rhel[<b>vunnel run rhel</b>]
vunnel_nvd[<b>vunnel run nvd</b>]
vunnel_other[(...)]
end
subgraph data[ ]
alpine_data[./data/alpine/]
rhel_data[./data/rhel/]
nvd_data[./data/nvd/]
other_data[...]
end
db_processor[Grype-DB]
subgraph db_out[ ]
sqlite_db[vulnerability.db<br/><small>sqlite</small>]
end
vunnel_alpine -->|write| alpine_data
vunnel_rhel -->|write| rhel_data
vunnel_nvd -->|write| nvd_data
alpine_data -->|read| db_processor
rhel_data -->|read| db_processor
nvd_data -->|read| db_processor
db_processor -->|write| sqlite_db
db_processor:::Application
vunnel_alpine:::Application
vunnel_rhel:::Application
vunnel_nvd:::Application
sqlite_db:::Database@{ shape: db }
alpine_data:::Database@{ shape: db }
rhel_data:::Database@{ shape: db }
nvd_data:::Database@{ shape: db }
style vunnel_other fill:none,stroke:none
style other_data fill:none,stroke:none
style vunnel_runs fill:none,stroke:none
style data fill:none,stroke:none
style db_out fill:none,stroke:none
classDef Application fill:#e1ffe1,stroke:#424242,stroke-width:1px
classDef Database stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#fff9c4, color:#000000The Vunnel CLI tool is optimized to run a single provider at a time, not orchestrating multiple providers at once. Grype DB is the tool that collates output from multiple providers and produces a single database, and is ultimately responsible for orchestrating multiple Vunnel calls to prepare the input data:
flowchart LR
config["<code><b># .grype-db.yaml</b></code><br><code>providers:</code><br><code> - alpine</code><br><code> - rhel</code><br><code> - nvd</code><br><code> - ...</code>"]
pull[grype-db pull]
subgraph vunnel_runs[ ]
vunnel_alpine[<b>vunnel run alpine</b>]
vunnel_rhel[<b>vunnel run rhel</b>]
vunnel_nvd[<b>vunnel run nvd</b>]
vunnel_other[<b>vunnel run ...</b>]
end
subgraph data[ ]
data_out[(./data/)]
end
config -->|read| pull
pull -->|execute| vunnel_alpine
pull -->|execute| vunnel_rhel
pull -->|execute| vunnel_nvd
pull -.->|execute| vunnel_other
vunnel_alpine -->|write| data_out
vunnel_rhel -->|write| data_out
vunnel_nvd -->|write| data_out
vunnel_other -.->|write| data_out
pull:::Application
vunnel_alpine:::Application
vunnel_rhel:::Application
vunnel_nvd:::Application
vunnel_other:::Application
config:::AnalysisInput@{ shape: document }
data_out:::Database@{ shape: db }
style vunnel_runs fill:none,stroke:none
style data fill:none,stroke:none
classDef AnalysisInput stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#f0f8ff, color:#000000
classDef Application fill:#e1ffe1,stroke:#424242,stroke-width:1px
classDef Database stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#fff9c4, color:#000000flowchart LR
subgraph data[ ]
data_in[(./data/)]
end
build[grype-db build]
subgraph db_out[ ]
db[(vulnerability.db<br/><small>sqlite</small>)]
end
data_in -->|read| build
build -->|write| db
build:::Application
data_in:::Database@{ shape: db }
db:::Database@{ shape: db }
style data fill:none,stroke:none
style db_out fill:none,stroke:none
classDef Application fill:#e1ffe1,stroke:#424242,stroke-width:1px
classDef Database stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#fff9c4, color:#000000flowchart LR
subgraph db_in[ ]
db[vulnerability.db<br/><small>sqlite</small>]
end
package[grype-db package]
subgraph archive_out[ ]
archive[[vulnerability-db-DATE.tar.gz]]
end
db -->|read| package
package -->|write| archive
package:::Application
db:::Database@{ shape: db }
archive:::Database@{ shape: document }
style db_in fill:none,stroke:none
style archive_out fill:none,stroke:none
classDef Application fill:#e1ffe1,stroke:#424242,stroke-width:1px
classDef Database stroke-width:1px, stroke-dasharray:none, stroke:#424242, fill:#fff9c4, color:#000000For more information about how Grype DB uses Vunnel see the Grype DB Architecture page.
A “Provider” is the core abstraction for Vunnel and represents a single source of vulnerability data. Vunnel is a CLI wrapper around multiple vulnerability data providers.
All provider implementations should:
src/vunnel/providers in their own directory (e.g. the NVD provider code is under src/vunnel/providers/nvd/...)Provider interfacesrc/vunnel/providers/__init__.pyEach provider has a “workspace” directory within the “vunnel root” directory (defaults to ./data) named after the provider.
data/ # the "vunnel root" directory
└── alpine/ # the provider workspace directory
├── input/ # any file that needs to be downloaded and referenced should be stored here
├── results/ # schema-compliant vulnerability results (1 record per file)
├── checksums # listing of result file checksums (xxh64 algorithm)
└── metadata.json # metadata about the input and result files
The metadata.json and checksums are written out after all results are written to results/. An example metadata.json:
{
"provider": "amazon",
"urls": ["https://alas.aws.amazon.com/AL2022/alas.rss"],
"listing": {
"digest": "dd3bb0f6c21f3936",
"path": "checksums",
"algorithm": "xxh64"
},
"timestamp": "2023-01-01T21:20:57.504194+00:00",
"schema": {
"version": "1.0.0",
"url": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/provider-workspace-state/schema-1.0.0.json"
}
}
Where:
provider: the name of the provider that generated the resultsurls: the URLs that were referenced to generate the resultslisting: the path to the checksums listing file that lists all of the results, the checksum of that file, and the algorithm used to checksum the file (and the same algorithm used for all contained checksums)timestamp: the point in time when the results were generated or last updatedschema: the data shape that the current file conforms toAll results from a provider are handled by a common base class helper (provider.Provider.results_writer()) and is driven by the application configuration (e.g. JSON flat files or SQLite database). The data shape of the results are self-describing via an envelope with a schema reference.
For example:
{
"schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json",
"identifier": "3.3/cve-2015-8366",
"item": {
"Vulnerability": {
"Severity": "Unknown",
"NamespaceName": "alpine:3.3",
"FixedIn": [
{
"VersionFormat": "apk",
"NamespaceName": "alpine:3.3",
"Name": "libraw",
"Version": "0.17.1-r0"
}
],
"Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366",
"Description": "",
"Metadata": {},
"Name": "CVE-2015-8366",
"CVSS": []
}
}
}
Where:
schema field is a URL to the schema that describes the data shape of the item fieldidentifier field should have a unique identifier within the context of the provider resultsitem field is the actual vulnerability data, and the shape of this field is defined by the schemaNote that the identifier is 3.3/cve-2015-8366 and not just cve-2015-8366 in order to uniquely identify cve-2015-8366 as applied to the alpine 3.3 distro version among other records in the results directory.
Currently only JSON payloads are supported.
Possible vulnerability schemas supported within the vunnel repo are:
If at any point a breaking change needs to be made to a provider (and say the schema remains the same), then you can set the __version__ attribute on the provider class to a new integer value (incrementing from 1 onwards). This is a way to indicate that the cached input/results are not compatible with the output of the current version of the provider, in which case the next invocation of the provider will delete the previous input and results before running.
Each provider has a configuration object defined next to the provider class. This object is used in the vunnel application configuration and is passed as input to the provider class. Take the debian provider configuration for example:
from dataclasses import dataclass, field
from vunnel import provider, result
@dataclass
class Config:
runtime: provider.RuntimeConfig = field(
default_factory=lambda: provider.RuntimeConfig(
result_store=result.StoreStrategy.SQLITE,
existing_results=provider.ResultStatePolicy.DELETE_BEFORE_WRITE,
),
)
request_timeout: int = 125
Every provider configuration must:
dataclassruntime field that is a provider.RuntimeConfig fieldThe runtime field is used to configure common behaviors of the provider that are enforced within the vunnel.provider.Provider subclass.
on_error: what to do when the provider fails
action: choose to fail, skip, or retry when the failure occursretry_count: the number of times to retry the provider before failing (only applicable when action is retry)retry_delay: the number of seconds to wait between retries (only applicable when action is retry)input: what to do about the input data directory on failure (such as keep or delete)results: what to do about the results data directory on failure (such as keep or delete)existing_results: what to do when the provider is run again and the results directory already exists
delete-before-write: delete the existing results just before writing the first processed (new) resultdelete: delete existing results before running the providerkeep: keep the existing resultsexisting_input: what to do when the provider is run again and the input directory already exists
delete: delete the existing input before running the providerkeep: keep the existing inputresult_store: where to store the results
sqlite: store results as key-value form in a SQLite database, where keys are the record identifiers values are the json vulnerability recordsflat-file: store results in JSON files named after the record identifiersAny provider-specific config options can be added to the configuration object as needed (such as request_timeout, which is a common field).
For more details on how Grype DB uses Vunnel output, see the Grype DB Architecture page.
Almost every Thursday the OSS team holds a “Gardening” live stream on the Anchore YouTube channel. Each week, we announce what time the live stream is happening in the Announcements on Discourse.
The streams are recorded and archived in our Live stream playlist.
We hold open meetings with the community, on alternate Thursdays. These are on Zoom, and are not recorded or streamed. There is an optional agenda which can be filled in. Everyone is welcome. A webcam is not required.
Anchore has a separate Events page, for announcing industry & corporate events, and webinars.
Our tools are used by organisations and developer teams of all sizes. Below is a small sample of users of our tools, in public GitHub repositories.
More organisations below are all adopters of our tools, in public GitHub repositories.
| Repository | Stars |
|---|---|
 derailed / k9s | 31025 |
 kubescape / kubescape | 10979 |
 anchore / grype | 10629 |
 deepfence / ThreatMapper | 5142 |
 zarf-dev / zarf | 1651 |
 vdaas / vald | 1636 |
 helm / chart-testing | 1561 |
 lunasec-io / lunasec | 1456 |
 openclarity / openclarity | 1427 |
 guacsec / guac | 1406 |
 SAP / jenkins-library | 800 |
| helm / chart-releaser | 760 |
 safedep / vet | 729 |
 in-toto / witness | 494 |
 xeol-io / xeol | 409 |
 project-stacker / stacker | 289 |
 slsa-framework / slsa-verifier | 282 |
 ckotzbauer / sbom-operator | 206 |
 gitpod-io / leeway | 169 |
 go-sigma / sigma | 167 |
 docker / sbom-cli-plugin | 156 |
 vulncheck-oss / cli | 139 |
 agntcy / dir | 108 |
| anchore / grant | 104 |
| ckotzbauer / vulnerability-operator | 85 |
 wolfi-dev / wolfictl | 67 |
| agntcy / workflow-srv-mgr | 60 |
 Checkmarx / ast-cli | 57 |
 bottlerocket-os / bottlerocket-sdk | 56 |
 sammcj / mcp-devtools | 55 |
| anchore / grype-db | 54 |
| Repository | Stars |
|---|---|
| derailed / k9s | 31025 |
| kubescape / kubescape | 10979 |
| deepfence / ThreatMapper | 5142 |
| zarf-dev / zarf | 1651 |
| vdaas / vald | 1636 |
| lunasec-io / lunasec | 1456 |
| openclarity / openclarity | 1427 |
| xeol-io / xeol | 409 |
| slsa-framework / slsa-verifier | 282 |
| gitpod-io / leeway | 169 |
| ckotzbauer / vulnerability-operator | 85 |
| wolfi-dev / wolfictl | 67 |
| sammcj / mcp-devtools | 55 |
| anchore / grype-db | 54 |
Generated using github-dependents-info, by Nicolas Vuillamy"
Below are platforms maintained and monitored by Anchore OSS Team staff.
We have an official community Discourse for discussion of the Anchore OSS tools.
We post OSS and Anchore Enterprise related content on our YouTube channel.
Find and engage with us on various social media platforms.
| Mastodon | BlueSky | X | |
|---|---|---|---|
| Syft | @syft@fosstodon.org | @syftproject.bsky.social | @syftproject |
| Grype | @grype@fosstodon.org | @grypeproject.bsky.social | @grypeproject |
| Anchore | @anchore@mstdn.business | @anchore.com | @anchore |
In Syft’s JSON output format, “artifacts” refers to the array of software packages discovered during scanning. Each artifact represents a single package (library, application, OS package, etc.) with its metadata, version, licenses, locations, and identifiers like CPE and PURL. This is distinct from general software artifacts like binaries or container images.
Related documentation: Working with Syft JSON
A cryptographically signed statement about a software artifact that provides verifiable claims about its properties, such as provenance, build process, or security scan results. Attestations establish trust in the software supply chain by allowing you to verify that an SBOM truly represents a specific artifact or that vulnerability scan results are authentic.
Why it matters: Attestations enable you to verify the authenticity and integrity of SBOMs generated by Syft and vulnerability reports from Grype, ensuring they haven’t been tampered with.
A cataloger is a component within Syft that specializes in discovering and extracting package information from specific ecosystems or file formats.
Each cataloger knows how to find and parse packages for a particular type (e.g., apk-cataloger for Alpine packages, npm-cataloger for Node.js packages).
When Syft scans a target, it runs multiple catalogers to comprehensively discover all software components.
Why it matters: The foundBy field in Syft’s JSON output tells you which cataloger discovered each package, which can help debug why certain packages appear in your SBOM or troubleshoot scanning issues.
Related documentation: Working with Syft JSON
A lightweight, standalone, executable package that includes everything needed to run a piece of software, including the code, runtime, system tools, libraries, and settings. Container images are built from layers and typically run using container runtimes like Docker or containerd. See also OCI.
Why it matters: Both Syft and Grype can scan container images directly without requiring them to be running. Syft generates SBOMs from container images, and Grype scans them for vulnerabilities.
Related documentation: SBOM Generation, Vulnerability Scanning
Common Platform Enumeration (CPE) is a standardized method for describing and identifying software applications, operating systems, and hardware devices. CPEs are used in vulnerability databases to match software components with known vulnerabilities.
Formats:
cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}cpe:2.3:{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}:{sw_edition}:{target_sw}:{target_hw}:{other}cpe:2.3:wfn:[attributes]Examples:
cpe:/a:mozilla:firefox:68.0::~~~en-us~~cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*wfn:[part="a", vendor="microsoft", product="internet_explorer",version="8\.0\.6001", update="beta", edition=ANY, language=ANY]Why it matters: Syft generates CPEs for discovered packages (from the NVD dictionary or synthetic generation), which Grype then uses to match packages against vulnerability data. Understanding CPEs helps you troubleshoot why certain vulnerabilities are or aren’t being detected relative to vulnerabilities from NVD.
External resources:
Related documentation: Working with Syft JSON
Common Vulnerabilities and Exposures (CVE) is a standardized identifier for publicly known security vulnerabilities. Each CVE ID uniquely identifies a specific vulnerability and provides a common reference point for discussing and tracking security issues.
Format example: CVE-2024-12345
Why it matters: Grype reports vulnerabilities by their CVE IDs, making it easy to research specific issues, understand their impact, and find remediation guidance. Each match in a Grype scan references one or more CVE IDs.
External resources:
Related documentation: Vulnerability Scanning
Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS (base) scores range from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities.
Severity ranges:
There are more dimensions to CVSS, including Temporal and Environmental scores, but the Base score is the most commonly used as a way to quickly assess severity.
Why it matters: Grype uses CVSS scores to categorize vulnerability severity, helping you prioritize which issues to fix first. You can filter Grype results by severity level to focus on the most critical vulnerabilities.
External resources:
Related documentation: Vulnerability Scanning
CycloneDX is an open-source standard for creating Software Bill of Materials (SBOMs), supporting JSON and XML representations.
Why it matters: Syft can generate SBOMs in CycloneDX format (-o cyclonedx-json or -o cyclonedx-xml), which is widely supported by security tools and compliance platforms.
Grype can also scan CycloneDX SBOMs for vulnerabilities.
External resources:
Related documentation: SBOM Generation
A software component that another piece of software relies on to function. Dependencies can be direct (explicitly required by your code) or transitive (required by your dependencies). Understanding and tracking dependencies is crucial for security and license compliance.
Why it matters: Syft catalogs both direct and transitive dependencies in your software, creating a complete inventory. Grype then scans all dependencies for vulnerabilities, not just your direct dependencies—important because transitive dependencies often contain hidden security risks.
Short for “distribution”, referring to a specific Linux distribution like Alpine, Ubuntu, Debian, or Red Hat. The distro information includes the distribution name and version (e.g., “alpine 3.18”).
Why it matters: Grype uses distro information to match OS packages against the correct vulnerability database.
Syft automatically detects the distro from files like /etc/os-release and includes it in the SBOM, ensuring accurate vulnerability matching.
Related documentation: Working with Syft JSON
Docker is a platform for developing, shipping, and running applications in containers. While Docker is a specific implementation, the term is often used colloquially to refer to container technology in general. See Container image and OCI.
Why it matters: Syft and Grype can pull and scan images directly from Docker registries or analyze images in your local Docker daemon without needing Docker to be installed.
External resources:
In software, an ecosystem refers to a package management system and its associated community, tools, and conventions. Examples include npm (JavaScript), PyPI (Python), Maven Central (Java), and RubyGems (Ruby). Different ecosystems have different package formats, naming conventions, and vulnerability data sources.
Why it matters: Syft supports dozens of package ecosystems, and each uses a different cataloger. The ecosystem determines how packages are identified (PURL type), which metadata is captured, and which vulnerability data sources Grype uses for matching.
Related documentation: SBOM Generation
Exploit Prediction Scoring System (EPSS) is a data-driven framework that estimates the probability that a software vulnerability will be exploited in the wild within the next 30 days.
EPSS provides two complementary metrics:
Unlike CVSS which measures theoretical severity, EPSS predicts actual exploitation probability by analyzing factors like available exploits, social media activity, and observed attacks (among other signals).
Why it matters: EPSS helps you prioritize vulnerabilities more effectively than severity alone. A critical CVSS vulnerability with a low EPSS score might be less urgent than a medium severity issue with a high EPSS score. Grype can display EPSS scores alongside CVSS to help you focus remediation efforts on vulnerabilities that are both severe and likely to be exploited.
External resources:
Related documentation: Vulnerability Scanning
In the context of scanning for vulnerabilities, a false positive is a vulnerability-package match reported by a scanner that doesn’t actually affect the software package in question. False positives can occur due to incorrect CPE matching, version misidentification, or when a vulnerability applies to one variant of a package but not another.
Why it matters: When Grype reports a false positive, you can use VEX documents or Grype’s ignore rules to suppress it, preventing alert fatigue and focusing on real security issues. If you believe a match is incorrect, you can report it on GitHub to help improve Grype for everyone.
In the context of scanning for vulnerabilities, a false negative occurs when a scanner fails to detect a vulnerability that actually affects a software package. False negatives can happen when vulnerability data is incomplete, when a package uses non-standard naming or versioning, when CPE or PURL identifiers don’t match correctly, or when the vulnerability database hasn’t been updated yet.
Why it matters: False negatives are more dangerous than false positives because they create a false sense of security. To minimize false negatives, keep Grype’s vulnerability database updated regularly and understand that no scanner catches 100% of vulnerabilities—defense in depth and multiple security controls are essential.
Known Exploited Vulnerability (KEV) is a designation for vulnerabilities that have been confirmed as actively exploited in real-world attacks. CISA (Cybersecurity and Infrastructure Security Agency) maintains the authoritative KEV catalog, which lists CVEs with evidence of active exploitation and provides binding operational directives for federal agencies.
The CISA KEV catalog includes:
Vulnerabilities are added to the KEV catalog based on reliable evidence of active exploitation, such as public reporting, threat intelligence, or incident response data.
Why it matters: KEV status is a strong signal for prioritization—these vulnerabilities are being actively exploited right now. When Grype identifies a vulnerability that’s on the CISA KEV list, you should treat it as urgent regardless of CVSS score. A medium-severity KEV vulnerability poses more immediate risk than a critical-severity vulnerability that’s never been exploited. Some organizations make KEV remediation mandatory within tight timeframes (e.g., 15 days for critical KEVs).
External resources:
Related documentation: Vulnerability Scanning
Container images are built as a series of filesystem layers, where each layer represents changes from a Dockerfile instruction. Layers are stacked together to create the final filesystem.
Why it matters: By default, Syft scans only the “squashed” view of an image (what you’d see if the container were running).
Use --scope all-layers to scan all layers, which can reveal packages that were installed then deleted, potentially exposing vulnerabilities in build-time dependencies.
Related documentation: SBOM Generation
A legal instrument governing the use and distribution of software. Software licenses range from permissive (MIT, Apache) to copyleft (GPL) to proprietary.
Why it matters: Syft extracts license information from packages and includes it in SBOMs, helping you ensure compliance with open source licenses and identify packages with incompatible or restricted licenses.
Related documentation: License Compliance
A match is a vulnerability finding in Grype’s output, representing a single package-vulnerability pair. Each match indicates that a specific package version is affected by a particular CVE.
Related documentation: Vulnerability Scanning
A matcher is a component within Grype that compares package information against vulnerability data using specific matching strategies. Different matchers handle different package types or ecosystems (e.g., distro matcher for OS packages, language matcher for application dependencies).
Why it matters: Grype uses multiple matchers to ensure comprehensive vulnerability coverage. The matcher used for each finding is included in detailed output, helping you understand how the match was made.
National Vulnerability Database (NVD) is the U.S. government repository known software vulnerabilities. It provides comprehensive vulnerability information including CVE IDs, CVSS scores, and affected software configurations. The NVD is maintained by NIST.
Why it matters: The NVD is one of the primary vulnerability data sources used by Grype. Syft also uses the NVD’s CPE dictionary to generate CPEs for packages, enabling accurate vulnerability matching.
External resources:
Related documentation: Vulnerability Scanning
Open Container Initiative (OCI) is an open governance structure for creating industry standards around container formats and runtimes. The OCI Image Specification defines the standard format for container images, ensuring interoperability across different container tools and platforms.
Why it matters: Syft and Grype work with OCI-compliant images from any registry (Docker Hub, GitHub Container Registry, Amazon ECR, etc.), not just Docker images. They can read images in OCI layout format directly from disk.
External resources:
A bundle of software that can be installed and managed by a package manager. Packages typically include the software itself, metadata (like version and dependencies), and installation instructions. Packages are the fundamental units tracked in an SBOM.
Why it matters: Every entry in a Syft-generated SBOM represents a package. Grype matches packages against vulnerability data to find security issues. Understanding what constitutes a “package” in different ecosystems helps you interpret SBOM contents.
A tool that automates the process of installing, upgrading, configuring, and removing software packages. Examples include npm, pip, apt, yum, and Maven. Package managers maintain repositories of available packages and handle dependency resolution.
Why it matters: Syft discovers packages by reading package manager metadata files (like package.json, requirements.txt, or /var/lib/dpkg/status).
Each package manager stores information differently, which is why Syft needs ecosystem-specific catalogers.
Information about the origin and build process of a software artifact, including who built it, when, from what source code, and using what tools. Build provenance helps verify that software was built as expected and hasn’t been tampered with.
Why it matters: SBOMs generated by Syft during builds can be combined with provenance information to create comprehensive supply chain attestations, enabling you to verify both what’s in your software and how it was built.
External resources:
Package URL (PURL) is a standardized way to identify and locate software packages across different package managers and ecosystems. PURLs provide a uniform identifier that works across different systems.
Format: pkg:type/namespace/name@version?qualifiers#subpath
Example: pkg:npm/lodash@4.17.21
Why it matters: Syft generates PURLs for all discovered packages, and Grype uses PURLs as one of the primary identifiers for vulnerability matching. PURLs provide a consistent way to refer to packages across different SBOM formats.
External resources:
Related documentation: Working with Syft JSON
In Syft’s JSON output, relationships describe connections between artifacts (packages), files, and sources (what was scanned). For example, a relationship might indicate that a file is “contained-by” a package, or that one package “depends-on” another.
Why it matters: Relationships provide the graph structure of your software, showing not just what packages exist but how they’re connected. This is essential for understanding dependency chains and reachability analysis.
Related documentation: Working with Syft JSON
Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and modules that make up a piece of software. Like a list of ingredients on food packaging, an SBOM provides transparency into what’s included in your software, enabling security analysis, license compliance, and supply chain risk management.
Why it matters: Syft generates SBOMs that you can use with Grype for vulnerability scanning, share with customers for transparency, or use for license compliance. SBOMs are becoming required by regulations and standards like Executive Order 14028.
External resources:
Related documentation: SBOM Generation
A classification of how serious a vulnerability is, typically based on CVSS scores. Common severity levels are Critical, High, Medium, Low, and Negligible (or None).
Why it matters: Grype reports vulnerability severity to help you prioritize remediation efforts. You can filter Grype output by severity (e.g., --fail-on high to fail CI builds for high or critical vulnerabilities).
Related documentation: Vulnerability Scanning
The software supply chain encompasses all the components, processes, and steps involved in creating, building, and delivering software. This includes source code, dependencies, build tools, CI/CD pipelines, and distribution mechanisms. Securing the software supply chain helps prevent attacks that target the development and delivery process.
Why it matters: Syft and Grype are key tools in supply chain security. Syft provides visibility into what’s in your software (SBOM), and Grype identifies known vulnerabilities, helping you secure each link in the chain.
In Syft’s JSON output, the “source” object describes what was scanned—whether it was a container image, directory, file archive, or other input. It includes details like image name, digest, and tags.
Why it matters: The source information helps you correlate SBOMs with specific artifacts, especially important when tracking multiple image versions or builds.
Related documentation: Working with Syft JSON
Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. SPDX is an ISO/IEC standard (ISO/IEC 5962:2021) and supports multiple formats including JSON, YAML, XML, and tag-value.
Why it matters: Syft can generate SBOMs in SPDX format (-o spdx-json or -o spdx-tag-value), which is widely supported by compliance tools and required by many organizations and regulations.
Grype can also scan SPDX SBOMs for vulnerabilities.
External resources:
Related documentation: SBOM Generation
The “squashed” view of a container image represents the final filesystem that would be visible if you ran the container. It’s the result of applying all image layers in sequence, where later layers can override or delete files from earlier layers.
Why it matters: Syft scans the squashed view by default (what you actually run), but you can use --scope all-layers to also see packages that existed in intermediate layers but were deleted before the final image.
Related documentation: SBOM Generation
Vulnerability Exploitability eXchange (VEX) is a series of formats for communicating information about the exploitability status of vulnerabilities in software products. VEX documents allow software vendors to provide context about whether identified vulnerabilities actually affect their product, helping users prioritize remediation efforts.
Why it matters: Grype can consume VEX documents to suppress false positives or provide additional context about vulnerabilities. When Grype reports a vulnerability that doesn’t actually affect your application, you can create a VEX document explaining why it’s not exploitable.
External resources:
Related documentation: Vulnerability Scanning
A security weakness, flaw, or defect in software that can be exploited by an attacker to perform unauthorized actions, compromise systems, steal data, or cause harm. Vulnerabilities can arise from coding errors, design flaws, misconfigurations, or outdated dependencies with known security issues.
Not all vulnerabilities affect all users of a package. Whether a vulnerability impacts you depends on:
Why it matters: Grype identifies vulnerabilities in the packages discovered by Syft, enabling you to find and fix security issues before they can be exploited. Not all vulnerabilities are equally serious—use severity ratings (CVSS) and exploitation probability (EPSS) to prioritize fixes. Understanding the context of a vulnerability helps you assess real risk rather than just responding to every CVE.
External resources:
Related documentation: Vulnerability Scanning
A repository of known security vulnerabilities, their affected software versions, severity scores, and remediation information. Vulnerability databases aggregate data from multiple sources like NVD, security advisories, and vendor bulletins.
Why it matters: Grype downloads and maintains a local vulnerability database that’s updated daily. The database quality directly impacts scan accuracy—Grype uses curated, high-quality data from multiple providers to minimize false positives and false negatives.
Related documentation: Vulnerability Database
A tool that identifies known security vulnerabilities in software by comparing components against vulnerability databases. Vulnerability scanners like Grype analyze software artifacts (container images, filesystems, or SBOMs) and report potential security issues that should be addressed.
Why it matters: Grype is a vulnerability scanner that works seamlessly with Syft-generated SBOMs. You can scan images directly with Grype, or generate an SBOM with Syft first and scan it separately, enabling workflows where SBOMs are generated once and scanned multiple times as new vulnerabilities are discovered.
Related documentation: Vulnerability Scanning