Getting Started

What is an SBOM?

A Software Bill of Materials (SBOM) is a detailed list of all libraries and components that make up software.

• For developers, it’s crucial for tracking dependencies, identifying vulnerabilities, and ensuring license compliance.

• For organizations, it provides transparency into the software supply chain to assess security risks.

Syft is a CLI tool for generating an SBOM from container images and filesystems.

Installation

Syft is provided as a single compiled executable and requires no external dependencies to run. Run the command for your platform to download the latest release.

• Platform:
• Linux (and macOS)
• macOS
• Windows

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin

brew install syft

nuget install Anchore.Syft

Check out installation guide for full list of official and community-maintained packaging options.

Find packages within a container image

Run syft against a small container image; the output will be a simple human-readable table of the installed packages found:

syft alpine:latest

NAME                    VERSION      TYPE
alpine-baselayout       3.6.8-r1     apk
alpine-baselayout-data  3.6.8-r1     apk
alpine-keys             2.5-r0       apk
alpine-release          3.21.3-r0    apk
apk-tools               2.14.6-r3    apk
busybox                 1.37.0-r12   apk
busybox-binsh           1.37.0-r12   apk
...

Create an industry-standard SBOM

This command will display the human-readable table and write SBOMs in both SPDX and CycloneDX formats, the two primary industry standards.

syft alpine:latest \                 # what we're scanning
  -o table \                         # a human-readable table to stdout
  -o spdx-json=alpine.spdx.json \    # SPDX-JSON formatted SBOM to a file
  -o cyclonedx-json=alpine.cdx.json  # CycloneDX-JSON formatted SBOM to a file

The same table will be displayed, and two SBOM files will be created in the current directory.

Examine the SBOM file contents

We can use jq to extract specific package data from the SBOM files (by default Syft outputs JSON on a single line, but you can enable pretty-printing with the SYFT_FORMAT_PRETTY=true environment variable). Both formats structure package information differently:

SPDX format:

jq '.packages[].name' alpine.spdx.json

CycloneDX format:

jq '.components[].name' alpine.cdx.json

Both commands show the packages that Syft found in the container image:

"alpine-baselayout"
"alpine-baselayout-data"
"alpine-keys"
"alpine-release"
"apk-tools"
"busybox"
"busybox-binsh"
...

By default, Syft shows only software visible in the final container image (the “squashed” representation). To include software from all image layers, regardless of its presence in the final image, use --scope all-layers:

syft <image> --scope all-layers

FAQ

Does Syft need internet access?

Only for downloading container images. By default, scanning works offline.

What about private container registries?

Syft supports authentication for private registries. See Private Registries.

Can I use Syft in CI/CD pipelines?

Absolutely! Syft is designed for automation. Generate SBOMs during builds and scan them for vulnerabilities.

What data does Syft send externally?

Nothing. Syft runs entirely locally and doesn’t send any data to external services.

Next steps

Now that you’ve generated your first SBOM, here are additional resources:

• Scan for vulnerabilities: Use Grype to find security issues in your SBOMs
• Check licenses: Learn about License Scanning to understand dependency licenses
• Customize output: Explore different Output Formats for various tools and workflows
• Query SBOM data: Master Working with Syft JSON for advanced data extraction