Reference
1 - Syft Command Line Reference
Note
This documentation was generated with Syft version 1.38.0.
Generate a package-based Software Bill Of Materials (SBOM) from container images and filesystems
Usage:
syft [SOURCE] [flags]
syft [command]
Examples:
syft scan alpine:latest a summary of discovered packages
syft scan alpine:latest -o json show all possible cataloging details
syft scan alpine:latest -o cyclonedx show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx-json show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o spdx show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx@2.2 show a SPDX 2.2 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx-json show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json@2.2 show a SPDX 2.2 JSON formatted SBOM
syft scan alpine:latest -vv show verbose debug information
syft scan alpine:latest -o template -t my_format.tmpl show a SBOM formatted according to given template file
Supports the following image sources:
syft scan yourrepo/yourimage:tag defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
syft scan path/to/a/file/or/dir a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
syft scan docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft scan podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft scan registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft scan docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft scan oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft scan oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft scan singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
syft scan dir:path/to/yourproject read directly from a path on disk (any directory)
syft scan file:path/to/yourproject/file read directly from a path on disk (any single file)
Available Commands:
attest Generate an SBOM as an attestation for the given [SOURCE] container image
cataloger Show available catalogers and configuration
completion Generate the autocompletion script for the specified shell
config show the syft configuration
convert Convert between SBOM formats
help Help about any command
login Log in to a registry
scan Generate an SBOM
version show version information
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
-c, --config stringArray syft configuration file(s) to use
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
--exclude stringArray exclude paths from being scanned using a glob expression
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for syft
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--profile stringArray configuration profiles to use
-q, --quiet suppress all logging output
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
-t, --template string specify the path to a Go template file
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for syft
Use "syft [command] --help" for more information about a command.
syft attest
Generate a package-based Software Bill Of Materials (SBOM) from a container image as the predicate of an in-toto attestation that will be uploaded to the image registry.
Usage:
syft attest --output [FORMAT] <IMAGE> [flags]
Examples:
syft attest --output [FORMAT] alpine:latest defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry
You can also explicitly specify the scheme to use:
syft attest docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft attest podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft attest registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft attest docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft attest oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft attest oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft attest singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
--exclude stringArray exclude paths from being scanned using a glob expression
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for attest
-k, --key string the key to use for the attestation
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-json])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
syft cataloger list
List available catalogers.
Usage:
syft cataloger list [OPTIONS] [flags]
Flags:
-h, --help help for list
-o, --output string format to output the cataloger list (available: table, json)
--override-default-catalogers stringArray override the default catalogers with an expression (default [all])
--select-catalogers stringArray select catalogers with an expression
-s, --show-hidden show catalogers that have been de-selected
syft config
Show the syft configuration.
Usage:
syft config [flags]
syft config [command]
Available Commands:
locations shows all locations and the order in which syft will look for a configuration file
Flags:
-h, --help help for config
--load load and validate the syft configuration
syft convert
[Experimental] Convert SBOM files to, and from, SPDX, CycloneDX and Syft’s format. For more info about data loss between formats see https://github.com/anchore/syft/wiki/format-conversion.
Usage:
syft convert [SOURCE-SBOM] -o [FORMAT] [flags]
Examples:
syft convert img.syft.json -o spdx-json convert a syft SBOM to spdx-json, output goes to stdout
syft convert img.syft.json -o cyclonedx-json=img.cdx.json convert a syft SBOM to CycloneDX, output is written to the file "img.cdx.json"
syft convert - -o spdx-json convert an SBOM from STDIN to spdx-json
Flags:
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
-h, --help help for convert
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
-t, --template string specify the path to a Go template file
syft login
Log in to a registry. Prefer --password-stdin over -p so the password does not end up in shell history or in the process list visible to other users; credentials can also be supplied through the registry.auth section of the configuration file or the SYFT_REGISTRY_AUTH_* environment variables.
Usage:
syft login [OPTIONS] [SERVER] [flags]
Examples:
# Log in to reg.example.com
syft login reg.example.com -u AzureDiamond -p hunter2
Flags:
-h, --help help for login
-p, --password string Password
--password-stdin Take the password from stdin
-u, --username string Username
syft scan
Generate a package-based Software Bill Of Materials (SBOM) from container images and filesystems.
Usage:
syft scan [SOURCE] [flags]
Examples:
syft scan alpine:latest a summary of discovered packages
syft scan alpine:latest -o json show all possible cataloging details
syft scan alpine:latest -o cyclonedx show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx-json show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o spdx show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx@2.2 show a SPDX 2.2 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx-json show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json@2.2 show a SPDX 2.2 JSON formatted SBOM
syft scan alpine:latest -vv show verbose debug information
syft scan alpine:latest -o template -t my_format.tmpl show a SBOM formatted according to given template file
Supports the following image sources:
syft scan yourrepo/yourimage:tag defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
syft scan path/to/a/file/or/dir a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
syft scan docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft scan podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft scan registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft scan docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft scan oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft scan oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft scan singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
syft scan dir:path/to/yourproject read directly from a path on disk (any directory)
syft scan file:path/to/yourproject/file read directly from a path on disk (any single file)
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript, python)
--exclude stringArray exclude paths from being scanned using a glob expression
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for scan
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
-t, --template string specify the path to a Go template file
syft version
Show version information.
Usage:
syft version [flags]
Flags:
-h, --help help for version
-o, --output string the format to show the results (allowable: [text json]) (default "text")
2 - Syft Configuration Reference
Note
This documentation was generated with Syft version 1.38.0.
Syft searches for configuration files in the following locations, in order:
- ./.syft.yaml - current working directory
- ./.syft/config.yaml - app subdirectory in current working directory
- ~/.syft.yaml - home directory
- $XDG_CONFIG_HOME/syft/config.yaml - XDG config directory
The configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
For general information about how config and environment variables are handled, see the Configuration Reference section.
log:
# suppress all logging output (env: SYFT_LOG_QUIET)
quiet: false
# increase verbosity (-v = info, -vv = debug) (env: SYFT_LOG_VERBOSITY)
verbosity: 0
# explicitly set the logging level (available: [error warn info debug trace]) (env: SYFT_LOG_LEVEL)
level: "warn"
# file path to write logs to (env: SYFT_LOG_FILE)
file: ""
dev:
# capture resource profiling data (available: [cpu, mem]) (env: SYFT_DEV_PROFILE)
profile: ""
# the configuration file(s) used to load application configuration (env: SYFT_CONFIG)
config: ""
# the output format(s) of the SBOM report (options: syft-table, syft-text, syft-json, spdx-json, ...)
# to specify multiple output files in differing formats, use a list:
# output:
# - "syft-json=<syft-json-output-file>"
# - "spdx-json=<spdx-json-output-file>" (env: SYFT_OUTPUT)
output:
- "syft-table"
# file to write the default report output to (default is STDOUT) (env: SYFT_LEGACYFILE)
legacyFile: ""
format:
# default value for all formats that support the "pretty" option (default is unset) (env: SYFT_FORMAT_PRETTY)
pretty:
template:
# path to the template file to use when rendering the output with the template output format.
# Note that all template paths are based on the current syft-json schema (env: SYFT_FORMAT_TEMPLATE_PATH)
path: ""
# if true, uses the go structs for the syft-json format for templating.
# if false, uses the syft-json output for templating (which follows the syft JSON schema exactly).
#
# Note: long term support for this option is not guaranteed (it may change or break at any time) (env: SYFT_FORMAT_TEMPLATE_LEGACY)
legacy: false
json:
# transform any syft-json output to conform to an approximation of the v11.0.1 schema. This includes:
# - using the package metadata type names from before v12 of the JSON schema (changed in https://github.com/anchore/syft/pull/1983)
#
# Note: this will still include package types and fields that were added at or after json schema v12. This means
# that output might not strictly be json schema v11 compliant, however, for consumers that require time to port
# over to the final syft 1.0 json output this option can be used to ease the transition.
#
# Note: long term support for this option is not guaranteed (it may change or break at any time) (env: SYFT_FORMAT_JSON_LEGACY)
legacy: false
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_JSON_PRETTY)
pretty:
spdx-json:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_SPDX_JSON_PRETTY)
pretty:
cyclonedx-json:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_CYCLONEDX_JSON_PRETTY)
pretty:
cyclonedx-xml:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_CYCLONEDX_XML_PRETTY)
pretty:
# whether to check for an application update on start up or not (env: SYFT_CHECK_FOR_APP_UPDATE)
check-for-app-update: true
# enable one or more package catalogers (env: SYFT_CATALOGERS)
catalogers: []
# set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source) (env: SYFT_DEFAULT_CATALOGERS)
default-catalogers: []
# add, remove, and filter the catalogers to be used (env: SYFT_SELECT_CATALOGERS)
select-catalogers: []
package:
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
# note: for now this only applies to the java package cataloger (env: SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES)
search-unindexed-archives: false
# search within archives that do contain a file index to search against (zip)
# note: for now this only applies to the java package cataloger (env: SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES)
search-indexed-archives: true
# allows users to exclude synthetic binary packages from the sbom
# these packages are removed if an overlap with a non-synthetic package is found (env: SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
exclude-binary-overlap-by-ownership: true
license:
# include the content of licenses in the SBOM for a given syft scan; valid values are: [all unknown none] (env: SYFT_LICENSE_CONTENT)
content: "none"
# adjust the percent as a fraction of the total text, in normalized words, that
# matches any valid license for the given inputs, expressed as a percentage across all of the licenses matched. (env: SYFT_LICENSE_COVERAGE)
coverage: 75
file:
metadata:
# select which files should be captured by the file-metadata cataloger and included in the SBOM.
# Options include:
# - "all": capture all files from the search space
# - "owned-by-package": capture only files owned by packages
# - "none", "": do not capture any files (env: SYFT_FILE_METADATA_SELECTION)
selection: "owned-by-package"
# the file digest algorithms to use when cataloging files (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_FILE_METADATA_DIGESTS)
digests:
- "sha1"
- "sha256"
content:
# skip searching a file entirely if it is above the given size (unit = bytes; the shipped default below is 256000, roughly 250 KB) (env: SYFT_FILE_CONTENT_SKIP_FILES_ABOVE_SIZE)
skip-files-above-size: 256000
# file globs for the cataloger to match on (env: SYFT_FILE_CONTENT_GLOBS)
globs: []
executable:
# file globs for the cataloger to match on (env: SYFT_FILE_EXECUTABLE_GLOBS)
globs: []
# selection of layers to catalog, options=[squashed all-layers deep-squashed] (env: SYFT_SCOPE)
scope: "squashed"
# number of cataloger workers to run in parallel
# by default, when set to 0: this will be based on runtime.NumCPU * 4, if set to less than 0 it will be unbounded (env: SYFT_PARALLELISM)
parallelism: 0
relationships:
# include package-to-file relationships that indicate which files are owned by which packages (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP)
package-file-ownership: true
# include package-to-package relationships that indicate one package is owned by another: files claimed by one package are also evidence of another package's existence (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP_OVERLAP)
package-file-ownership-overlap: true
compliance:
# action to take when a package is missing a name (env: SYFT_COMPLIANCE_MISSING_NAME)
missing-name: "drop"
# action to take when a package is missing a version (env: SYFT_COMPLIANCE_MISSING_VERSION)
missing-version: "stub"
# Enable data enrichment operations, which can utilize services such as Maven Central and NPM.
# By default all enrichment is disabled, use: all to enable everything.
# Available options are: all, golang, java, javascript, python (env: SYFT_ENRICH)
enrich: []
dotnet:
# only keep deps.json packages for which an executable (DLL) is found on disk. The package is also included if a DLL is found for any child package, even if the package itself does not have a DLL. (env: SYFT_DOTNET_DEP_PACKAGES_MUST_HAVE_DLL)
dep-packages-must-have-dll: false
# only keep deps.json packages which have a runtime/resource DLL claimed in the deps.json targets section (but not necessarily found on disk). The package is also included if any child package claims a DLL, even if the package itself does not claim a DLL. (env: SYFT_DOTNET_DEP_PACKAGES_MUST_CLAIM_DLL)
dep-packages-must-claim-dll: true
# treat DLL claims or on-disk evidence for child packages as DLL claims or on-disk evidence for any parent package (env: SYFT_DOTNET_PROPAGATE_DLL_CLAIMS_TO_PARENTS)
propagate-dll-claims-to-parents: true
# show all packages from the deps.json if bundling tooling is present as a dependency (e.g. ILRepack) (env: SYFT_DOTNET_RELAX_DLL_CLAIMS_WHEN_BUNDLING_DETECTED)
relax-dll-claims-when-bundling-detected: true
golang:
# search for go package licences in the GOPATH of the system running Syft, note that this is outside the
# container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES)
search-local-mod-cache-licenses:
# specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod (env: SYFT_GOLANG_LOCAL_MOD_CACHE_DIR)
local-mod-cache-dir: "~/go/pkg/mod"
# search for go package licences in the vendor folder on the system running Syft, note that this is outside the
# container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_VENDOR_LICENSES)
search-local-vendor-licenses:
# specify an explicit go vendor directory, if unset this defaults to ./vendor (env: SYFT_GOLANG_LOCAL_VENDOR_DIR)
local-vendor-dir: ""
# search for go package licences by retrieving the package from a network proxy (env: SYFT_GOLANG_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# remote proxy to use when retrieving go packages from the network,
# if unset this defaults to $GOPROXY followed by https://proxy.golang.org (env: SYFT_GOLANG_PROXY)
proxy: "https://proxy.golang.org,direct"
# specifies packages which should not be fetched by proxy
# if unset this defaults to $GONOPROXY (env: SYFT_GOLANG_NO_PROXY)
no-proxy: ""
main-module-version:
# look for LD flags that appear to be setting a version (e.g. -X main.version=1.0.0) (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_LD_FLAGS)
from-ld-flags: true
# search for semver-like strings in the binary contents (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_CONTENTS)
from-contents: false
# use the build settings (e.g. vcs.version & vcs.time) to craft a v0 pseudo version
# (e.g. v0.0.0-20220308212642-53e6d0aaf6fb) when a more accurate version cannot be found otherwise (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_BUILD_SETTINGS)
from-build-settings: true
java:
# enables Syft to use the network to fetch version and license information for packages when
# a parent or imported pom file is not found in the local maven repository.
# the pom files are downloaded from the remote Maven repository at 'maven-url' (env: SYFT_JAVA_USE_NETWORK)
use-network:
# use the local Maven repository to retrieve pom files. When Maven is installed and was previously used
# for building the software that is being scanned, then most pom files will be available in this
# repository on the local file system. this greatly speeds up scans. when all pom files are available
# in the local repository, then 'use-network' is not needed.
# TIP: If you want to download all required pom files to the local repository without running a full
# build, run 'mvn help:effective-pom' before performing the scan with syft. (env: SYFT_JAVA_USE_MAVEN_LOCAL_REPOSITORY)
use-maven-local-repository:
# override the default location of the local Maven repository.
# the default is the subdirectory '.m2/repository' in your home directory (env: SYFT_JAVA_MAVEN_LOCAL_REPOSITORY_DIR)
maven-local-repository-dir: "~/.m2/repository"
# maven repository to use, defaults to Maven central (env: SYFT_JAVA_MAVEN_URL)
maven-url: "https://repo1.maven.org/maven2"
# depth to recursively resolve parent POMs, no limit if <= 0 (env: SYFT_JAVA_MAX_PARENT_RECURSIVE_DEPTH)
max-parent-recursive-depth: 0
# resolve transitive dependencies such as those defined in a dependency's POM on Maven central (env: SYFT_JAVA_RESOLVE_TRANSITIVE_DEPENDENCIES)
resolve-transitive-dependencies: false
javascript:
# enables Syft to use the network to fill in more detailed license information (env: SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# base NPM url to use (env: SYFT_JAVASCRIPT_NPM_BASE_URL)
npm-base-url: ""
# include development-scoped dependencies (env: SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES)
include-dev-dependencies:
linux-kernel:
# whether to catalog linux kernel modules found within lib/modules/** directories (env: SYFT_LINUX_KERNEL_CATALOG_MODULES)
catalog-modules: true
nix:
# enumerate all files owned by packages found within Nix store paths (env: SYFT_NIX_CAPTURE_OWNED_FILES)
capture-owned-files: false
python:
# enables Syft to use the network to fill in more detailed license information (env: SYFT_PYTHON_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# base Pypi url to use (env: SYFT_PYTHON_PYPI_BASE_URL)
pypi-base-url: ""
# when running across entries in requirements.txt that do not specify a specific version
# (e.g. "sqlalchemy >= 1.0.0, <= 2.0.0, != 3.0.0, <= 3.0.0"), attempt to guess what the version could
# be based on the version requirements specified (e.g. "1.0.0"). When enabled the lowest expressible version
# when given an arbitrary constraint will be used (even if that version may not be available/published). (env: SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS)
guess-unpinned-requirements:
registry:
# skip TLS verification when communicating with the registry (env: SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
insecure-skip-tls-verify: false
# use http instead of https when connecting to the registry (env: SYFT_REGISTRY_INSECURE_USE_HTTP)
insecure-use-http: false
# Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
# - authority: the registry authority, i.e. the host[:port] of the registry (e.g. "docker.io", "localhost:5000") (env: SYFT_REGISTRY_AUTH_AUTHORITY)
# username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
# password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
# token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
# tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
# tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
auth: []
# filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: SYFT_REGISTRY_CA_CERT)
ca-cert: ""
# specify the source behavior to use (e.g. docker, registry, oci-dir, ...) (env: SYFT_FROM)
from: []
# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: SYFT_PLATFORM)
platform: ""
source:
# set the name of the target being analyzed (env: SYFT_SOURCE_NAME)
name: ""
# set the version of the target being analyzed (env: SYFT_SOURCE_VERSION)
version: ""
# the organization that supplied the component, which often may be the manufacturer, distributor, or repackager (env: SYFT_SOURCE_SUPPLIER)
supplier: ""
# (env: SYFT_SOURCE_SOURCE)
source: ""
# base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory (env: SYFT_SOURCE_BASE_PATH)
base-path: ""
file:
# the file digest algorithms to use on the scanned file (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_SOURCE_FILE_DIGESTS)
digests:
- "SHA-256"
image:
# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman (env: SYFT_SOURCE_IMAGE_DEFAULT_PULL_SOURCE)
default-pull-source: ""
# (env: SYFT_SOURCE_IMAGE_MAX_LAYER_SIZE)
max-layer-size: ""
# exclude paths from being scanned using a glob expression (env: SYFT_EXCLUDE)
exclude: []
unknowns:
# remove unknown errors on files with discovered packages (env: SYFT_UNKNOWNS_REMOVE_WHEN_PACKAGES_DEFINED)
remove-when-packages-defined: true
# include executables without any identified packages (env: SYFT_UNKNOWNS_EXECUTABLES_WITHOUT_PACKAGES)
executables-without-packages: true
# include archives which were not expanded and searched (env: SYFT_UNKNOWNS_UNEXPANDED_ARCHIVES)
unexpanded-archives: true
cache:
# root directory to cache any downloaded content; empty string will use an in-memory cache (env: SYFT_CACHE_DIR)
dir: "~/.cache/syft"
# time to live for cached data; setting this to 0 will disable caching entirely (env: SYFT_CACHE_TTL)
ttl: "7d"
# show catalogers that have been de-selected (env: SYFT_SHOW_HIDDEN)
show-hidden: false
attest:
# the key to use for the attestation (env: SYFT_ATTEST_KEY)
key: ""
# password to decrypt the given private key
# additionally responds to COSIGN_PASSWORD env var (env: SYFT_ATTEST_PASSWORD)
password: ""
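The configuration above carries two kinds of values that should not be committed alongside the rest: registry credentials (registry.auth) and the attestation key password (attest.password), both of which also have an environment-variable form. The following added example (not part of Syft) shows how the SYFT_* names are derived from the config keys, moves the secrets into an environment dict so the file itself can be committed, and flags the two registry settings that disable transport security. The naming rule is read off the (env: ...) annotations in this reference; mapping a single registry.auth entry onto SYFT_REGISTRY_AUTH_* follows the same annotations, while more than one entry has no env form here and stays in the file. The checks in check_registry are this example's own policy, and the config it walks is constructed inline.

```python
"""Keep secrets out of .syft.yaml: derive the SYFT_* variable name for any
config key, move passwords/tokens into an environment dict, and check the
registry section for settings that weaken transport security.

Added example for this page, not part of Syft. Naming rule: path segments
joined with '_', '-' replaced by '_', upper-cased, e.g.
format.cyclonedx-json.pretty -> SYFT_FORMAT_CYCLONEDX_JSON_PRETTY.
"""
from typing import Any, Dict, Iterator, List, Tuple

SECRET_KEYS = {"password", "token"}  # values that must never be written to disk


def env_name(*path: str) -> str:
    """Config path -> SYFT_* variable, e.g. ("attest", "password") -> SYFT_ATTEST_PASSWORD."""
    return "SYFT_" + "_".join(seg.replace("-", "_").upper() for seg in path)


def _walk(cfg: Dict[str, Any], prefix: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (path, value) for every leaf of a nested config dict; lists are leaves."""
    for key, value in cfg.items():
        if isinstance(value, dict):
            yield from _walk(value, prefix + (key,))
        else:
            yield prefix + (key,), value


def split_secrets(cfg: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Return (config safe to commit, env dict carrying the secrets)."""
    clean: Dict[str, Any] = {}
    env: Dict[str, str] = {}
    for path, value in _walk(cfg):
        if path == ("registry", "auth") and isinstance(value, list) and len(value) == 1:
            # one auth entry: export every field, so the file holds no credential at all
            for field, field_value in value[0].items():
                env[env_name("registry", "auth", field)] = str(field_value)
            continue
        if path[-1] in SECRET_KEYS and isinstance(value, str) and value:
            env[env_name(*path)] = value
            continue
        node = clean
        for seg in path[:-1]:
            node = node.setdefault(seg, {})
        node[path[-1]] = value
    return clean, env


def check_registry(cfg: Dict[str, Any]) -> List[str]:
    """Findings about the registry section that a reviewer should block on (example policy)."""
    findings: List[str] = []
    reg = cfg.get("registry", {})
    if reg.get("insecure-skip-tls-verify"):
        findings.append("registry.insecure-skip-tls-verify=true: the registry certificate is not "
                        "verified, so an on-path attacker can serve a tampered image")
    if reg.get("insecure-use-http"):
        findings.append("registry.insecure-use-http=true: credentials and layers travel in cleartext")
    for entry in reg.get("auth", []):
        authority = entry.get("authority", "?")
        if entry.get("password") and entry.get("token"):
            findings.append(f"registry.auth[{authority}]: password and token are mutually exclusive")
        if entry.get("password") or entry.get("token"):
            findings.append(f"registry.auth[{authority}]: secret stored inline; use "
                            "SYFT_REGISTRY_AUTH_PASSWORD or SYFT_REGISTRY_AUTH_TOKEN instead")
    return findings


if __name__ == "__main__":
    # constructed config for a private registry and a password-protected attestation key
    config = {
        "registry": {"insecure-skip-tls-verify": True, "insecure-use-http": False,
                     "auth": [{"authority": "registry.example.internal", "username": "ci",
                               "password": "hunter2"}]},
        "attest": {"key": "cosign.key", "password": "k3y-pass"},
        "format": {"cyclonedx-json": {"pretty": True}},
    }
    for finding in check_registry(config):
        print("FINDING:", finding)
    safe_config, secret_env = split_secrets(config)
    print("write to .syft.yaml:", safe_config)
    print("export in CI:", sorted(secret_env))
```

Run it once over your real config before committing the file: the cleaned dict is what goes into .syft.yaml, and the env dict is what the CI secret store should inject at scan time.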
3 - JSON Schema
3.1 - Syft v16 JSON Schema Reference
Schema version: 16.1.0
Document
Represents the syft cataloging findings as a JSON document
| Field Name | Type |
|---|---|
| artifacts | Array<Package> |
| artifactRelationships | Array<Relationship> |
| files | Array<File> |
| source | Source |
| distro | LinuxRelease |
| descriptor | Descriptor |
| schema | Schema |
Core Types
CPE
Represents a Common Platform Enumeration identifier used for matching packages to known vulnerabilities in security databases.
| Field Name | Type | Description |
|---|---|---|
| cpe | str | Value is the CPE string identifier. |
| source | str | Source is the source where this CPE was obtained or generated from. |
ClassifierMatch
Represents a single matched value within a binary file and the "class" name the search pattern represents.
| Field Name | Type |
|---|---|
| classifier | str |
| location | Location |
Coordinates
Contains the minimal information needed to describe how to find a file within any possible source object (e.g.
| Field Name | Type | Description |
|---|---|---|
| path | str | RealPath is the canonical absolute form of the path accessed (all symbolic links have been followed and relative path components like '.' and '..' have been removed). |
| layerID | str | FileSystemID is an ID representing an entire filesystem. For container images, this is a layer digest. For directories or a root filesystem, this is blank. |
Descriptor
Identifies the tool that generated this SBOM document, including its name, version, and configuration used during catalog generation.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the name of the tool that generated this SBOM (e.g., "syft"). |
version | str | Version is the version of the tool that generated this SBOM. |
configuration | unknown | Configuration contains the tool configuration used during SBOM generation. |
Digest
Represents a cryptographic hash of file contents.
| Field Name | Type | Description |
|---|---|---|
algorithm | str | Algorithm specifies the hash algorithm used (e.g., "sha256", "md5"). |
value | str | Value is the hexadecimal string representation of the hash. |
ELFSecurityFeatures
Captures security hardening and protection mechanisms in ELF binaries.
| Field Name | Type | Description |
|---|---|---|
symbolTableStripped | bool | SymbolTableStripped indicates whether debugging symbols have been removed. |
stackCanary | bool | StackCanary indicates whether stack smashing protection is enabled. |
nx | bool | NoExecutable indicates whether NX (no-execute) protection is enabled for the stack. |
relRO | str | RelocationReadOnly indicates the RELRO protection level. |
pie | bool | PositionIndependentExecutable indicates whether the binary is compiled as PIE. |
dso | bool | DynamicSharedObject indicates whether the binary is a shared library. |
safeStack | bool | LlvmSafeStack represents a compiler-based security mechanism that separates the stack into a safe stack for storing return addresses and other critical data, and an unsafe stack for everything else, to mitigate stack-based memory corruption errors see https://clang.llvm.org/docs/SafeStack.html |
cfi | bool | ControlFlowIntegrity represents runtime checks to ensure a program's control flow adheres to the legal paths determined at compile time, thus protecting against various types of control-flow hijacking attacks see https://clang.llvm.org/docs/ControlFlowIntegrity.html |
fortify | bool | ClangFortifySource is a broad suite of extensions to libc aimed at catching misuses of common library functions see https://android.googlesource.com/platform//bionic/+/d192dbecf0b2a371eb127c0871f77a9caf81c4d2/docs/clang_fortify_anatomy.md |
Executable
Contains metadata about binary files and their security features.
| Field Name | Type | Description |
|---|---|---|
format | str | Format denotes either ELF, Mach-O, or PE |
hasExports | bool | HasExports indicates whether the binary exports symbols. |
hasEntrypoint | bool | HasEntrypoint indicates whether the binary has an entry point function. |
importedLibraries | Array<str> | ImportedLibraries lists the shared libraries required by this executable. |
elfSecurityFeatures | ELFSecurityFeatures | ELFSecurityFeatures contains ELF-specific security hardening information when Format is ELF. |
File
Represents a file discovered during cataloging with its metadata, content digests, licenses, and relationships to packages.
| Field Name | Type | Description |
|---|---|---|
id | str | ID is a unique identifier for this file within the SBOM. |
location | Coordinates | Location is the file path and layer information where this file was found. |
metadata | FileMetadataEntry | Metadata contains filesystem metadata such as permissions, ownership, and file type. |
contents | str | Contents is the file contents for small files. |
digests | Array<Digest> | Digests contains cryptographic hashes of the file contents. |
licenses | Array<FileLicense> | Licenses contains license information discovered within this file. |
executable | Executable | Executable contains executable metadata if this file is a binary. |
unknowns | Array<str> | Unknowns contains unknown fields for forward compatibility. |
FileLicense
Represents license information discovered within a file's contents or metadata, including the matched license text and SPDX expression.
| Field Name | Type | Description |
|---|---|---|
value | str | Value is the raw license identifier or text as found in the file. |
spdxExpression | str | SPDXExpression is the parsed SPDX license expression. |
type | str | Type is the license type classification (e.g., declared, concluded, discovered). |
evidence | FileLicenseEvidence | Evidence contains supporting evidence for this license detection. |
FileLicenseEvidence
Contains supporting evidence for a license detection in a file, including the byte offset, extent, and confidence level.
| Field Name | Type | Description |
|---|---|---|
confidence | int | Confidence is the confidence score for this license detection (0-100). |
offset | int | Offset is the byte offset where the license text starts in the file. |
extent | int | Extent is the length of the license text in bytes. |
FileMetadataEntry
Contains filesystem-level metadata attributes such as permissions, ownership, type, and size for a cataloged file.
| Field Name | Type | Description |
|---|---|---|
mode | int | Mode is the Unix file permission mode in octal format. |
type | str | Type is the file type (e.g., "RegularFile", "Directory", "SymbolicLink"). |
linkDestination | str | LinkDestination is the target path for symbolic links. |
userID | int | UserID is the file owner user ID. |
groupID | int | GroupID is the file owner group ID. |
mimeType | str | MIMEType is the MIME type of the file contents. |
size | int | Size is the file size in bytes. |
KeyValue
Represents a single key-value pair.
| Field Name | Type | Description |
|---|---|---|
key | str | Key is the key name |
value | str | Value is the value associated with the key |
License
Represents software license information discovered for a package, including SPDX expressions and supporting evidence locations.
| Field Name | Type | Description |
|---|---|---|
value | str | Value is the raw license identifier or expression as found. |
spdxExpression | str | SPDXExpression is the parsed SPDX license expression. |
type | str | Type is the license type classification (e.g., declared, concluded, discovered). |
urls | Array<str> | URLs are URLs where license text or information can be found. |
locations | Array<Location> | Locations are file locations where this license was discovered. |
contents | str | Contents is the full license text content. |
LinuxKernelModuleParameter
Represents a configurable parameter for a kernel module with its type and description.
| Field Name | Type | Description |
|---|---|---|
type | str | Type is parameter data type (e.g. int, string, bool, array types) |
description | str | Description is a human-readable parameter description explaining what the parameter controls |
LinuxRelease
Contains Linux distribution identification and version information extracted from /etc/os-release or similar system files.
| Field Name | Type | Description |
|---|---|---|
prettyName | str | PrettyName is a human-readable operating system name with version. |
name | str | Name is the operating system name without version information. |
id | str | ID is the lower-case operating system identifier (e.g., "ubuntu", "rhel"). |
idLike | IDLikes | IDLike is a list of operating system IDs this distribution is similar to or derived from. |
version | str | Version is the operating system version including codename if available. |
versionID | str | VersionID is the operating system version number or identifier. |
versionCodename | str | VersionCodename is the operating system release codename (e.g., "jammy", "bullseye"). |
buildID | str | BuildID is a build identifier for the operating system. |
imageID | str | ImageID is an identifier for container or cloud images. |
imageVersion | str | ImageVersion is the version for container or cloud images. |
variant | str | Variant is the operating system variant name (e.g., "Server", "Workstation"). |
variantID | str | VariantID is the lower-case operating system variant identifier. |
homeURL | str | HomeURL is the homepage URL for the operating system. |
supportURL | str | SupportURL is the support or help URL for the operating system. |
bugReportURL | str | BugReportURL is the bug reporting URL for the operating system. |
privacyPolicyURL | str | PrivacyPolicyURL is the privacy policy URL for the operating system. |
cpeName | str | CPEName is the Common Platform Enumeration name for the operating system. |
supportEnd | str | SupportEnd is the end of support date or version identifier. |
extendedSupport | bool | ExtendedSupport indicates whether extended security or support is available. |
Location
Represents a path relative to a particular filesystem resolved to a specific `file.Reference`.
| Field Name | Type | Description |
|---|---|---|
path | str | RealPath is the canonical absolute form of the path accessed (all symbolic links have been followed and relative path components like '.' and '..' have been removed). |
layerID | str | FileSystemID is an ID representing an entire filesystem. For container images, this is a layer digest. For directories or a root filesystem, this is blank. |
accessPath | str | AccessPath is the path used to retrieve file contents (which may or may not have hardlinks / symlinks in the path) |
annotations | obj |
Package
Represents a pkg.Package object specialized for JSON marshaling and unmarshalling.
| Field Name | Type |
|---|---|
id | str |
name | str |
version | str |
type | str |
foundBy | str |
locations | Array<Location> |
licenses | licenses |
language | str |
cpes | cpes |
purl | str |
metadataType | str |
metadata | see the Ecosystem Specific Types section |
PnpmLockResolution
Contains package resolution metadata from pnpm lockfiles, including the integrity hash used for verification.
| Field Name | Type | Description |
|---|---|---|
integrity | str | Integrity is Subresource Integrity hash for verification (SRI format) |
Relationship
Represents a directed relationship between two artifacts in the SBOM, such as package-contains-file or package-depends-on-package.
| Field Name | Type | Description |
|---|---|---|
parent | str | Parent is the ID of the parent artifact in this relationship. |
child | str | Child is the ID of the child artifact in this relationship. |
type | str | Type is the relationship type (e.g., "contains", "dependency-of", "ancestor-of"). |
metadata | unknown | Metadata contains additional relationship-specific metadata. |
Schema
Specifies the JSON schema version and URL reference that defines the structure and validation rules for this document format.
| Field Name | Type | Description |
|---|---|---|
version | str | Version is the JSON schema version for this document format. |
url | str | URL is the URL to the JSON schema definition document. |
Source
Represents the artifact that was analyzed to generate this SBOM, such as a container image, directory, or file archive.
| Field Name | Type | Description |
|---|---|---|
id | str | ID is a unique identifier for the analyzed source artifact. |
name | str | Name is the name of the analyzed artifact (e.g., image name, directory path). |
version | str | Version is the version of the analyzed artifact (e.g., image tag). |
supplier | str | Supplier is supplier information, which can be user-provided for NTIA minimum elements compliance. |
type | str | Type is the source type (e.g., "image", "directory", "file"). |
metadata | unknown | Metadata contains additional source-specific metadata. |
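As an added example (not Syft's own code and not part of this reference), the following Python consumes a document in the shape described above: it checks the schema major, recomputes each File's recorded digests against file contents, flags ELF binaries whose elfSecurityFeatures lack common protections, and follows "contains" relationships from Package to File. The sample SBOM, the file contents, the placeholder IDs/URL and the assumption that relRO is a string whose strongest level is "full" are all constructed for the example.

```python
"""Consumer-side checks over a Syft JSON document (schema 16.x).
Added example, not Syft's own code. SAMPLE_SBOM is constructed by hand and mirrors the
Document, File, Digest, ELFSecurityFeatures, Package and Relationship shapes above."""
import hashlib
import json
from typing import Dict, List

# Constructed sample document: only the fields the checks use; IDs, layer digest and URL are placeholders.
SAMPLE_SBOM = json.dumps({
    "schema": {"version": "16.1.0", "url": "https://schema.example.invalid/syft-16.1.0.json"},
    "source": {"id": "src-1", "type": "image", "name": "example/app", "version": "1.0"},
    "artifacts": [
        {"id": "pkg-1", "name": "busybox", "version": "1.36.1-r0", "type": "apk",
         "purl": "pkg:apk/alpine/busybox@1.36.1-r0", "locations": [], "licenses": [], "cpes": []},
    ],
    "files": [
        {"id": "file-1",
         "location": {"path": "/bin/busybox", "layerID": "sha256:LAYER-PLACEHOLDER"},
         # sha256("abc"); the constructed content for this path below really is b"abc"
         "digests": [{"algorithm": "sha256",
                      "value": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}],
         "executable": {
             "format": "ELF", "hasEntrypoint": True, "hasExports": False,
             "importedLibraries": ["libc.musl-x86_64.so.1"],
             "elfSecurityFeatures": {
                 "symbolTableStripped": True, "stackCanary": False, "nx": True,
                 "relRO": "partial", "pie": True, "dso": False,
                 "safeStack": False, "cfi": False, "fortify": False}}},
        {"id": "file-2",
         "location": {"path": "/etc/motd", "layerID": ""},
         # deliberately wrong md5 so the digest check has something to report
         "digests": [{"algorithm": "md5", "value": "0" * 32}]},
    ],
    "artifactRelationships": [{"parent": "pkg-1", "child": "file-1", "type": "contains"}],
})

# Constructed stand-in for the scanned filesystem: path -> bytes.
FILE_CONTENTS = {"/bin/busybox": b"abc", "/etc/motd": b"abc"}


def load_document(raw: str) -> dict:
    """Parse a Syft JSON document and refuse schema majors this consumer was not written for."""
    doc = json.loads(raw)
    version = doc["schema"]["version"]
    if version.split(".")[0] != "16":
        raise ValueError(f"unsupported syft schema version {version}")
    return doc


def verify_digests(doc: dict, contents: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Recompute every File digest we can and return {path: [problems]} where they disagree."""
    problems: Dict[str, List[str]] = {}
    for f in doc.get("files", []):
        path = f["location"]["path"]
        data = contents.get(path)
        if data is None:  # content not available to us, so nothing to compare against
            continue
        for d in f.get("digests", []):
            try:
                h = hashlib.new(d["algorithm"])
            except ValueError:
                problems.setdefault(path, []).append(f"unknown algorithm {d['algorithm']}")
                continue
            h.update(data)
            if h.hexdigest() != d["value"].lower():
                problems.setdefault(path, []).append(f"{d['algorithm']} mismatch")
    return problems


def missing_hardening(doc: dict) -> Dict[str, List[str]]:
    """Return {path: [missing protections]} for ELF files whose elfSecurityFeatures fall short."""
    findings: Dict[str, List[str]] = {}
    for f in doc.get("files", []):
        exe = f.get("executable") or {}
        if exe.get("format") != "ELF":
            continue
        feat = exe.get("elfSecurityFeatures") or {}
        gaps = [flag for flag in ("nx", "stackCanary") if not feat.get(flag)]
        if not feat.get("pie") and not feat.get("dso"):  # shared objects are PIC by construction
            gaps.append("pie")
        if feat.get("relRO") != "full":  # assumption: relRO is a string and "full" is the top level
            gaps.append(f"relRO={feat.get('relRO')!r}")
        if gaps:
            findings[f["location"]["path"]] = gaps
    return findings


def files_by_package(doc: dict) -> Dict[str, List[str]]:
    """Map each package purl to the file paths it 'contains', following artifactRelationships."""
    packages = {p["id"]: p for p in doc.get("artifacts", [])}
    files = {f["id"]: f for f in doc.get("files", [])}
    owned: Dict[str, List[str]] = {}
    for rel in doc.get("artifactRelationships", []):
        if rel["type"] != "contains":
            continue
        pkg, fil = packages.get(rel["parent"]), files.get(rel["child"])
        if pkg is None or fil is None:  # dangling ID: the relationship points at nothing we know
            continue
        owned.setdefault(pkg["purl"], []).append(fil["location"]["path"])
    return owned
```

Against a real scan, replace FILE_CONTENTS with a reader over the exported filesystem or image layers; files absent from the reader are skipped rather than reported.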
Ecosystem Specific Types
AlpmDbEntry
Is a struct that represents the package data stored in the pacman flat-file stores for arch linux.
| Field Name | Type | Description |
|---|---|---|
basepackage | str | BasePackage is the base package name this package was built from (source package in Arch build system) |
package | str | Package is the package name as found in the desc file |
version | str | Version is the package version as found in the desc file |
description | str | Description is a human-readable package description |
architecture | str | Architecture is the target CPU architecture as defined in Arch architecture spec (e.g. x86_64, aarch64, or "any" for arch-independent packages) |
size | int | Size is the installed size in bytes |
packager | str | Packager is the name and email of the person who packaged this (RFC822 format) |
url | str | URL is the upstream project URL |
validation | str | Validation is the validation method used for package integrity (e.g. pgp signature, sha256 checksum) |
reason | int | Reason is the installation reason tracked by pacman (0=explicitly installed by user, 1=installed as dependency) |
files | Array<AlpmFileRecord> | Files are the files installed by this package |
backup | Array<AlpmFileRecord> | Backup is the list of configuration files that pacman backs up before upgrades |
provides | Array<str> | Provides are virtual packages provided by this package (allows other packages to depend on capabilities rather than specific packages) |
depends | Array<str> | Depends are the runtime dependencies required by this package |
AlpmFileRecord
Represents a single file entry within an Arch Linux package with its associated metadata tracked by pacman.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
type | str | Type is the file type (e.g. regular file, directory, symlink) |
uid | str | UID is the file owner user ID as recorded by pacman |
gid | str | GID is the file owner group ID as recorded by pacman |
time | str | Time is the file modification timestamp |
size | str | Size is the file size in bytes |
link | str | Link is the symlink target path if this is a symlink |
digest | Array<Digest> | Digests contains file content hashes for integrity verification |
ApkDbEntry
Represents all captured data for the alpine linux package manager flat-file store.
| Field Name | Type | Description |
|---|---|---|
package | str | Package is the package name as found in the installed file |
originPackage | str | OriginPackage is the original source package name this binary was built from (used to track which aport/source built this) |
maintainer | str | Maintainer is the package maintainer name and email |
version | str | Version is the package version as found in the installed file |
architecture | str | Architecture is the target CPU architecture |
url | str | URL is the upstream project URL |
description | str | Description is a human-readable package description |
size | int | Size is the package archive size in bytes (.apk file size) |
installedSize | int | InstalledSize is the total size of installed files in bytes |
pullDependencies | Array<str> | Dependencies are the runtime dependencies required by this package |
provides | Array<str> | Provides are virtual packages provided by this package (for capability-based dependencies) |
pullChecksum | str | Checksum is the package content checksum for integrity verification |
gitCommitOfApkPort | str | GitCommit is the git commit hash of the APK port definition in Alpine's aports repository |
files | Array<ApkFileRecord> | Files are the files installed by this package |
ApkFileRecord
Represents a single file listing and metadata from an APK DB entry (which may have many of these file records).
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
ownerUid | str | OwnerUID is the file owner user ID |
ownerGid | str | OwnerGID is the file owner group ID |
permissions | str | Permissions is the file permission mode string (e.g. "0755", "0644") |
digest | Digest | Digest is the file content hash for integrity verification |
BinarySignature
Represents a set of matched values within a binary file.
| Field Name | Type |
|---|---|
matches | Array<ClassifierMatch> |
BitnamiSbomEntry
Represents all captured data from Bitnami packages described in Bitnami's SPDX files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the Bitnami SPDX file |
arch | str | Architecture is the target CPU architecture (amd64 or arm64 in Bitnami images) |
distro | str | Distro is the distribution name this package is for (base OS like debian, ubuntu, etc.) |
revision | str | Revision is the Bitnami-specific package revision number (incremented for Bitnami rebuilds of same upstream version) |
version | str | Version is the package version as found in the Bitnami SPDX file |
path | str | Path is the installation path in the filesystem where the package is located |
files | Array<str> | Files are the file paths owned by this package (tracked via SPDX relationships) |
CConanFileEntry
ConanfileEntry represents a single "Requires" entry from a conanfile.txt.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
CConanInfoEntry
ConaninfoEntry represents a single "full_requires" entry from a conaninfo.txt.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
package_id | str | PackageID is a unique package variant identifier |
CConanLockEntry
ConanV1LockEntry represents a single "node" entry from a conan.lock V1 file.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
package_id | str | PackageID is a unique package variant identifier computed from settings/options (static hash in Conan 1.x, can have collisions with complex dependency graphs) |
prev | str | Prev is the previous lock entry reference for versioning |
requires | Array<str> | Requires are the runtime package dependencies |
build_requires | Array<str> | BuildRequires are the build-time dependencies (e.g. cmake, compilers) |
py_requires | Array<str> | PythonRequires are the Python dependencies needed for Conan recipes |
options | KeyValues | Options are package configuration options as key-value pairs (e.g. shared=True, fPIC=True) |
path | str | Path is the filesystem path to the package in Conan cache |
context | str | Context is the build context information |
CConanLockV2Entry
ConanV2LockEntry represents a single "node" entry from a conan.lock V2 file.
| Field Name | Type | Description |
|---|---|---|
ref | str | Ref is the package reference string in format name/version@user/channel |
packageID | str | PackageID is a unique package variant identifier (dynamic in Conan 2.0, more accurate than V1) |
username | str | Username is the Conan user/organization name |
channel | str | Channel is the Conan channel name indicating stability/purpose (e.g. stable, testing, experimental) |
recipeRevision | str | RecipeRevision is a git-like revision hash (RREV) of the recipe |
packageRevision | str | PackageRevision is a git-like revision hash of the built binary package |
timestamp | str | TimeStamp is when this package was built/locked |
CocoaPodfileLockEntry
Represents a single entry from the "Pods" section of a Podfile.lock file.
| Field Name | Type | Description |
|---|---|---|
checksum | str | Checksum is the SHA-1 hash of the podspec file for integrity verification (generated via `pod ipc spec ... | openssl sha1`), ensuring all team members use the same pod specification version |
CondaMetadataEntry
CondaMetaPackage represents metadata for a Conda package extracted from the conda-meta/*.json files.
| Field Name | Type | Description |
|---|---|---|
arch | str | Arch is the target CPU architecture for the package (e.g., "arm64", "x86_64"). |
name | str | Name is the package name as found in the conda-meta JSON file. |
version | str | Version is the package version as found in the conda-meta JSON file. |
build | str | Build is the build string identifier (e.g., "h90dfc92_1014"). |
build_number | int | BuildNumber is the sequential build number for this version. |
channel | str | Channel is the Conda channel URL where the package was retrieved from. |
subdir | str | Subdir is the subdirectory within the channel (e.g., "osx-arm64", "linux-64"). |
noarch | str | Noarch indicates if the package is platform-independent (e.g., "python", "generic"). |
license | str | License is the package license identifier. |
license_family | str | LicenseFamily is the general license category (e.g., "MIT", "Apache", "GPL"). |
md5 | str | MD5 is the MD5 hash of the package archive. |
sha256 | str | SHA256 is the SHA-256 hash of the package archive. |
size | int | Size is the package archive size in bytes. |
timestamp | int | Timestamp is the Unix timestamp when the package was built. |
fn | str | Filename is the original package archive filename (e.g., "zlib-1.2.11-h90dfc92_1014.tar.bz2"). |
url | str | URL is the full download URL for the package archive. |
extracted_package_dir | str | ExtractedPackageDir is the local cache directory where the package was extracted. |
depends | Array<str> | Depends is the list of runtime dependencies with version constraints. |
files | Array<str> | Files is the list of files installed by this package. |
paths_data | CondaPathsData | PathsData contains detailed file metadata from the paths.json file. |
link | CondaLink | Link contains installation source metadata from the link.json file. |
CondaLink
Represents link metadata from a Conda package's link.json file describing package installation source.
| Field Name | Type | Description |
|---|---|---|
source | str | Source is the original path where the package was extracted from cache. |
type | int | Type indicates the link type (1 for hard link, 2 for soft link, 3 for copy). |
CondaPathData
Represents metadata for a single file within a Conda package from the paths.json file.
| Field Name | Type | Description |
|---|---|---|
_path | str | Path is the file path relative to the Conda environment root. |
path_type | str | PathType indicates the link type for the file (e.g., "hardlink", "softlink", "directory"). |
sha256 | str | SHA256 is the SHA-256 hash of the file contents. |
sha256_in_prefix | str | SHA256InPrefix is the SHA-256 hash of the file after prefix replacement during installation. |
size_in_bytes | int | SizeInBytes is the file size in bytes. |
CondaPathsData
Represents the paths.json file structure from a Conda package containing file metadata.
| Field Name | Type | Description |
|---|---|---|
paths_version | int | PathsVersion is the schema version of the paths data format. |
paths | Array<CondaPathData> | Paths is the list of file metadata entries for all files in the package. |
DartPubspec
Is a struct that represents a package described in a pubspec.yaml file
| Field Name | Type | Description |
|---|---|---|
homepage | str | Homepage is the package homepage URL |
repository | str | Repository is the source code repository URL |
documentation | str | Documentation is the documentation site URL |
publish_to | str | PublishTo is the package repository to publish to, or "none" to prevent accidental publishing |
environment | DartPubspecEnvironment | Environment is SDK version constraints for Dart and Flutter |
platforms | Array<str> | Platforms are the supported platforms (Android, iOS, web, etc.) |
ignored_advisories | Array<str> | IgnoredAdvisories are the security advisories to explicitly ignore for this package |
DartPubspecEnvironment
Represents SDK version constraints from the environment section of pubspec.yaml.
| Field Name | Type | Description |
|---|---|---|
sdk | str | SDK is the Dart SDK version constraint (e.g. ">=2.12.0 <3.0.0") |
flutter | str | Flutter is the Flutter SDK version constraint if this is a Flutter package |
DartPubspecLockEntry
Is a struct that represents a single entry found in the "packages" section in a Dart pubspec.lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the pubspec.lock file |
version | str | Version is the package version as found in the pubspec.lock file |
hosted_url | str | HostedURL is the URL of the package repository for hosted packages (typically pub.dev, but can be custom repository identified by hosted-url). When PUB_HOSTED_URL environment variable changes, lockfile tracks the source. |
vcs_url | str | VcsURL is the URL of the VCS repository for git/path dependencies (for packages fetched from version control systems like Git) |
DotnetDepsEntry
Is a struct that represents a single entry found in the "libraries" section in a .NET [*.]deps.json file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the deps.json file |
version | str | Version is the package version as found in the deps.json file |
path | str | Path is the relative path to the package within the deps structure (e.g. "app.metrics/3.0.0") |
sha512 | str | Sha512 is the SHA-512 hash of the NuGet package content WITHOUT the signed content for verification (won't match hash from NuGet API or manual calculation of .nupkg file) |
hashPath | str | HashPath is the relative path to the .nupkg.sha512 hash file (e.g. "app.metrics.3.0.0.nupkg.sha512") |
executables | obj | Executables are the map of .NET Portable Executable files within this package with their version resources |
DotnetPackagesLockEntry
Is a struct that represents a single entry found in the "dependencies" section in a .NET packages.lock.json file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the packages.lock.json file |
version | str | Version is the package version as found in the packages.lock.json file |
contentHash | str | ContentHash is the hash of the package content for verification |
type | str | Type is the dependency type indicating how this dependency was added (Direct=explicit in project file, Transitive=pulled in by another package, Project=project reference) |
DotnetPortableExecutableEntry
Is a struct that represents a single entry found within "VersionResources" section of a .NET Portable Executable binary file.
| Field Name | Type | Description |
|---|---|---|
assemblyVersion | str | AssemblyVersion is the .NET assembly version number (strong-named version) |
legalCopyright | str | LegalCopyright is the copyright notice string |
comments | str | Comments are additional comments or description embedded in PE resources |
internalName | str | InternalName is the internal name of the file |
companyName | str | CompanyName is the company that produced the file |
productName | str | ProductName is the name of the product this file is part of |
productVersion | str | ProductVersion is the version of the product (may differ from AssemblyVersion) |
DpkgArchiveEntry
Represents package metadata extracted from a .deb archive file.
| Field Name | Type | Description |
|---|---|---|
package | str | Package is the package name as found in the status file |
source | str | Source is the source package name this binary was built from (one source can produce multiple binary packages) |
version | str | Version is the binary package version as found in the status file |
sourceVersion | str | SourceVersion is the source package version (may differ from binary version when binNMU rebuilds occur) |
architecture | str | Architecture is the target architecture per Debian spec (specific arch like amd64/arm64, wildcard like any, architecture-independent "all", or "source" for source packages) |
maintainer | str | Maintainer is the package maintainer's name and email in RFC822 format (name must come first, then email in angle brackets) |
installedSize | int | InstalledSize is the total size of installed files in kilobytes |
provides | Array<str> | Provides are the virtual packages provided by this package (allows other packages to depend on capabilities. Can include versioned provides like "libdigest-md5-perl (= 2.55.01)") |
depends | Array<str> | Depends are the packages required for this package to function (will not be installed unless these requirements are met, creates strict ordering constraint) |
preDepends | Array<str> | PreDepends are the packages that must be installed and configured BEFORE even starting installation of this package (stronger than Depends, discouraged unless absolutely necessary as it adds strict constraints for apt) |
files | Array<DpkgFileRecord> | Files are the files installed by this package |
DpkgFileRecord
Represents a single file attributed to a debian package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
digest | Digest | Digest is the file content hash (typically MD5 for dpkg compatibility with legacy systems) |
isConfigFile | bool | IsConfigFile is whether this file is marked as a configuration file (dpkg will preserve user modifications during upgrades) |
DpkgDbEntry
Represents all captured data for a Debian package DB entry; available fields are described at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section.
| Field Name | Type | Description |
|---|---|---|
package | str | Package is the package name as found in the status file |
source | str | Source is the source package name this binary was built from (one source can produce multiple binary packages) |
version | str | Version is the binary package version as found in the status file |
sourceVersion | str | SourceVersion is the source package version (may differ from binary version when binNMU rebuilds occur) |
architecture | str | Architecture is the target architecture per Debian spec (specific arch like amd64/arm64, wildcard like any, architecture-independent "all", or "source" for source packages) |
maintainer | str | Maintainer is the package maintainer's name and email in RFC822 format (name must come first, then email in angle brackets) |
installedSize | int | InstalledSize is the total size of installed files in kilobytes |
provides | Array<str> | Provides are the virtual packages provided by this package (allows other packages to depend on capabilities. Can include versioned provides like "libdigest-md5-perl (= 2.55.01)") |
depends | Array<str> | Depends are the packages required for this package to function (will not be installed unless these requirements are met, creates strict ordering constraint) |
preDepends | Array<str> | PreDepends are the packages that must be installed and configured BEFORE even starting installation of this package (stronger than Depends, discouraged unless absolutely necessary as it adds strict constraints for apt) |
files | Array<DpkgFileRecord> | Files are the files installed by this package |
ElfBinaryPackageNoteJsonPayload
Represents metadata captured from the .note.package section of an ELF-formatted binary
| Field Name | Type | Description |
|---|---|---|
type | str | Type is the type of the package (e.g. "rpm", "deb", "apk", etc.) |
architecture | str | Architecture of the binary package (e.g. "amd64", "arm", etc.) |
osCPE | str | OSCPE is a CPE name for the OS, typically corresponding to CPE_NAME in os-release (e.g. cpe:/o:fedoraproject:fedora:33) |
os | str | OS is the OS name, typically corresponding to ID in os-release (e.g. "fedora") |
osVersion | str | osVersion is the version of the OS, typically corresponding to VERSION_ID in os-release (e.g. "33") |
system | str | System is a context-specific name for the system that the binary package is intended to run on or a part of |
vendor | str | Vendor is the individual or organization that produced the source code for the binary |
sourceRepo | str | SourceRepo is the URL of the source repository from which the binary was built |
commit | str | Commit is the commit hash in the source repository from which the binary was built |
ElixirMixLockEntry
Is a struct that represents a single entry in a mix.lock file
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the mix.lock file |
version | str | Version is the package version as found in the mix.lock file |
pkgHash | str | PkgHash is the outer checksum (SHA-256 of the entire Hex package tarball) used for integrity verification; this is the preferred checksum and replaces the deprecated inner checksum |
pkgHashExt | str | PkgHashExt is the extended package hash format (the inner checksum, a SHA-256 of the concatenated file contents excluding the CHECKSUM file; deprecated and superseded by the outer checksum) |
ErlangRebarLockEntry
Represents a single package entry from the "deps" section within an Erlang rebar.lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the rebar.lock file |
version | str | Version is the package version as found in the rebar.lock file |
pkgHash | str | PkgHash is the outer checksum (SHA-256 of the entire Hex package tarball) used for integrity verification; this is the preferred checksum over the deprecated inner checksum |
pkgHashExt | str | PkgHashExt is the extended package hash format (the deprecated inner checksum, which was a SHA-256 of the concatenated file contents) |
GgufFileHeader
Represents metadata extracted from a GGUF (GPT-Generated Unified Format) model file.
| Field Name | Type | Description |
|---|---|---|
ggufVersion | int | GGUFVersion is the GGUF format version (e.g., 3) |
fileSize | int | FileSize is the size of the GGUF file in bytes (best-effort if available from resolver) |
architecture | str | Architecture is the model architecture (from general.architecture, e.g., "qwen3moe", "llama") |
quantization | str | Quantization is the quantization type (e.g., "IQ4_NL", "Q4_K_M") |
parameters | int | Parameters is the number of model parameters (if present in header) |
tensorCount | int | TensorCount is the number of tensors in the model |
header | obj | RemainingKeyValues contains the remaining key-value pairs from the GGUF header that are not already represented as typed fields above. This preserves additional metadata fields for reference (namespaced with general.*, llama.*, etc.) while avoiding duplication. |
metadataHash | str | MetadataKeyValuesHash is a xx64 hash of all key-value pairs from the GGUF header metadata. This hash is computed over the complete header metadata (including the fields extracted into typed fields above) and provides a stable identifier for the model configuration across different file locations or remotes. It allows matching identical models even when stored in different repositories or with different filenames. |
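The typed fields above come straight out of the GGUF header, which is a small binary structure: the magic `GGUF`, a 32-bit version, 64-bit tensor and key-value counts, then typed key-value pairs. The following parser is an added example, not Syft's cataloger. It handles versions 2 and 3, bounds-checks every length it reads so a malformed header cannot drive an unbounded allocation, and builds its own constructed header-only sample (no tensor data). One stated difference: the fingerprint it computes over the key-value pairs uses SHA-256 over canonical JSON, not the xx64 hash Syft reports in `metadataHash`.

```python
import hashlib
import json
import struct

GGUF_MAGIC = b"GGUF"
# value-type ids from the GGUF spec mapped to little-endian struct formats
_SCALAR_FORMATS = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
                   6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}
T_STRING, T_ARRAY = 8, 9


class _Reader:
    """Bounds-checked little-endian reader so a hostile header cannot read past the buffer."""

    def __init__(self, data: bytes, max_len: int):
        self.data, self.off, self.max_len = data, 0, max_len

    def unpack(self, fmt: str):
        size = struct.calcsize(fmt)
        if self.off + size > len(self.data):
            raise ValueError("truncated GGUF header")
        (value,) = struct.unpack_from(fmt, self.data, self.off)
        self.off += size
        return value

    def string(self) -> str:
        n = self.unpack("<Q")
        if n > self.max_len or self.off + n > len(self.data):
            raise ValueError("string length exceeds buffer or limit")
        s = self.data[self.off:self.off + n].decode("utf-8")
        self.off += n
        return s

    def value(self, vtype: int):
        if vtype == T_STRING:
            return self.string()
        if vtype == T_ARRAY:
            elem_type, count = self.unpack("<I"), self.unpack("<Q")
            if count > self.max_len:
                raise ValueError("array length exceeds limit")
            return [self.value(elem_type) for _ in range(count)]
        if vtype in _SCALAR_FORMATS:
            return self.unpack(_SCALAR_FORMATS[vtype])
        raise ValueError(f"unknown GGUF value type {vtype}")


def parse_gguf_header(data: bytes, max_len: int = 1 << 20) -> dict:
    """Parse the GGUF header and its key-value metadata (tensor info and tensor data are not read)."""
    r = _Reader(data, max_len)
    if r.unpack("<4s") != GGUF_MAGIC:
        raise ValueError("not a GGUF file")
    version = r.unpack("<I")
    if version not in (2, 3):  # v1 used 32-bit counts and lengths and is not handled here
        raise ValueError(f"unsupported GGUF version {version}")
    tensor_count, kv_count = r.unpack("<Q"), r.unpack("<Q")
    if kv_count > max_len:
        raise ValueError("metadata key-value count exceeds limit")
    kv = {}
    for _ in range(kv_count):
        key = r.string()
        kv[key] = r.value(r.unpack("<I"))
    # Stable fingerprint of the whole key-value header. Assumption: SHA-256 over canonical JSON,
    # which is this example's choice and not the xx64 hash Syft uses.
    canonical = json.dumps(kv, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return {
        "ggufVersion": version,
        "tensorCount": tensor_count,
        "architecture": kv.get("general.architecture"),
        "header": kv,
        "metadataHash": hashlib.sha256(canonical).hexdigest(),
    }


def _gguf_str(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack("<Q", len(b)) + b


def build_sample_gguf() -> bytes:
    """Constructed header-only GGUF v3 sample with 7 tensors declared and four metadata keys."""
    kvs = [
        _gguf_str("general.architecture") + struct.pack("<I", T_STRING) + _gguf_str("llama"),
        _gguf_str("general.name") + struct.pack("<I", T_STRING) + _gguf_str("constructed-tiny"),
        _gguf_str("llama.context_length") + struct.pack("<II", 4, 4096),
        _gguf_str("tokenizer.ggml.tokens") + struct.pack("<I", T_ARRAY)
        + struct.pack("<IQ", T_STRING, 2) + _gguf_str("<s>") + _gguf_str("</s>"),
    ]
    return GGUF_MAGIC + struct.pack("<IQQ", 3, 7, len(kvs)) + b"".join(kvs)


if __name__ == "__main__":
    parsed = parse_gguf_header(build_sample_gguf())
    print(parsed["ggufVersion"], parsed["tensorCount"], parsed["architecture"], parsed["metadataHash"][:16])
```

The `max_len` cap matters in practice: a real GGUF header can legitimately carry a vocabulary array with tens of thousands of strings, so set the limit to what your pipeline is willing to allocate rather than trusting the count in the file.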
GithubActionsUseStatement
Represents a single 'uses' statement in a GitHub Actions workflow file referencing an action or reusable workflow.
| Field Name | Type | Description |
|---|---|---|
value | str | Value is the action reference (e.g. "actions/checkout@v3") |
comment | str | Comment is the inline comment associated with this uses statement |
GoModuleBuildinfoEntry
GolangBinaryBuildinfoEntry represents all captured data for a Golang binary
| Field Name | Type | Description |
|---|---|---|
goBuildSettings | KeyValues | BuildSettings contains the Go build settings and flags used to compile the binary (e.g., GOARCH, GOOS, CGO_ENABLED). |
goCompiledVersion | str | GoCompiledVersion is the version of Go used to compile the binary. |
architecture | str | Architecture is the target CPU architecture for the binary (extracted from GOARCH build setting). |
h1Digest | str | H1Digest is the Go module hash in h1: format as recorded in the binary's embedded build info (the same checksum go.sum carries for the module). |
mainModule | str | MainModule is the main module path for the binary (e.g., "github.com/anchore/syft"). |
goCryptoSettings | Array<str> | GoCryptoSettings contains FIPS and cryptographic configuration settings if present. |
goExperiments | Array<str> | GoExperiments lists experimental Go features enabled during compilation (e.g., "arenas", "cgocheck2"). |
GoModuleEntry
GolangModuleEntry represents all captured data for a Golang source scan with go.mod/go.sum
| Field Name | Type | Description |
|---|---|---|
h1Digest | str | H1Digest is the Go module hash in h1: format from go.sum for verifying module contents. |
GoSourceEntry
GolangSourceEntry represents all captured data for a Golang package found through source analysis
| Field Name | Type | Description |
|---|---|---|
h1Digest | str | H1Digest is the Go module hash in h1: format from go.sum for verifying module contents. |
os | str | OperatingSystem is the target OS for build constraints (e.g., "linux", "darwin", "windows"). |
architecture | str | Architecture is the target CPU architecture for build constraints (e.g., "amd64", "arm64"). |
buildTags | str | BuildTags are the build tags used to conditionally compile code (e.g., "integration,debug"). |
cgoEnabled | bool | CgoEnabled indicates whether CGO was enabled for this package. |
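The `h1Digest` values in GoModuleBuildinfoEntry, GoModuleEntry and GoSourceEntry all use the same scheme, Go's `dirhash.Hash1`: hash each file with SHA-256, emit one `<hex>  <name>` line per file in sorted name order, SHA-256 that listing, and base64-encode it behind an `h1:` prefix. The zip line of go.sum hashes every file under `<module>@<version>/`; the `/go.mod` line hashes only `go.mod` under its bare name. The following is an added example, not part of Syft or the Go toolchain: it recomputes both hashes for a constructed in-memory module and checks them against go.sum lines that are generated from the same tree, so the example is self-consistent offline.

```python
import base64
import hashlib


def hash1(files: dict[str, bytes]) -> str:
    """Go's dirhash Hash1: sha256 over "<sha256hex>  <name>\\n" lines, sorted by name, base64, "h1:" prefix."""
    summary = hashlib.sha256()
    for name in sorted(files):
        if "\n" in name:
            raise ValueError("filenames with newlines are not supported")
        file_hash = hashlib.sha256(files[name]).hexdigest()
        summary.update(f"{file_hash}  {name}\n".encode("utf-8"))
    return "h1:" + base64.b64encode(summary.digest()).decode("ascii")


def module_zip_hash(module_path: str, version: str, tree: dict[str, bytes]) -> str:
    """Hash of the module zip: entries inside the zip are named "<module>@<version>/<path>"."""
    prefix = f"{module_path}@{version}/"
    return hash1({prefix + path: data for path, data in tree.items()})


def gomod_hash(gomod: bytes) -> str:
    """Hash on the "<module> <version>/go.mod" line: only go.mod, under its bare name."""
    return hash1({"go.mod": gomod})


def check_go_sum(go_sum: str, module_path: str, version: str, tree: dict[str, bytes]) -> dict[str, bool]:
    """Compare the two go.sum lines for one module against hashes recomputed from tree."""
    expected = {}
    for line in go_sum.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != module_path:
            continue
        if parts[1] == version:
            expected["zip"] = parts[2]
        elif parts[1] == version + "/go.mod":
            expected["go.mod"] = parts[2]
    return {
        "zip": expected.get("zip") == module_zip_hash(module_path, version, tree),
        "go.mod": expected.get("go.mod") == gomod_hash(tree["go.mod"]),
    }


# Constructed sample module; its go.sum lines are generated from the same tree
MODULE, VERSION = "example.test/constructed/lib", "v0.1.0"
SAMPLE_TREE = {
    "go.mod": b"module example.test/constructed/lib\n\ngo 1.22\n",
    "lib.go": b"package lib\n\nfunc Answer() int { return 42 }\n",
    "LICENSE": b"constructed sample, no license text\n",
}
SAMPLE_GO_SUM = (
    f"{MODULE} {VERSION} {module_zip_hash(MODULE, VERSION, SAMPLE_TREE)}\n"
    f"{MODULE} {VERSION}/go.mod {gomod_hash(SAMPLE_TREE['go.mod'])}\n"
)

if __name__ == "__main__":
    print(SAMPLE_GO_SUM, end="")
    print(check_go_sum(SAMPLE_GO_SUM, MODULE, VERSION, SAMPLE_TREE))
```

Because the listing is sorted and the version is baked into every entry name, the same source tree published under a different version yields a different `h1:` value, which is why a go.sum mismatch after a tag is re-pushed is a signal worth investigating rather than silencing with `GONOSUMDB`.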
HaskellHackageStackEntry
HackageStackYamlEntry represents a single entry from the "extra-deps" section of a stack.yaml file.
| Field Name | Type | Description |
|---|---|---|
pkgHash | str | PkgHash is the package content hash for verification |
HaskellHackageStackLockEntry
HackageStackYamlLockEntry represents a single entry from the "packages" section of a stack.yaml.lock file.
| Field Name | Type | Description |
|---|---|---|
pkgHash | str | PkgHash is the package content hash for verification |
snapshotURL | str | SnapshotURL is the URL to the Stack snapshot this package came from |
HomebrewFormula
Represents metadata about a Homebrew formula package extracted from formula JSON files.
| Field Name | Type | Description |
|---|---|---|
tap | str | Tap is Homebrew tap this formula belongs to (e.g. "homebrew/core") |
homepage | str | Homepage is the upstream project homepage URL |
description | str | Description is a human-readable formula description |
JavaArchive
Encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship.
| Field Name | Type | Description |
|---|---|---|
virtualPath | str | VirtualPath is path within the archive hierarchy, where nested entries are delimited with ':' (for nested JARs) |
manifest | JavaManifest | Manifest is parsed META-INF/MANIFEST.MF contents |
pomProperties | JavaPomProperties | PomProperties is parsed pom.properties file contents |
pomProject | JavaPomProject | PomProject is parsed pom.xml file contents |
digest | Array<Digest> | ArchiveDigests are the cryptographic hashes of the archive file |
JavaManifest
Represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file.
| Field Name | Type | Description |
|---|---|---|
main | KeyValues | Main is main manifest attributes as key-value pairs |
sections | Array<KeyValues> | Sections are the named sections from the manifest (e.g. per-entry attributes) |
JavaPomParent
Contains the fields within the `<parent>` element of a pom.xml file, identifying the parent POM the project inherits from.
| Field Name | Type | Description |
|---|---|---|
groupId | str | GroupID is the parent Maven group identifier |
artifactId | str | ArtifactID is the parent Maven artifact identifier |
version | str | Version is the parent version (child inherits configuration from this specific version of parent POM) |
JavaPomProject
Represents fields of interest extracted from a Java archive's pom.xml file.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the pom.xml file within the archive |
parent | JavaPomParent | Parent is the parent POM reference for inheritance (child POMs inherit configuration from parent) |
groupId | str | GroupID is Maven group identifier (reversed domain name like org.apache.maven) |
artifactId | str | ArtifactID is Maven artifact identifier (project name) |
version | str | Version is project version (together with groupId and artifactId forms Maven coordinates groupId:artifactId:version) |
name | str | Name is a human-readable project name (displayed in Maven-generated documentation) |
description | str | Description is detailed project description |
url | str | URL is the project URL (typically project website or repository) |
JavaPomProperties
Represents the fields of interest extracted from a Java archive's pom.properties file.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the pom.properties file within the archive |
name | str | Name is the project name |
groupId | str | GroupID is Maven group identifier uniquely identifying the project across all projects (follows reversed domain name convention like com.company.project) |
artifactId | str | ArtifactID is Maven artifact identifier, the name of the jar/artifact (unique within the groupId scope) |
version | str | Version is artifact version |
scope | str | Scope is dependency scope determining when dependency is available (compile=default all phases, test=test compilation/execution only, runtime=runtime and test not compile, provided=expected from JDK or container) |
extraFields | obj | Extra is additional custom properties not in standard Maven coordinates |
JavaJvmInstallation
JavaVMInstallation represents a Java Virtual Machine installation discovered on the system with its release information and file list.
| Field Name | Type | Description |
|---|---|---|
release | JavaVMRelease | Release is JVM release information and version details |
files | Array<str> | Files are the list of files that are part of this JVM installation |
JavaVMRelease
Represents JVM version and build information extracted from the release file in a Java installation.
| Field Name | Type | Description |
|---|---|---|
implementor | str | Implementor is extracted from the `java.vendor` JVM property |
implementorVersion | str | ImplementorVersion is extracted from the `java.vendor.version` JVM property |
javaRuntimeVersion | str | JavaRuntimeVersion is extracted from the 'java.runtime.version' JVM property |
javaVersion | str | JavaVersion matches that from `java -version` command output |
javaVersionDate | str | JavaVersionDate is extracted from the 'java.version.date' JVM property |
libc | str | Libc can either be 'glibc' or 'musl' |
modules | Array<str> | Modules is a list of JVM modules that are packaged |
osArch | str | OsArch is the target CPU architecture |
osName | str | OsName is the name of the target runtime operating system environment |
osVersion | str | OsVersion is the version of the target runtime operating system environment |
source | str | Source refers to the origin repository of OpenJDK source |
buildSource | str | BuildSource is the Git SHA of the build repository |
buildSourceRepo | str | BuildSourceRepo refers to the repository URL for the build source |
sourceRepo | str | SourceRepo refers to the OpenJDK repository URL |
fullVersion | str | FullVersion is extracted from the 'java.runtime.version' JVM property |
semanticVersion | str | SemanticVersion is derived from the OpenJDK version |
buildInfo | str | BuildInfo contains additional build information |
jvmVariant | str | JvmVariant specifies the JVM variant (e.g., Hotspot or OpenJ9) |
jvmVersion | str | JvmVersion is extracted from the 'java.vm.version' JVM property |
imageType | str | ImageType can be 'JDK' or 'JRE' |
buildType | str | BuildType can be 'commercial' (used in some older oracle JDK distributions) |
JavascriptNpmPackage
NpmPackage represents the contents of a javascript package.json file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in package.json |
version | str | Version is the package version as found in package.json |
author | str | Author is package author name |
homepage | str | Homepage is project homepage URL |
description | str | Description is a human-readable package description |
url | str | URL is repository or project URL |
private | bool | Private is whether this is a private package |
JavascriptNpmPackageLockEntry
NpmPackageLockEntry represents a single entry within the "packages" section of a package-lock.json file.
| Field Name | Type | Description |
|---|---|---|
resolved | str | Resolved is URL where this package was downloaded from (registry source) |
integrity | str | Integrity is the Subresource Integrity (SRI) hash used for verification, in standard SRI format (sha512-... or sha1-...; npm moved from SHA-1 to SHA-512 in newer versions). For registry sources this is the integrity value reported by the registry; for remote tarballs it is the SHA-512 of the file. npm verifies that the downloaded tarball matches this hash before unpacking and fails with an EINTEGRITY error on mismatch. |
dependencies | obj | Dependencies is a map of dependencies and their version markers, i.e. "lodash": "^1.0.0" |
JavascriptPnpmLockEntry
PnpmLockEntry represents a single entry in the "packages" section of a pnpm-lock.yaml file.
| Field Name | Type | Description |
|---|---|---|
resolution | PnpmLockResolution | Resolution is the resolution information for the package |
dependencies | obj | Dependencies is a map of dependencies and their versions |
JavascriptYarnLockEntry
YarnLockEntry represents a single entry section of a yarn.lock file.
| Field Name | Type | Description |
|---|---|---|
resolved | str | Resolved is URL where this package was downloaded from |
integrity | str | Integrity is Subresource Integrity hash for verification (SRI format) |
dependencies | obj | Dependencies is a map of dependencies and their versions |
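Both the package-lock.json `integrity` field above and the yarn.lock `integrity` field here carry the same SRI string, and the check npm performs before unpacking is easy to reproduce when auditing an SBOM against what was actually fetched. The following is an added example, not npm's or Syft's code: it parses an SRI value (several space-separated `algo-base64` tokens, optional `?option` suffixes, unknown algorithms ignored as the SRI spec requires), compares the tarball against the strongest algorithm present using a constant-time comparison, and reports an `EINTEGRITY`-style failure on mismatch. The `min_algo` policy knob that rejects sha1-only entries, the `SAMPLE_TARBALL` bytes and the lock entry are all constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac

# Algorithms the SRI spec allows, ordered by strength; sha1 still shows up in old lockfiles
_STRENGTH = {"sha1": 0, "sha256": 1, "sha384": 2, "sha512": 3}


def parse_sri(integrity: str) -> list[tuple[str, bytes]]:
    """Parse "sha512-<b64> sha1-<b64>" into (algorithm, raw digest) pairs, dropping malformed tokens."""
    parsed = []
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        algo = algo.lower()
        if not sep or algo not in _STRENGTH:
            continue
        b64 = rest.split("?", 1)[0]  # SRI permits "?option" suffixes; ignore them
        try:
            digest = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue
        if len(digest) != hashlib.new(algo).digest_size:
            continue
        parsed.append((algo, digest))
    return parsed


def check_integrity(tarball: bytes, integrity: str, min_algo: str = "sha256") -> tuple[bool, str]:
    """Mirror npm's pre-unpack check: compare the tarball against the strongest digest listed.

    Returns (ok, reason). Assumption: min_algo is this example's own policy for rejecting
    sha1-only lockfile entries; npm itself still accepts them.
    """
    entries = parse_sri(integrity)
    if not entries:
        return False, "EINTEGRITY: no usable integrity value"
    strongest = max(_STRENGTH[algo] for algo, _ in entries)
    if strongest < _STRENGTH[min_algo]:
        return False, f"weak integrity: strongest algorithm is below {min_algo}"
    algo_name = next(a for a, s in _STRENGTH.items() if s == strongest)
    actual = hashlib.new(algo_name, tarball).digest()
    for algo, expected in entries:
        # per SRI, only digests of the strongest algorithm count; any one of them matching passes
        if algo == algo_name and hmac.compare_digest(actual, expected):
            return True, f"verified with {algo}"
    return False, "EINTEGRITY: tarball does not match lockfile integrity"


def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Produce the integrity string a lockfile would carry for data (used to build the sample)."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


# Constructed sample: stands in for the bytes fetched from a lockfile "resolved" URL
SAMPLE_TARBALL = b"constructed stand-in for left-pad-1.3.0.tgz bytes\n"
SAMPLE_LOCK_ENTRY = {
    "resolved": "https://registry.example.test/left-pad/-/left-pad-1.3.0.tgz",
    "integrity": make_sri(SAMPLE_TARBALL),
}

if __name__ == "__main__":
    print(check_integrity(SAMPLE_TARBALL, SAMPLE_LOCK_ENTRY["integrity"]))
    print(check_integrity(SAMPLE_TARBALL + b"x", SAMPLE_LOCK_ENTRY["integrity"]))
```

Reading the `integrity` value out of the SBOM and re-running this check against a tarball from an internal mirror is a cheap way to confirm the mirror serves the same bytes the lockfile was generated from.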
LinuxKernelArchive
LinuxKernel represents all captured data for a Linux kernel
| Field Name | Type | Description |
|---|---|---|
name | str | Name is kernel name (typically "Linux") |
architecture | str | Architecture is the target CPU architecture |
version | str | Version is kernel version string |
extendedVersion | str | ExtendedVersion is additional version information |
buildTime | str | BuildTime is when the kernel was built |
author | str | Author is who built the kernel |
format | str | Format is kernel image format (e.g. bzImage, zImage) |
rwRootFS | bool | RWRootFS is whether root filesystem is mounted read-write |
swapDevice | int | SwapDevice is swap device number |
rootDevice | int | RootDevice is root device number |
videoMode | str | VideoMode is default video mode setting |
LinuxKernelModule
Represents a loadable kernel module (.ko file) with its metadata, parameters, and dependencies.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is module name |
version | str | Version is module version string |
sourceVersion | str | SourceVersion is the source code version identifier |
path | str | Path is the filesystem path to the .ko kernel object file (absolute path) |
description | str | Description is a human-readable module description |
author | str | Author is module author name and email |
license | str | License is module license (e.g. GPL, BSD) which must be compatible with kernel |
kernelVersion | str | KernelVersion is kernel version this module was built for |
versionMagic | str | VersionMagic is version magic string for compatibility checking (includes kernel version, SMP status, module loading capabilities like "3.17.4-302.fc21.x86_64 SMP mod_unload modversions"). Module will NOT load if vermagic doesn't match running kernel. |
parameters | obj | Parameters are the module parameters that can be configured at load time (user-settable values like module options) |
LuarocksPackage
Represents a Lua package managed by the LuaRocks package manager with metadata from .rockspec files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the .rockspec file |
version | str | Version is the package version as found in the .rockspec file |
license | str | License is license identifier |
homepage | str | Homepage is project homepage URL |
description | str | Description is a human-readable package description |
url | str | URL is the source download URL |
dependencies | obj | Dependencies are the map of dependency names to version constraints |
NixStoreEntry
Represents a package in the Nix store (/nix/store) with its derivation information and metadata.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is full store path for this output (e.g. /nix/store/abc123...-package-1.0) |
output | str | Output is the specific output name for multi-output packages (empty string for default "out" output, can be "bin", "dev", "doc", etc.) |
outputHash | str | OutputHash is hash prefix of the store path basename (first part before the dash) |
derivation | NixDerivation | Derivation is information about the .drv file that describes how this package was built |
files | Array<str> | Files are the list of files under the nix/store path for this package |
NixDerivation
Represents a Nix .drv file that describes how to build a package including inputs, outputs, and build instructions.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the .drv file in Nix store |
system | str | System is target system string indicating where derivation can be built (e.g. "x86_64-linux", "aarch64-darwin"). Must match current system for local builds. |
inputDerivations | Array<NixDerivationReference> | InputDerivations are the list of other derivations that were inputs to this build (dependencies) |
inputSources | Array<str> | InputSources are the list of source file paths that were inputs to this build |
NixDerivationReference
Represents a reference to another derivation used as a build input or runtime dependency.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is path to the referenced .drv file |
outputs | Array<str> | Outputs are which outputs of the referenced derivation were used (e.g. ["out"], ["bin", "dev"]) |
OpamPackage
Represents an OCaml package managed by the OPAM package manager with metadata from .opam files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the .opam file |
version | str | Version is the package version as found in the .opam file |
licenses | Array<str> | Licenses are the list of applicable licenses |
url | str | URL is download URL for the package source |
checksum | Array<str> | Checksums are the list of checksums for verification |
homepage | str | Homepage is project homepage URL |
dependencies | Array<str> | Dependencies are the list of required dependencies |
PeBinary
Represents metadata captured from a Portable Executable formatted binary (dll, exe, etc.)
| Field Name | Type | Description |
|---|---|---|
VersionResources | KeyValues | VersionResources contains key-value pairs extracted from the PE file's version resource section (e.g., FileVersion, ProductName, CompanyName). |
PhpComposerInstalledEntry
Represents a single package entry from a composer v1/v2 "installed.json" file (very similar to composer.lock files).
| Field Name | Type | Description |
|---|---|---|
name | str | Name is package name in vendor/package format (e.g. symfony/console) |
version | str | Version is the package version |
source | PhpComposerExternalReference | Source is the source repository information for development (typically git repo, used when passing --prefer-source). Originates from source code repository. |
dist | PhpComposerExternalReference | Dist is distribution archive information for production (typically zip/tar, default install method). Packaged version of released code. |
require | obj | Require is runtime dependencies with version constraints (package will not install unless these requirements can be met) |
provide | obj | Provide is virtual packages/functionality provided by this package (allows other packages to depend on capabilities) |
require-dev | obj | RequireDev is development-only dependencies (not installed in production, only when developing this package or running tests) |
suggest | obj | Suggest is optional but recommended dependencies (suggestions for packages that would extend functionality) |
license | Array<str> | License is the list of license identifiers (SPDX format) |
type | str | Type is package type indicating purpose (library=reusable code, project=application, metapackage=aggregates dependencies, etc.) |
notification-url | str | NotificationURL is the URL to notify when package is installed (for tracking/statistics) |
bin | Array<str> | Bin is the list of binary/executable files that should be added to PATH |
authors | Array<PhpComposerAuthors> | Authors are the list of package authors with name/email/homepage |
description | str | Description is a human-readable package description |
homepage | str | Homepage is project homepage URL |
keywords | Array<str> | Keywords are the list of keywords for package discovery/search |
time | str | Time is timestamp when this package version was released |
PhpComposerAuthors
Represents author information for a PHP Composer package from the authors field in composer.json.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is author's full name |
email | str | Email is author's email address |
homepage | str | Homepage is author's personal or company website |
PhpComposerExternalReference
Represents source or distribution information for a PHP package, indicating where the package code is retrieved from.
| Field Name | Type | Description |
|---|---|---|
type | str | Type is reference type (git for source VCS, zip/tar for dist archives) |
url | str | URL is the URL to the resource (git repository URL or archive download URL) |
reference | str | Reference is git commit hash or version tag for source, or archive version for dist |
shasum | str | Shasum is SHA hash of the archive file for integrity verification (dist only) |
PhpComposerLockEntry
Represents a single package entry found from a composer.lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is package name in vendor/package format (e.g. symfony/console) |
version | str | Version is the package version |
source | PhpComposerExternalReference | Source is the source repository information for development (typically git repo, used when passing --prefer-source). Originates from source code repository. |
dist | PhpComposerExternalReference | Dist is distribution archive information for production (typically zip/tar, default install method). Packaged version of released code. |
require | obj | Require is runtime dependencies with version constraints (package will not install unless these requirements can be met) |
provide | obj | Provide is virtual packages/functionality provided by this package (allows other packages to depend on capabilities) |
require-dev | obj | RequireDev is development-only dependencies (not installed in production, only when developing this package or running tests) |
suggest | obj | Suggest is optional but recommended dependencies (suggestions for packages that would extend functionality) |
license | Array<str> | License is the list of license identifiers (SPDX format) |
type | str | Type is package type indicating purpose (library=reusable code, project=application, metapackage=aggregates dependencies, etc.) |
notification-url | str | NotificationURL is the URL to notify when package is installed (for tracking/statistics) |
bin | Array<str> | Bin is the list of binary/executable files that should be added to PATH |
authors | Array<PhpComposerAuthors> | Authors are the list of package authors with name/email/homepage |
description | str | Description is a human-readable package description |
homepage | str | Homepage is project homepage URL |
keywords | Array<str> | Keywords are the list of keywords for package discovery/search |
time | str | Time is timestamp when this package version was released |
PhpPearEntry
Represents a single package entry found within php pear metadata files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name |
channel | str | Channel is PEAR channel this package is from |
version | str | Version is the package version |
license | Array<str> | License is the list of applicable licenses |
PhpPeclEntry
Represents a single package entry found within php pecl metadata files.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name |
channel | str | Channel is PEAR channel this package is from |
version | str | Version is the package version |
license | Array<str> | License is the list of applicable licenses |
PortageDbEntry
PortageEntry represents a single package entry in the portage DB flat-file store.
| Field Name | Type | Description |
|---|---|---|
installedSize | int | InstalledSize is total size of installed files in bytes |
licenses | str | Licenses is license string which may be an expression (e.g. "GPL-2 OR Apache-2.0") |
files | Array<PortageFileRecord> | Files are the files installed by this package (tracked in CONTENTS file) |
PortageFileRecord
Represents a single file attributed to a portage package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the file path relative to the filesystem root |
digest | Digest | Digest is file content hash (MD5 for regular files in CONTENTS format: "obj filename md5hash mtime") |
PythonPackage
Represents all captured data for a python egg or wheel package (specifically as outlined in the PyPA core metadata specification https://packaging.python.org/en/latest/specifications/core-metadata/).
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name from the Name field in PKG-INFO or METADATA. |
version | str | Version is the package version from the Version field in PKG-INFO or METADATA. |
author | str | Author is the package author name from the Author field. |
authorEmail | str | AuthorEmail is the package author's email address from the Author-Email field. |
platform | str | Platform indicates the target platform for the package (e.g., "any", "linux", "win32"). |
files | Array<PythonFileRecord> | Files are the installed files listed in the RECORD file for wheels or installed-files.txt for eggs. |
sitePackagesRootPath | str | SitePackagesRootPath is the root directory path containing the package (e.g., "/usr/lib/python3.9/site-packages"). |
topLevelPackages | Array<str> | TopLevelPackages are the top-level Python module names from top_level.txt file. |
directUrlOrigin | PythonDirectURLOriginInfo | DirectURLOrigin contains VCS or direct URL installation information from direct_url.json. |
requiresPython | str | RequiresPython specifies the Python version requirement (e.g., ">=3.6"). |
requiresDist | Array<str> | RequiresDist lists the package dependencies with version specifiers from Requires-Dist fields. |
providesExtra | Array<str> | ProvidesExtra lists optional feature names that can be installed via extras (e.g., "dev", "test"). |
PythonDirectURLOriginInfo
Represents installation source metadata from direct_url.json for packages installed from VCS or direct URLs.
| Field Name | Type | Description |
|---|---|---|
url | str | URL is the source URL from which the package was installed. |
commitId | str | CommitID is the VCS commit hash if installed from version control. |
vcs | str | VCS is the version control system type (e.g., "git", "hg"). |
PythonFileDigest
Represents the file metadata for a single file attributed to a python package.
| Field Name | Type | Description |
|---|---|---|
algorithm | str | Algorithm is the hash algorithm used (e.g., "sha256"). |
value | str | Value is the hex-encoded hash digest value. |
PythonFileRecord
Represents a single entry within a RECORD file for a python wheel or egg package
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the installed file path from the RECORD file. |
digest | PythonFileDigest | Digest contains the hash algorithm and value for file integrity verification. |
size | str | Size is the file size in bytes as a string. |
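A wheel's RECORD file is what the table above is parsed from: one CSV row per installed file with the path, a hash in the form `<algorithm>=<urlsafe-base64 without padding>`, and the size; the row for RECORD itself (and typically any `.pyc` rows) has an empty hash and size. The following parser and verifier are an added example, not Syft's or pip's code: they turn RECORD rows into the algorithm/value shape shown above, reject the MD5 and SHA-1 algorithms the wheel specification forbids, and verify an installed tree, reporting `missing`, `size-mismatch`, `hash-mismatch`, `ok` or `unverified` per file. The installed tree and RECORD are constructed in memory for the example.

```python
import base64
import csv
import hashlib
import hmac
import io

# Hash algorithms the wheel RECORD spec forbids (PEP 427); anything else hashlib knows is allowed
_FORBIDDEN = {"md5", "sha1"}


def parse_record(text: str) -> list[dict]:
    """Parse RECORD (CSV: path, "<algo>=<urlsafe-b64-no-padding>", size) into PythonFileRecord-like dicts."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != 3:
            raise ValueError(f"malformed RECORD row: {row!r}")
        path, hashspec, size = row
        digest = None
        if hashspec:
            algo, sep, encoded = hashspec.partition("=")
            algo = algo.lower()
            if not sep or algo in _FORBIDDEN or algo not in hashlib.algorithms_available:
                raise ValueError(f"unacceptable hash spec for {path}: {hashspec}")
            raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
            digest = {"algorithm": algo, "value": raw.hex()}
        records.append({"path": path, "digest": digest, "size": size})
    return records


def verify_record(records: list[dict], files: dict[str, bytes]) -> dict[str, str]:
    """Check each RECORD entry against file contents; files maps path to bytes (an in-memory tree here)."""
    status = {}
    for rec in records:
        path, digest = rec["path"], rec["digest"]
        if digest is None:
            status[path] = "unverified"  # RECORD itself and compiled .pyc entries carry no hash
            continue
        data = files.get(path)
        if data is None:
            status[path] = "missing"
        elif rec["size"] and int(rec["size"]) != len(data):
            status[path] = "size-mismatch"
        else:
            actual = hashlib.new(digest["algorithm"], data).hexdigest()
            status[path] = "ok" if hmac.compare_digest(actual, digest["value"]) else "hash-mismatch"
    return status


def record_line(path: str, data: bytes) -> str:
    """Build the RECORD line an installer would write for data (used only to construct the sample)."""
    b64 = base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()
    return f"{path},sha256={b64},{len(data)}"


# Constructed sample: a tiny installed distribution as an installer would leave it
SAMPLE_FILES = {
    "examplepkg/__init__.py": b"__version__ = '1.0'\n",
    "examplepkg/core.py": b"def run():\n    return 42\n",
    "examplepkg-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: examplepkg\nVersion: 1.0\n",
}
SAMPLE_RECORD = "\n".join(
    [record_line(p, b) for p, b in SAMPLE_FILES.items()]
    + ["examplepkg/__pycache__/core.cpython-312.pyc,,", "examplepkg-1.0.dist-info/RECORD,,"]
) + "\n"

if __name__ == "__main__":
    for path, result in verify_record(parse_record(SAMPLE_RECORD), SAMPLE_FILES).items():
        print(f"{result:14} {path}")
```

Note that an `unverified` entry is not a finding by itself, but a RECORD where hashes are empty for `.py` source files is: an installer never writes it that way, so it points at a hand-edited or tampered installation.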
PythonPdmLockEntry
Represents a single package entry within a pdm.lock file.
| Field Name | Type | Description |
|---|---|---|
summary | str | Summary provides a description of the package |
files | Array<PythonPdmFileEntry> | Files are the package files with their paths and hash digests (for the base package without extras) |
marker | str | Marker is the environment marker: a conditional expression that determines whether the package should be installed based on the runtime environment |
requiresPython | str | RequiresPython specifies the Python version requirement (e.g., ">=3.6"). |
dependencies | Array<str> | Dependencies are the dependency specifications for the base package (without extras) |
extras | Array<PythonPdmLockExtraVariant> | Extras contains variants for different extras combinations (PDM may have multiple entries per package) |
PythonPdmFileEntry
| Field Name | Type | Description |
|---|---|---|
url | str | URL is the file download URL |
digest | PythonFileDigest | Digest is the hash digest of the file hosted at the URL |
PythonPdmLockExtraVariant
Represents a specific extras combination variant within a PDM lock file.
| Field Name | Type | Description |
|---|---|---|
extras | Array<str> | Extras are the optional extras enabled for this variant (e.g., ["toml"], ["dev"], or ["toml", "dev"]) |
dependencies | Array<str> | Dependencies are the dependencies specific to this extras variant |
files | Array<PythonPdmFileEntry> | Files are the package files specific to this variant (only populated if different from base) |
marker | str | Marker is the environment conditional expression for this variant (e.g., "python_version < \"3.11\"") |
PythonPipRequirementsEntry
PythonRequirementsEntry represents a single entry within a [*-]requirements.txt file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name from the requirements file. |
extras | Array<str> | Extras are the optional features to install from the package (e.g., package[dev,test]). |
versionConstraint | str | VersionConstraint specifies version requirements (e.g., ">=1.0,<2.0"). |
url | str | URL is the direct download URL or VCS URL if specified instead of a PyPI package. |
markers | str | Markers are environment marker expressions for conditional installation (e.g., "python_version >= '3.8'"). |
PythonPipfileLockEntry
Represents a single package entry within a Pipfile.lock file.
| Field Name | Type | Description |
|---|---|---|
hashes | Array<str> | Hashes are the package file hash values in the format "algorithm:digest" for integrity verification. |
index | str | Index is the PyPI index name where the package should be fetched from. |
PythonPoetryLockEntry
Represents a single package entry within a poetry.lock file.
| Field Name | Type | Description |
|---|---|---|
index | str | Index is the package repository name where the package should be fetched from. |
dependencies | Array<PythonPoetryLockDependencyEntry> | Dependencies are the package's runtime dependencies with version constraints. |
extras | Array<PythonPoetryLockExtraEntry> | Extras are optional feature groups that include additional dependencies. |
PythonPoetryLockDependencyEntry
Represents a single dependency entry within a Poetry lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the dependency package name. |
version | str | Version is the locked version or version constraint for the dependency. |
optional | bool | Optional indicates whether this dependency is optional (only needed for certain extras). |
markers | str | Markers are environment marker expressions that conditionally enable the dependency (e.g., "python_version >= '3.8'"). |
extras | Array<str> | Extras are the optional feature names from the dependency that should be installed. |
PythonPoetryLockExtraEntry
Represents an optional feature group in a Poetry lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the optional feature name (e.g., "dev", "test"). |
dependencies | Array<str> | Dependencies are the package names required when this extra is installed. |
PythonUvLockEntry
Represents a single package entry within a uv.lock file.
| Field Name | Type | Description |
|---|---|---|
index | str | Index is the package repository name where the package should be fetched from. |
dependencies | Array<PythonUvLockDependencyEntry> | Dependencies are the package's runtime dependencies with version constraints. |
extras | Array<PythonUvLockExtraEntry> | Extras are optional feature groups that include additional dependencies. |
PythonUvLockDependencyEntry
Represents a single dependency entry within a uv lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the dependency package name. |
optional | bool | Optional indicates whether this dependency is optional (only needed for certain extras). |
markers | str | Markers are environment marker expressions that conditionally enable the dependency (e.g., "python_version >= '3.8'"). |
extras | Array<str> | Extras are the optional feature names from the dependency that should be installed. |
PythonUvLockExtraEntry
Represents an optional feature group in a uv lock file.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the optional feature name (e.g., "dev", "test"). |
dependencies | Array<str> | Dependencies are the package names required when this extra is installed. |
RDescription
Represents metadata from an R package DESCRIPTION file containing package information, dependencies, and author details.
| Field Name | Type | Description |
|---|---|---|
title | str | Title is short one-line package title |
description | str | Description is detailed package description |
author | str | Author is package author(s) |
maintainer | str | Maintainer is current package maintainer |
url | Array<str> | URL is the list of related URLs |
repository | str | Repository is CRAN or other repository name |
built | str | Built is R version and platform this was built with |
needsCompilation | bool | NeedsCompilation is whether this package requires compilation |
imports | Array<str> | Imports are the packages imported in the NAMESPACE |
depends | Array<str> | Depends are the packages this package depends on |
suggests | Array<str> | Suggests are the optional packages that extend functionality |
RpmArchive
Represents package metadata extracted directly from a .rpm archive file, containing the same information as an RPM database entry.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the RPM package name as found in the RPM database. |
version | str | Version is the upstream version of the package. |
epoch | int \| null | Epoch is the RPM epoch number, which takes precedence over version when ordering packages; null when the package defines no epoch. |
architecture | str | Arch is the target CPU architecture (e.g., "x86_64", "aarch64", "noarch"). |
release | str | Release is the package release number or distribution-specific version suffix. |
sourceRpm | str | SourceRpm is the source RPM filename that was used to build this package. |
signatures | Array<RpmSignature> | Signatures contains GPG signature metadata for package verification. |
size | int | Size is the total installed size of the package in bytes. |
vendor | str | Vendor is the organization that packaged the software. |
modularityLabel | str | ModularityLabel identifies the module stream for modular RPM packages (e.g., "nodejs:12:20200101"). |
provides | Array<str> | Provides lists the virtual packages and capabilities this package provides. |
requires | Array<str> | Requires lists the dependencies required by this package. |
files | Array<RpmFileRecord> | Files are the file records for all files owned by this package. |
RpmFileRecord
Represents the file metadata for a single file attributed to a RPM package.
| Field Name | Type | Description |
|---|---|---|
path | str | Path is the absolute file path where the file is installed. |
mode | int | Mode is the file permission mode bits following Unix stat.h conventions. |
size | int | Size is the file size in bytes. |
digest | Digest | Digest contains the hash algorithm and value for file integrity verification. |
userName | str | UserName is the owner username for the file. |
groupName | str | GroupName is the group name for the file. |
flags | str | Flags indicates the file type (e.g., "%config", "%doc", "%ghost"). |
RpmSignature
Represents a GPG signature for an RPM package used for authenticity verification.
| Field Name | Type | Description |
|---|---|---|
algo | str | PublicKeyAlgorithm is the public key algorithm used for signing (e.g., "RSA"). |
hash | str | HashAlgorithm is the hash algorithm used for the signature (e.g., "SHA256"). |
created | str | Created is the timestamp when the signature was created. |
issuer | str | IssuerKeyID is the GPG key ID that created the signature. |
RpmDbEntry
Represents all captured data from a RPM DB package entry.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the RPM package name as found in the RPM database. |
version | str | Version is the upstream version of the package. |
epoch | int \| null | Epoch is the RPM epoch number, which takes precedence over version when ordering packages; null when the package defines no epoch. |
architecture | str | Arch is the target CPU architecture (e.g., "x86_64", "aarch64", "noarch"). |
release | str | Release is the package release number or distribution-specific version suffix. |
sourceRpm | str | SourceRpm is the source RPM filename that was used to build this package. |
signatures | Array<RpmSignature> | Signatures contains GPG signature metadata for package verification. |
size | int | Size is the total installed size of the package in bytes. |
vendor | str | Vendor is the organization that packaged the software. |
modularityLabel | str | ModularityLabel identifies the module stream for modular RPM packages (e.g., "nodejs:12:20200101"). |
provides | Array<str> | Provides lists the virtual packages and capabilities this package provides. |
requires | Array<str> | Requires lists the dependencies required by this package. |
files | Array<RpmFileRecord> | Files are the file records for all files owned by this package. |
RubyGemspec
Represents all metadata parsed from the *.gemspec file
| Field Name | Type | Description |
|---|---|---|
name | str | Name is gem name as specified in the gemspec |
version | str | Version is gem version as specified in the gemspec |
files | Array<str> | Files is logical list of files in the gem (NOT directly usable as filesystem paths. Example: bundler gem lists "lib/bundler/vendor/uri/lib/uri/ldap.rb" but actual path is "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb". Would need gem installation path, ruby version, and env vars like GEM_HOME to resolve actual paths.) |
authors | Array<str> | Authors are the list of gem authors (stored as array regardless of using `author` or `authors` method in gemspec) |
homepage | str | Homepage is project homepage URL |
RustCargoAuditEntry
Represents Rust crate metadata extracted from a compiled binary using the cargo-auditable format.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is crate name as specified in audit section of the build binary |
version | str | Version is crate version as specified in audit section of the build binary |
source | str | Source is the source registry or repository where this crate came from |
RustCargoLockEntry
Represents a locked dependency from a Cargo.lock file with precise version and checksum information.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is crate name as specified in Cargo.toml |
version | str | Version is crate version as specified in Cargo.toml |
source | str | Source is the source registry or repository URL in format "registry+https://github.com/rust-lang/crates.io-index" for registry packages |
checksum | str | Checksum is content checksum for registry packages only (hexadecimal string). Cargo doesn't require or include checksums for git dependencies. Used to detect MITM attacks by verifying downloaded crate matches lockfile checksum. |
dependencies | Array<str> | Dependencies are the list of dependencies with version constraints |
SnapEntry
Represents metadata for a Snap package extracted from snap.yaml or snapcraft.yaml files.
| Field Name | Type | Description |
|---|---|---|
snapType | str | SnapType indicates the snap type (base, kernel, app, gadget, or snapd). |
base | str | Base is the base snap name that this snap depends on (e.g., "core20", "core22"). |
snapName | str | SnapName is the snap package name. |
snapVersion | str | SnapVersion is the snap package version. |
architecture | str | Architecture is the target CPU architecture (e.g., "amd64", "arm64"). |
SwiftPackageManagerLockEntry
Represents a resolved dependency from a Package.resolved file with its locked version and source location.
| Field Name | Type | Description |
|---|---|---|
revision | str | Revision is git commit hash of the resolved package |
SwiplpackPackage
Represents a SWI-Prolog package from the pack system with metadata about the package and its dependencies.
| Field Name | Type | Description |
|---|---|---|
name | str | Name is the package name as found in the .toml file |
version | str | Version is the package version as found in the .toml file |
author | str | Author is author name |
authorEmail | str | AuthorEmail is author email address |
packager | str | Packager is packager name (if different from author) |
packagerEmail | str | PackagerEmail is packager email address |
homepage | str | Homepage is project homepage URL |
dependencies | Array<str> | Dependencies are the list of required dependencies |
TerraformLockProviderEntry
Represents a single provider entry in a Terraform dependency lock file (.terraform.lock.hcl).
| Field Name | Type | Description |
|---|---|---|
url | str | URL is the provider source address (e.g., "registry.terraform.io/hashicorp/aws"). |
constraints | str | Constraints specifies the version constraints for the provider (e.g., "~> 4.0"). |
version | str | Version is the locked provider version selected during terraform init. |
hashes | Array<str> | Hashes are cryptographic checksums for the provider plugin archives across different platforms. |
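Several of the schema types above carry integrity data a consumer can check: RpmDbEntry/RpmArchive signatures, RustCargoLockEntry checksum, PythonPipfileLockEntry hashes and TerraformLockProviderEntry hashes. The script below, an added example that is not part of Syft, walks the `artifacts` array of a Syft JSON SBOM and reports packages where that field is empty. The `metadataType` string values and the `artifacts[].metadata` layout are assumed from Syft's JSON output; the sample document is constructed inline and is not real scanner output.

```python
"""Audit integrity metadata in a Syft JSON SBOM (added example, not Syft code)."""
import json

# Assumed metadataType values (from Syft JSON output) mapped to the metadata
# field that should carry integrity data for that package type.
INTEGRITY_FIELDS = {
    "rpm-db-entry": "signatures",
    "rpm-archive": "signatures",
    "rust-cargo-lock-entry": "checksum",
    "python-pipfile-lock-entry": "hashes",
    "terraform-lock-provider-entry": "hashes",
}


def missing_integrity(artifact):
    """Return the name of the integrity field that is absent or empty, or None."""
    field = INTEGRITY_FIELDS.get(artifact.get("metadataType", ""))
    if field is None:
        return None  # type carries no integrity data in the schema
    meta = artifact.get("metadata") or {}
    # Cargo omits checksums for git dependencies; only registry crates are expected to have one.
    if field == "checksum" and not str(meta.get("source", "")).startswith("registry+"):
        return None
    if not meta.get(field):
        return field
    return None


def audit_sbom(doc):
    """Return (name, version, metadataType, missing_field) for every weak entry."""
    findings = []
    for art in doc.get("artifacts", []):
        field = missing_integrity(art)
        if field:
            findings.append((art.get("name"), art.get("version"), art.get("metadataType"), field))
    return findings


# Constructed sample shaped like a Syft JSON document; values are made up.
SAMPLE_SBOM = {
    "artifacts": [
        {"name": "openssl-libs", "version": "3.0.7-1", "type": "rpm",
         "metadataType": "rpm-db-entry",
         "metadata": {"signatures": [{"algo": "RSA", "hash": "SHA256",
                                      "created": "2024-01-01", "issuer": "constructed-key-id"}]}},
        {"name": "custom-agent", "version": "1.2.0-1", "type": "rpm",
         "metadataType": "rpm-db-entry", "metadata": {"signatures": []}},
        {"name": "serde", "version": "1.0.197", "type": "rust-crate",
         "metadataType": "rust-cargo-lock-entry",
         "metadata": {"source": "registry+https://github.com/rust-lang/crates.io-index",
                      "checksum": "deadbeef" * 8}},
        {"name": "internal-util", "version": "0.3.0", "type": "rust-crate",
         "metadataType": "rust-cargo-lock-entry",
         "metadata": {"source": "git+https://git.example.internal/util", "checksum": ""}},
        {"name": "requests", "version": "2.31.0", "type": "python",
         "metadataType": "python-pipfile-lock-entry", "metadata": {"index": "pypi", "hashes": []}},
        {"name": "hashicorp/aws", "version": "5.40.0", "type": "terraform",
         "metadataType": "terraform-lock-provider-entry",
         "metadata": {"url": "registry.terraform.io/hashicorp/aws", "hashes": ["h1:constructed-sample-hash"]}},
    ]
}

if __name__ == "__main__":
    # Real use: doc = json.load(open("sbom.json")) from `syft scan ... -o json`
    for name, version, mtype, field in audit_sbom(SAMPLE_SBOM):
        print(f"{name}@{version} ({mtype}): no {field}")
```

Run it against real output with `syft scan <image> -o json > sbom.json` and load that file instead of the sample; the two findings from the sample are the unsigned RPM and the Pipfile.lock entry without hashes, while the git-sourced crate is deliberately not reported.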
WordpressPluginEntry
Represents all metadata parsed from the wordpress plugin file
| Field Name | Type | Description |
|---|---|---|
pluginInstallDirectory | str | PluginInstallDirectory is directory name where the plugin is installed |
author | str | Author is plugin author name |
authorUri | str | AuthorURI is author's website URL |
4 - Grype Command Line Reference
Note
This documentation was generated with Grype version 0.104.0.
A vulnerability scanner for container images, filesystems, and SBOMs.
Supports the following image sources:
grype yourrepo/yourimage:tag defaults to using images from a Docker daemon
grype path/to/yourproject a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
grype podman:yourrepo/yourimage:tag explicitly use the Podman daemon
grype docker:yourrepo/yourimage:tag explicitly use the Docker daemon
grype docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
grype oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Podman or otherwise)
grype oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
grype singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
grype dir:path/to/yourproject read directly from a path on disk (any directory)
grype file:path/to/yourfile read directly from a file on disk
grype sbom:path/to/syft.json read Syft JSON from path on disk
grype registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
grype purl:path/to/purl/file read a newline separated file of package URLs from a path on disk
grype PURL read a single package PURL directly (e.g. pkg:apk/openssl@3.2.1?distro=alpine-3.20.3)
grype CPE read a single CPE directly (e.g. cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*)
You can also pipe in Syft JSON directly:
syft yourimage:tag -o json | grype
Usage:
grype [IMAGE] [flags]
grype [command]
Available Commands:
completion Generate a shell completion for Grype (listing local docker images)
config show the grype configuration
db vulnerability database operations
explain Ask grype to explain a set of findings
help Help about any command
version show version information
Flags:
--add-cpes-if-none generate CPEs for packages with no CPE data
--by-cve orient results by CVE instead of the original vulnerability ID when possible
-c, --config stringArray grype configuration file(s) to use
--distro string distro to match against in the format: <distro>[-:@]<version>
--exclude stringArray exclude paths from being scanned using a glob expression
-f, --fail-on string set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]
--file string file to write the default report output to (default is STDOUT)
--from stringArray specify the source behavior to use (e.g. docker, registry, podman, oci-dir, ...)
-h, --help help for grype
--ignore-states string ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]
--name string set the name of the target being analyzed
--only-fixed ignore matches for vulnerabilities that are not fixed
--only-notfixed ignore matches for vulnerabilities that are fixed
-o, --output stringArray report output formatter, formats=[json table cyclonedx cyclonedx-json sarif template], deprecated formats=[embedded-cyclonedx-vex-json embedded-cyclonedx-vex-xml]
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--profile stringArray configuration profiles to use
-q, --quiet suppress all logging output
-s, --scope string selection of layers to analyze, options=[squashed all-layers deep-squashed] (default "squashed")
--show-suppressed show suppressed/ignored vulnerabilities in the output (only supported with table output format)
--sort-by string sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (default "risk")
-t, --template string specify the path to a Go template file (requires 'template' output to be selected)
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for grype
--vex stringArray a list of VEX documents to consider when producing scanning results
Use "grype [command] --help" for more information about a command.
grype config
Show the grype configuration.
Usage:
grype config [flags]
grype config [command]
Available Commands:
locations shows all locations and the order in which grype will look for a configuration file
Flags:
-h, --help help for config
--load load and validate the grype configuration
grype db check
Check to see if there is a database update available.
Usage:
grype db check [flags]
Flags:
-h, --help help for check
-o, --output string format to display results (available=[text, json]) (default "text")
grype db delete
Delete the vulnerability database.
Usage:
grype db delete [flags]
Flags:
-h, --help help for delete
grype db import
Import a vulnerability database archive from a local FILE or URL.
DB archives can be obtained from "https://grype.anchore.io/databases" (or running db list). If the URL has a checksum query parameter with a fully qualified digest (e.g. 'sha256:abc728...') then the archive/DB will be verified against this value.
Usage:
grype db import FILE | URL [flags]
Flags:
-h, --help help for import
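The checksum check described for `grype db import` is worth reproducing when an archive is staged out of band (for example, mirrored into an air-gapped network) and you want to confirm it before importing. The code below is an added example, not Grype's own implementation: it parses the `checksum` query parameter, requires a fully qualified `algorithm:hex` digest, hashes the archive in chunks and compares in constant time. The archive bytes and URL are constructed inline; the digest in the sample URL is computed here from those bytes.

```python
"""Verify a DB archive against a URL's checksum parameter (added example, not Grype code)."""
import hashlib
import hmac
import string
from urllib.parse import parse_qs, urlparse


def expected_digest(url):
    """Return (algorithm, hex_digest) from the URL's checksum parameter, or None if absent."""
    values = parse_qs(urlparse(url).query).get("checksum")
    if not values:
        return None
    algo, sep, digest = values[0].partition(":")
    if not sep or not digest or not all(c in string.hexdigits for c in digest):
        raise ValueError("checksum must be a fully qualified digest such as sha256:<hex>")
    return algo.lower(), digest.lower()


def verify_bytes(data, url):
    """True on match, False on mismatch, None when the URL carries no checksum."""
    exp = expected_digest(url)
    if exp is None:
        return None
    algo, digest = exp
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported digest algorithm: {algo}")
    # Constant-time comparison so a mismatch does not leak which prefix matched.
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest)


def verify_archive(path, url):
    """Same check for a file on disk, hashed in 1 MiB chunks (DB archives are large)."""
    exp = expected_digest(url)
    if exp is None:
        return None
    algo, digest = exp
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), digest)


# Constructed sample: not a real Grype DB archive; the URL path is made up.
SAMPLE_ARCHIVE = b"constructed sample bytes standing in for a vulnerability-db archive\n"
SAMPLE_URL = ("https://grype.anchore.io/databases/example-db.tar.zst?checksum=sha256:"
              + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest())

if __name__ == "__main__":
    print("sample verifies:", verify_bytes(SAMPLE_ARCHIVE, SAMPLE_URL))
    print("tampered verifies:", verify_bytes(SAMPLE_ARCHIVE + b"x", SAMPLE_URL))
```

A `None` result means the URL carried no checksum at all, which is a different condition from a mismatch and should be treated as "unverified" rather than "ok"; only after `verify_archive` returns True would you hand the file to `grype db import`.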
grype db list
List all DBs available according to the listing URL.
Usage:
grype db list [flags]
Flags:
-h, --help help for list
-o, --output string format to display results (available=[text, raw, json]) (default "text")
grype db providers
List vulnerability providers that are in the database.
Usage:
grype db providers [flags]
Flags:
-h, --help help for providers
-o, --output string format to display results (available=[table, json]) (default "table")
grype db search
Search the DB for vulnerabilities or affected packages.
Usage:
grype db search [flags]
grype db search [command]
Examples:
Search for affected packages by vulnerability ID:
$ grype db search --vuln ELSA-2023-12205
Search for affected packages by package name:
$ grype db search --pkg log4j
Search for affected packages by package name, filtering down to a specific vulnerability:
$ grype db search --pkg log4j --vuln CVE-2021-44228
Search for affected packages by PURL (note: version is not considered):
$ grype db search --pkg 'pkg:rpm/redhat/openssl' # or: '--ecosystem rpm --pkg openssl'
Search for affected packages by CPE (note: version/update is not considered):
$ grype db search --pkg 'cpe:2.3:a:jetty:jetty_http_server:*:*:*:*:*:*:*:*'
$ grype db search --pkg 'cpe:/a:jetty:jetty_http_server'
Available Commands:
vuln Search for vulnerabilities within the DB (supports DB schema v6+ only)
Flags:
--broad-cpe-matching allow for specific package CPE attributes to match with '*' values on the vulnerability
--distro stringArray refine to results with the given operating system (format: 'name', 'name[-:@]version', 'name[-:@]maj.min', 'name[-:@]codename')
--ecosystem string ecosystem of the package to search within
--fixed-state stringArray only show vulnerabilities with the given fix state (fixed, not-fixed, unknown, wont-fix)
-h, --help help for search
--limit int limit the number of results returned, use 0 for no limit (default 5000)
--modified-after string only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD)
-o, --output string format to display results (available=[table, json]) (default "table")
--pkg stringArray package name/CPE/PURL to search for
--provider stringArray only show vulnerabilities from the given provider
--published-after string only show vulnerabilities originally published after the given date (format: YYYY-MM-DD)
--vuln stringArray only show results for the given vulnerability ID
grype db status
Display database status and metadata.
Usage:
grype db status [flags]
Flags:
-h, --help help for status
-o, --output string format to display results (available=[text, json]) (default "text")
grype db update
Download and install the latest vulnerability database.
Usage:
grype db update [flags]
Flags:
-h, --help help for update
grype explain
Ask grype to explain a set of findings.
Usage:
grype explain --id [VULNERABILITY ID] [flags]
Flags:
-h, --help help for explain
--id stringArray CVE IDs to explain
grype version
Show version information.
Usage:
grype version [flags]
Flags:
-h, --help help for version
-o, --output string the format to show the results (allowable: [text json]) (default "text")
5 - Grype Configuration Reference
Note
This documentation was generated with Grype version 0.104.0.
Grype searches for configuration files in the following locations, in order:
./.grype.yaml - current working directory
./.grype/config.yaml - app subdirectory in current working directory
~/.grype.yaml - home directory
$XDG_CONFIG_HOME/grype/config.yaml - XDG config directory
The configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
For general information about how config and environment variables are handled, see the Configuration Reference section.
log:
# suppress all logging output (env: GRYPE_LOG_QUIET)
quiet: false
# explicitly set the logging level (available: [error warn info debug trace]) (env: GRYPE_LOG_LEVEL)
level: "warn"
# file path to write logs to (env: GRYPE_LOG_FILE)
file: ""
dev:
# capture resource profiling data (available: [cpu, mem]) (env: GRYPE_DEV_PROFILE)
profile: ""
db:
# (env: GRYPE_DEV_DB_DEBUG)
debug: false
# the output format of the vulnerability report (options: table, template, json, cyclonedx)
# when using template as the output type, you must also provide a value for 'output-template-file' (env: GRYPE_OUTPUT)
output: []
# if using template output, you must provide a path to a Go template file
# see https://github.com/anchore/grype#using-templates for more information on template output
# the default path to the template file is the current working directory
# output-template-file: .grype/html.tmpl
#
# write output report to a file (default is to write to stdout) (env: GRYPE_FILE)
file: ""
# pretty-print output (env: GRYPE_PRETTY)
pretty: false
# distro to match against in the format: <distro>[-:@]<version> (env: GRYPE_DISTRO)
distro: ""
# generate CPEs for packages with no CPE data (env: GRYPE_ADD_CPES_IF_NONE)
add-cpes-if-none: false
# specify the path to a Go template file (requires 'template' output to be selected) (env: GRYPE_OUTPUT_TEMPLATE_FILE)
output-template-file: ""
# enable/disable checking for application updates on startup (env: GRYPE_CHECK_FOR_APP_UPDATE)
check-for-app-update: true
# ignore matches for vulnerabilities that are not fixed (env: GRYPE_ONLY_FIXED)
only-fixed: false
# ignore matches for vulnerabilities that are fixed (env: GRYPE_ONLY_NOTFIXED)
only-notfixed: false
# ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix] (env: GRYPE_IGNORE_WONTFIX)
ignore-wontfix: ""
# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: GRYPE_PLATFORM)
platform: ""
search:
# selection of layers to analyze, options=[squashed all-layers deep-squashed] (env: GRYPE_SEARCH_SCOPE)
scope: "squashed"
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
# note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_UNINDEXED_ARCHIVES)
unindexed-archives: false
# search within archives that do contain a file index to search against (zip)
# note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_INDEXED_ARCHIVES)
indexed-archives: true
# A list of vulnerability ignore rules, one or more property may be specified and all matching vulnerabilities will be ignored.
# This is the full set of supported rule fields:
# - vulnerability: CVE-2008-4318
# fix-state: unknown
# package:
# name: libcurl
# version: 1.5.1
# type: npm
# location: "/usr/local/lib/node_modules/**"
#
# VEX fields apply when Grype reads vex data:
# - vex-status: not_affected
# vex-justification: vulnerable_code_not_present
ignore: []
# a list of globs to exclude from scanning, for example:
# - '/etc/**'
# - './out/**/*.json'
# same as --exclude (env: GRYPE_EXCLUDE)
exclude: []
external-sources:
# enable Grype searching network source for additional information (env: GRYPE_EXTERNAL_SOURCES_ENABLE)
enable: false
maven:
# search for Maven artifacts by SHA1 (env: GRYPE_EXTERNAL_SOURCES_MAVEN_SEARCH_MAVEN_UPSTREAM)
search-maven-upstream: true
# base URL of the Maven repository to search (env: GRYPE_EXTERNAL_SOURCES_MAVEN_BASE_URL)
base-url: "https://search.maven.org/solrsearch/select"
# (env: GRYPE_EXTERNAL_SOURCES_MAVEN_RATE_LIMIT)
rate-limit: 300ms
match:
java:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVA_USING_CPES)
using-cpes: false
jvm:
# (env: GRYPE_MATCH_JVM_USING_CPES)
using-cpes: true
dotnet:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_DOTNET_USING_CPES)
using-cpes: false
golang:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_GOLANG_USING_CPES)
using-cpes: false
# use CPE matching to find vulnerabilities for the Go standard library (env: GRYPE_MATCH_GOLANG_ALWAYS_USE_CPE_FOR_STDLIB)
always-use-cpe-for-stdlib: true
# allow comparison between main module pseudo-versions (e.g. v0.0.0-20240413-2b432cf643...) (env: GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON)
allow-main-module-pseudo-version-comparison: false
javascript:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVASCRIPT_USING_CPES)
using-cpes: false
python:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_PYTHON_USING_CPES)
using-cpes: false
ruby:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUBY_USING_CPES)
using-cpes: false
rust:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUST_USING_CPES)
using-cpes: false
stock:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_STOCK_USING_CPES)
using-cpes: true
# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical) (env: GRYPE_FAIL_ON_SEVERITY)
fail-on-severity: ""
registry:
# skip TLS verification when communicating with the registry (env: GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
insecure-skip-tls-verify: false
# use http instead of https when connecting to the registry (env: GRYPE_REGISTRY_INSECURE_USE_HTTP)
insecure-use-http: false
# Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
# - authority: the registry authority URL the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) (env: SYFT_REGISTRY_AUTH_AUTHORITY)
# username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
# password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
# token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
# tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
# tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
auth: []
# filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: GRYPE_REGISTRY_CA_CERT)
ca-cert: ""
# show suppressed/ignored vulnerabilities in the output (only supported with table output format) (env: GRYPE_SHOW_SUPPRESSED)
show-suppressed: false
# orient results by CVE instead of the original vulnerability ID when possible (env: GRYPE_BY_CVE)
by-cve: false
# sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (env: GRYPE_SORT_BY)
sort-by: "risk"
# same as --name; set the name of the target being analyzed (env: GRYPE_NAME)
name: ""
# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman (env: GRYPE_DEFAULT_IMAGE_PULL_SOURCE)
default-image-pull-source: ""
# specify the source behavior to use (e.g. docker, registry, podman, oci-dir, ...) (env: GRYPE_FROM)
from: []
# a list of VEX documents to consider when producing scanning results (env: GRYPE_VEX_DOCUMENTS)
vex-documents: []
# VEX statuses to consider as ignored rules (env: GRYPE_VEX_ADD)
vex-add: []
# match kernel-header packages with upstream kernel as kernel vulnerabilities (env: GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS)
match-upstream-kernel-headers: false
fix-channel:
redhat-eus:
# whether fixes from this channel should be considered, options are "never", "always", or "auto" (conditionally applied based on SBOM data) (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_APPLY)
apply: "auto"
# (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_VERSIONS)
versions: ">= 8.0"
# (env: GRYPE_TIMESTAMP)
timestamp: true
db:
# location to write the vulnerability database cache (env: GRYPE_DB_CACHE_DIR)
cache-dir: "~/.cache/grype/db"
# URL of the vulnerability database (env: GRYPE_DB_UPDATE_URL)
update-url: "https://grype.anchore.io/databases"
# certificate to trust download the database and listing file (env: GRYPE_DB_CA_CERT)
ca-cert: ""
# check for database updates on execution (env: GRYPE_DB_AUTO_UPDATE)
auto-update: true
# validate the database matches the known hash each execution (env: GRYPE_DB_VALIDATE_BY_HASH_ON_START)
validate-by-hash-on-start: true
# ensure db build is no older than the max-allowed-built-age (env: GRYPE_DB_VALIDATE_AGE)
validate-age: true
# Max allowed age for vulnerability database,
# age being the time since it was built
# Default max age is 120h (or five days) (env: GRYPE_DB_MAX_ALLOWED_BUILT_AGE)
max-allowed-built-age: 120h0m0s
# fail the scan if unable to check for database updates (env: GRYPE_DB_REQUIRE_UPDATE_CHECK)
require-update-check: false
# Timeout for downloading GRYPE_DB_UPDATE_URL to see if the database needs to be downloaded
# This file is ~156KiB as of 2024-04-17 so the download should be quick; adjust as needed (env: GRYPE_DB_UPDATE_AVAILABLE_TIMEOUT)
update-available-timeout: 30s
# Timeout for downloading actual vulnerability DB
# The DB is ~156MB as of 2024-04-17 so slower connections may exceed the default timeout; adjust as needed (env: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT)
update-download-timeout: 5m0s
# Maximum frequency to check for vulnerability database updates (env: GRYPE_DB_MAX_UPDATE_CHECK_FREQUENCY)
max-update-check-frequency: 2h0m0s
exp:
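The `ignore` rule fields and `fail-on-severity` setting in the configuration above decide whether a CI scan passes, so it is useful to be able to replay that decision offline against a saved report. The script below is an added example, not Grype's implementation: a simplified reading of those semantics in which every property a rule specifies must match a finding, any matching rule suppresses it, and the exit code is then derived from the highest remaining severity. It assumes the report layout of Grype's JSON output (`matches[].vulnerability`, `matches[].artifact`), approximates `**` globs with fnmatch (where `*` also crosses `/`), and does not handle the VEX rule fields. The report and rule are constructed inline, reusing the page's own example values.

```python
"""Replay Grype ignore rules and fail-on severity over a report (added example, not Grype code)."""
from fnmatch import fnmatch

# Severity order used by fail-on-severity, lowest to highest.
SEVERITIES = ["negligible", "low", "medium", "high", "critical"]


def rule_matches(rule, match):
    """True when every property the rule specifies matches this finding.

    A rule with no properties matches everything, so validate rules before use.
    """
    vuln = match["vulnerability"]
    art = match["artifact"]
    pkg = rule.get("package", {})
    paths = [loc.get("path", "") for loc in art.get("locations", [])]
    mismatches = [
        "vulnerability" in rule and rule["vulnerability"] != vuln.get("id"),
        "fix-state" in rule and rule["fix-state"] != vuln.get("fix", {}).get("state"),
        "name" in pkg and pkg["name"] != art.get("name"),
        "version" in pkg and pkg["version"] != art.get("version"),
        "type" in pkg and pkg["type"] != art.get("type"),
        # fnmatch approximation of the doublestar glob: '*' already spans '/'
        "location" in pkg and not any(fnmatch(p, pkg["location"]) for p in paths),
    ]
    return not any(mismatches)


def apply_ignore(report, rules):
    """Split report matches into (kept, ignored); any matching rule ignores a finding."""
    kept, ignored = [], []
    for m in report.get("matches", []):
        (ignored if any(rule_matches(r, m) for r in rules) else kept).append(m)
    return kept, ignored


def exit_code(matches, fail_on):
    """1 if any remaining match is at or above fail_on, else 0.

    fail_on=None disables the check; unknown severities never trip it.
    """
    if fail_on is None:
        return 0
    threshold = SEVERITIES.index(fail_on.lower())
    for m in matches:
        sev = m["vulnerability"].get("severity", "").lower()
        if sev in SEVERITIES and SEVERITIES.index(sev) >= threshold:
            return 1
    return 0


# Constructed report shaped like Grype JSON; the findings are sample data, not scan results.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-2008-4318", "severity": "High", "fix": {"state": "unknown"}},
     "artifact": {"name": "libcurl", "version": "1.5.1", "type": "npm",
                  "locations": [{"path": "/usr/local/lib/node_modules/libcurl/package.json"}]}},
    {"vulnerability": {"id": "CVE-2008-4318", "severity": "High", "fix": {"state": "unknown"}},
     "artifact": {"name": "libcurl", "version": "1.5.1", "type": "npm",
                  "locations": [{"path": "/opt/app/node_modules/libcurl/package.json"}]}},
    {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical", "fix": {"state": "fixed"}},
     "artifact": {"name": "log4j-core", "version": "2.14.1", "type": "java-archive",
                  "locations": [{"path": "/app/lib/log4j-core-2.14.1.jar"}]}},
]}

# The full-field ignore rule from the configuration reference, as a dict.
RULES = [{"vulnerability": "CVE-2008-4318", "fix-state": "unknown",
          "package": {"name": "libcurl", "version": "1.5.1", "type": "npm",
                      "location": "/usr/local/lib/node_modules/**"}}]

if __name__ == "__main__":
    kept, ignored = apply_ignore(SAMPLE_REPORT, RULES)
    print(f"ignored {len(ignored)}, kept {len(kept)}, exit code {exit_code(kept, 'critical')}")
```

Against the sample, the rule suppresses only the libcurl copy under `/usr/local/lib/node_modules/` (the `/opt/app` copy fails the location glob), and the remaining Critical log4j finding still produces exit code 1; adding a bare `fix-state: fixed` rule would suppress it, which is the same effect as `--only-notfixed` and a reminder that loose rules hide real findings.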
6 - Grant Command Line Reference
Note
This documentation was generated with Grant version 0.5.1.
Grant helps you view licenses for container images, SBOM documents, and filesystems. Apply filters and views that can help you build a picture of licenses in your SBOM.
Usage:
grant [command]
Available Commands:
check Check license compliance for one or more targets
completion Generate the autocompletion script for the specified shell
config Generate a comprehensive configuration file
help Help about any command
list List licenses found in one or more targets
version Show the version information for grant
Flags:
-c, --config string path to configuration file
-h, --help help for grant
--no-output suppress terminal output when writing to file
-o, --output string output format (table, json) (default "table")
-f, --output-file string write JSON output to file (sets output format to json)
-q, --quiet suppress all non-essential output
-v, --verbose enable verbose output
--version version for grant
Use "grant [command] --help" for more information about a command.
grant check
Check evaluates license compliance for container images, SBOMs, filesystems, and files.
Targets can be:
Container images: alpine:latest, ubuntu:22.04
SBOM files: path/to/sbom.json, path/to/sbom.xml
Directories: dir:./project, ./my-app
Archive files: project.tar.gz, source.zip
License files: LICENSE, COPYING
Stdin: - (reads SBOM from stdin)
Exit codes:
0: All targets are compliant
1: One or more targets are non-compliant or an error occurred.
Usage:
grant check [TARGET...] [flags]
Flags:
--disable-file-search disable filesystem license file search
--dry-run run check without returning non-zero exit code on violations
-h, --help help for check
--summary show only summary information
--unlicensed show only packages without licenses
grant config
Generate a complete YAML configuration file with all available Grant options.
This command outputs a comprehensive configuration file that includes:
License policy options (allow lists, ignore patterns)
Command-line options with defaults
Detailed comments explaining each option
The generated configuration can be saved to a file and customized as needed.
Usage:
grant config [flags]
Flags:
-h, --help help for config
-o, --output string output file path (default: stdout)
grant list
List shows all licenses found in container images, SBOMs, filesystems, and files
without applying policy evaluation.
Targets can be:
Container images: alpine:latest, ubuntu:22.04
SBOM files: path/to/sbom.json, path/to/sbom.xml
Directories: dir:./project, ./my-app
Archive files: project.tar.gz, source.zip
License files: LICENSE, COPYING
Stdin: - (reads SBOM from stdin)
When no target is specified and stdin is available (piped input), grant will
automatically read from stdin. This allows usage like:
syft -o json dir:. | grant list Apache-2.0
License filtering:
If license names are provided as additional arguments, only packages with those
specific licenses will be shown. For example:
grant list dir:. "MIT" "Apache-2.0"
syft -o json dir:. | grant list "MIT" "Apache-2.0"
This command always returns exit code 0 unless there are processing errors.
Usage:
grant list [TARGET] [LICENSE...] [flags]
Flags:
--disable-file-search disable filesystem license file search
--group-by string group results by specified field (risk)
-h, --help help for list
--pkg string show detailed information for a specific package (requires license filter)
--unlicensed show only packages without licenses
grant version
Show the version information for grant.
Usage:
grant version [flags]
Flags:
-h, --help help for version
7 - Data sources
The following are a list of data sources used to directly match packages to vulnerabilities in Grype:
| Data Source | Vunnel Provider | Ecosystems |
|---|---|---|
| AlmaLinux OSV Database | alma | RPM |
| Alpine SecDB | alpine | APK |
| Amazon Linux Security Center | amazon | RPM |
| Microsoft AzureLinux OVAL | mariner | RPM |
| Bitnami Vulnerability Database | bitnami | Bitnami |
| Chainguard Security | chainguard | APK |
| Chainguard Libraries (OpenVEX) | chainguard_libraries | |
| Debian Security Tracker | debian | DPKG |
| ECHO Security | echo | DPKG |
| GitHub Security Advisories | github | .NET, GitHub Actions, Go, Java, JavaScript, Python, Ruby, Rust |
| Microsoft CBL-Mariner OVAL | mariner | RPM |
| MINIMOS Security | minimos | APK |
| National Vulnerability Database (NVD) | nvd | .NET, APK, Go, Java, JavaScript, Python, Ruby, Rust |
| Oracle Linux Security | oracle | RPM |
| Red Hat Security Data API | rhel | RPM |
| SUSE Security OVAL | sles | RPM |
| Ubuntu CVE Tracker | ubuntu | DPKG |
| Wolfi Security | wolfi | APK |
Capabilities
Here are the capabilities of each data source as Grype uses them:
What do these columns mean?
For a detailed explanation of the columns in the table, please see the Capabilities overview.
| Data Source | Advisories | Disclosures: Affected | Disclosures: Date | Fixes: Versions | Fixes: Date | Track by Source Package |
|---|---|---|---|---|---|---|
| AlmaLinux OSV Database | ALSA | |||||
| Alpine SecDB | ||||||
| Amazon Linux Security Center | ALAS | |||||
| Microsoft AzureLinux OVAL | ||||||
| Bitnami Vulnerability Database | ||||||
| Chainguard Security | CGA | |||||
| Chainguard Libraries (OpenVEX) | CGA | |||||
| Debian Security Tracker | DSA | |||||
| ECHO Security | ECHO | |||||
| GitHub Security Advisories | GHSA | |||||
| Microsoft CBL-Mariner OVAL | ||||||
| MINIMOS Security | ||||||
| National Vulnerability Database (NVD) | CVE | |||||
| Oracle Linux Security | ELSA | |||||
| Red Hat Security Data API | RHSA | |||||
| SUSE Security OVAL | SUSE-SU | |||||
| Ubuntu CVE Tracker | USN | |||||
| Wolfi Security | CGA | |||||
Auxiliary data
We additionally have auxiliary data sources that are used to enhance vulnerability matching in Grype:
| Data Source | Vunnel Provider | Description |
|---|---|---|
| Exploit Prediction Scoring System | epss | Data-driven effort by FIRST to predict the likelihood that a software vulnerability will be exploited. Provides daily-updated probability scores (0-1) and percentile rankings for CVE prioritization. |
| CISA Known Exploited Vulnerabilities | kev | CISA's authoritative catalog of vulnerabilities known to be actively exploited in the wild. Provides exploitation status, required remediation actions, due dates, and ransomware campaign associations. |
These sources are cross-cutting in nature and are not tied to a specific distribution or ecosystem (though they primarily enrich information about CVEs specifically).
8 - Grant Configuration Reference
Note
This documentation was generated with Grant version 0.5.1.
Grant searches for configuration files in the following locations, in order:
- ./.grant.yaml - current working directory
- ./.grant/config.yaml - app subdirectory in current working directory
- ~/.grant.yaml - home directory
- $XDG_CONFIG_HOME/grant/config.yaml - XDG config directory
The configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
For general information about how config and environment variables are handled, see the Configuration Reference section.
# Grant License Compliance Configuration
# Complete configuration file with all available options
# See: https://github.com/anchore/grant
format: table # Output format: "table" or "json" (default: "table")
quiet: false # Suppress all non-essential output (default: false)
verbose: false # Enable verbose output (default: false)
# List of allowed license patterns (supports glob matching)
# Default behavior: DENY all licenses except those explicitly permitted
allow:
- MIT
- Apache-2.0
- BSD-3-Clause
# List of package patterns to ignore from license checking
# Supports glob patterns for flexible matching
ignore-packages: []
# Add package patterns to ignore here
# Examples:
# - "github.com/mycompany/*"
# - "internal/*"
# Policy enforcement options
require-license: true # When true, deny packages with no detected licenses
require-known-license: false # When true, deny non-SPDX / unparsable licenses
# ============================================================================
# COMMAND-SPECIFIC OPTIONS
# ============================================================================
disable-file-search: false # Disable filesystem license file search
summary: false # Show only summary information for check command
# Show only packages without licenses (default: false)
only-unlicensed: false # maps to grant check --unlicensed || grant list --unlicensed
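To show how the allow list, ignore-packages, require-license and require-known-license options interact, here is an added example that is not Grant's own code: a deliberately simplified model of the documented rules, using fnmatch-style glob matching and a bare SPDX-identifier heuristic (both assumptions) over constructed sample packages.

```python
"""Added example, not Grant's own code: a simplified model of how the
options in the configuration above interact when packages are checked.
Grant's real evaluation (license expressions, SPDX parsing) is richer;
this applies only the documented rules. Sample packages are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import re

# Assumption: a license is "known" when it looks like a bare SPDX short
# identifier; compound expressions ("MIT OR Apache-2.0") are not modelled.
SPDX_ID = re.compile(r"^[A-Za-z0-9.+-]+$")


@dataclass
class Policy:  # mirrors the allow / ignore-packages / require-* keys above
    allow: list[str]
    ignore_packages: list[str] = field(default_factory=list)
    require_license: bool = True
    require_known_license: bool = False


@dataclass
class Package:
    name: str
    licenses: list[str]


def evaluate(pkg: Package, policy: Policy) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ignored', 'allowed' or 'denied'."""
    if any(fnmatchcase(pkg.name, pat) for pat in policy.ignore_packages):
        return "ignored", "matches ignore-packages"
    if not pkg.licenses:
        if policy.require_license:
            return "denied", "no license detected (require-license: true)"
        return "allowed", "no license detected (require-license: false)"
    for lic in pkg.licenses:  # simplification: every listed license must pass
        if policy.require_known_license and not SPDX_ID.match(lic):
            return "denied", f"unparsable license {lic!r} (require-known-license)"
        # Default behaviour: deny every license not explicitly permitted.
        if not any(fnmatchcase(lic, pat) for pat in policy.allow):
            return "denied", f"license {lic!r} is not in the allow list"
    return "allowed", "all licenses permitted"


def check(packages: list[Package], policy: Policy) -> int:
    """Exit code as documented for grant check: 0 if compliant, else 1."""
    return 0 if all(evaluate(p, policy)[0] != "denied" for p in packages) else 1
```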
9 - Configuration Rules
All Anchore open source tools (Syft, Grype, Grant) share the same configuration system. This guide explains how to configure these tools using command-line flags, environment variables, and configuration files.
Configuration precedence
When you configure a tool, settings are applied in a specific order. If the same setting is specified in multiple places, the tool uses the value from the highest-priority source:
- Command-line arguments (highest priority)
- Environment variables
- Explicit config file (-c PATH or --config PATH)
- Auto-discovered configuration file
- Default values (lowest priority)
For example, if you set the log level using all three methods, the command-line flag overrides the environment variable, which overrides the config file value.
Tip
Running a tool with -vv log level prints the entire active configuration at startup, showing you exactly which values are being used.
Viewing your configuration
To see available configuration options and current settings:
- syft --help: shows all command-line flags
- syft config: prints a complete sample configuration file
- syft config --load: displays your current active configuration
Replace syft with the tool you’re using (grype, grant, etc.).
Specifying a configuration file
You can explicitly specify a configuration file using the -c or --config flag,
which overrides the auto-discovery behavior.
syft alpine:latest -c /path/to/config.yaml
grype alpine:latest --config ~/.grype-custom.yaml
grant check . -c ./grant-config.yaml
Syft and Grype support multiple configuration files by specifying the flag multiple times:
syft alpine:latest -c base.yaml -c overrides.yaml
When multiple files are specified, individual settings from later files override earlier ones.
Using environment variables
Every configuration option can be set via environment variable. The variable name follows the path to the setting in the configuration file.
Example: To enable pretty-printed JSON output, the config file setting is:
format:
json:
pretty: true
The path from root to this value is format → json → pretty, so the environment variable is:
export SYFT_FORMAT_JSON_PRETTY=true
The pattern is: <TOOL>_<PATH>_<TO>_<SETTING> where:
- <TOOL> is the uppercase tool name (SYFT, GRYPE, GRANT)
- Path segments are joined with underscores
- All letters are uppercase
More examples:
# Set log level to debug
export SYFT_LOG_LEVEL=debug
# Configure output format
export GRYPE_OUTPUT=json
# Set registry credentials
export SYFT_REGISTRY_AUTH_USERNAME=myuser
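The two rules described above (the precedence order and the environment-variable naming pattern) as an added example, not code from the Anchore tools: env_var_name derives the variable name for any config path, and resolve picks the effective value from CLI flags, environment, explicit -c files, an auto-discovered file and a default. The dotted-path keying of CLI flags and all sample values are assumptions.

```python
"""Added example (not part of the Anchore docs or tools): derive the
environment-variable name for a config path and resolve a setting through
the documented precedence order. All sample values are constructed."""
from __future__ import annotations
from typing import Any, Mapping, Sequence

MISSING = object()  # sentinel: the path is absent from a config file


def env_var_name(tool: str, path: Sequence[str]) -> str:
    """<TOOL>_<PATH>_<TO>_<SETTING>: segments joined with underscores and
    upper-cased; hyphens in keys become underscores, as in the Grype
    example db.max-allowed-built-age -> GRYPE_DB_MAX_ALLOWED_BUILT_AGE."""
    segments = [tool] + [seg.replace("-", "_") for seg in path]
    return "_".join(seg.upper() for seg in segments)


def lookup(config: Mapping[str, Any], path: Sequence[str]) -> Any:
    """Walk a nested config mapping; return MISSING if any segment is absent."""
    node: Any = config
    for key in path:
        if not isinstance(node, Mapping) or key not in node:
            return MISSING
        node = node[key]
    return node


def resolve(tool: str, path: Sequence[str], *, cli: Mapping[str, Any],
            env: Mapping[str, str], explicit_files: Sequence[Mapping[str, Any]],
            discovered: Mapping[str, Any] | None, default: Any) -> tuple[Any, str]:
    """Return (value, source): CLI flag > environment variable > explicit -c
    files (later files override earlier ones) > auto-discovered file > default.
    CLI flags are keyed by dotted path, e.g. {"log.level": "debug"} (assumption)."""
    dotted = ".".join(path)
    if dotted in cli:
        return cli[dotted], "cli"
    name = env_var_name(tool, path)
    if name in env:
        return env[name], "env:" + name
    # Later -c files win, so consult them in reverse order.
    for idx in range(len(explicit_files) - 1, -1, -1):
        value = lookup(explicit_files[idx], path)
        if value is not MISSING:
            return value, f"explicit-file[{idx}]"
    if discovered is not None:
        value = lookup(discovered, path)
        if value is not MISSING:
            return value, "discovered-file"
    return default, "default"
```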
Configuration file auto-discovery
When you don’t specify a configuration file with -c, the tool automatically searches for one.
Configuration files use YAML format. The tool searches these locations in order and uses the first file it finds:
- .syft.yaml (in current directory)
- .syft/config.yaml (in current directory)
- ~/.syft.yaml (in home directory)
- <XDG_CONFIG_HOME>/syft/config.yaml (typically ~/.config/syft/config.yaml)
Replace syft with your tool name (grype, grant, etc.).