
Installation

Official and community maintained packages of Anchore OSS Tools

1 - Syft

Installing Syft

Official builds

The Anchore OSS team publish official source archives and binary builds of Syft for Linux, macOS and Windows. There are also numerous community-maintained builds of the tools for different platforms.

Installer script

Syft binaries are provided for Linux, macOS and Windows.

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)

Updating Syft

Syft checks for new versions on launch. It will print a message at the end of the output if the version in use is not the latest.

A newer version of syft is available for download: 1.20.0 (installed version is 1.19.2)

Docker container

docker pull anchore/syft

GitHub releases

  • Download the file for your operating system and architecture from the GitHub releases page
  • In the case of .deb or .rpm, install them using your package manager
  • For compressed archives, unpack the file, and copy the syft binary to a folder in your path such as /usr/local/bin

Community builds of syft

Alpine Linux

apk add syft

Thanks to Michał Polański for maintaining this package.

Chocolatey

choco install syft -y

Homebrew

brew tap anchore/syft
brew install syft

Thanks to the Syft community for maintaining this package.

Kali Linux

sudo apt install syft

Thanks to Sophie Brun for maintaining this package.

Nix

Syft has been available in the stable channel since NixOS 22.05.

nix-env -i syft

Alternatively, just try it out in an ephemeral nix shell.

nix-shell -p syft

Scoop

scoop install syft

WinGet

nuget install Anchore.syft

Thanks to Alan Pope for maintaining this package.

Snapcraft

snap install syft

Thanks to Alan Pope for maintaining this package.

2 - Grype

Installing Grype

Official builds

The Anchore OSS team publish official source archives and binary builds of Grype for Linux, macOS and Windows. There are also numerous community-maintained builds of the tools for different platforms.

Installer script

Grype binaries are provided for Linux, macOS and Windows.

curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)

Updating Grype

Grype checks for new versions on launch. It will print a message at the end of the output if the version in use is not the latest.

A newer version of grype is available for download: 0.92.0 (installed version is 0.91.2)

Docker container

docker pull anchore/grype

GitHub releases

  • Download the file for your operating system and architecture from the GitHub releases page
  • In the case of .deb or .rpm, install them using your package manager
  • For compressed archives, unpack the file, and copy the grype binary to a folder in your path such as /usr/local/bin

Community builds of Grype

Arch Linux

sudo pacman -S grype-bin

Homebrew

brew tap anchore/grype
brew install grype

MacPorts

sudo port install grype

NuGet

nuget install Anchore.Grype

Snapcraft

snap install grype

3 - Grant

Installing Grant

Official builds

The Anchore OSS team publish official source archives and binary builds for Linux and macOS. There are also some community-maintained builds of the tools for different platforms.

Installer script

Grant binaries are provided for Linux and macOS.

curl -sSfL https://get.anchore.io/grant | sudo sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)

GitHub releases

  • Download the file for your operating system and architecture from the GitHub releases page
  • In the case of .deb or .rpm, install them using your package manager
  • For compressed archives, unpack the file, and copy the grant binary to a folder in your path such as /usr/local/bin

Community builds of grant

Homebrew

brew tap anchore/grant
brew install grant

4 - Verifying Downloads

Verifying release assets after downloading

Why verify downloads?

Verifying your downloads ensures that:

  • The files haven’t been tampered with during transit
  • You’re installing authentic Anchore software
  • Your supply chain is secure from the start

All release artifacts include checksums, and the checksum file itself is cryptographically signed using cosign for verification.

Prerequisites

Before verifying downloads, you need:

  • The binary you want to verify (see Installation)
  • Cosign installed (for signature verification)

Note: Checksum verification doesn’t require additional tools beyond your operating system’s built-in utilities.

Cosign signature verification

This method verifies that your download is both authentic (from Anchore) and hasn’t been tampered with.

Step 1: Download the files

Download your tool binary and the verification files from the appropriate GitHub releases page.

You’ll need:

  • The binary file (e.g., syft_1.23.1_darwin_arm64.tar.gz)
  • checksums.txt
  • checksums.txt.pem
  • checksums.txt.sig

Step 2: Verify the signature

Use cosign to verify the checksum file’s signature:

cosign verify-blob <path to checksums.txt> \
  --certificate <path to checksums.txt.pem> \
  --signature <path to checksums.txt.sig> \
  --certificate-identity-regexp 'https://github\.com/anchore/<tool-name>/\.github/workflows/.+' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Replace <tool-name> with syft, grype, or grant depending on which tool you’re verifying.

Expected output on success:

Verified OK

Step 3: Verify the checksum

Once the signature is confirmed as valid, verify that the SHA256 checksum matches your downloaded file:

sha256sum --ignore-missing -c checksums.txt

Expected output on success:

<your-binary-file>: OK

Complete example

Here’s a complete example verifying Syft v1.23.1 for macOS ARM64:

Download the files:

# Download the binary
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_darwin_arm64.tar.gz

# Download verification files
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt.pem
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt.sig

Verify the signature:

cosign verify-blob ./syft_1.23.1_checksums.txt \
  --certificate ./syft_1.23.1_checksums.txt.pem \
  --signature ./syft_1.23.1_checksums.txt.sig \
  --certificate-identity-regexp 'https://github\.com/anchore/syft/\.github/workflows/.+' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Output:

Verified OK

Verify the checksum:

sha256sum --ignore-missing -c syft_1.23.1_checksums.txt

Output:

syft_1.23.1_darwin_arm64.tar.gz: OK

Checksum verification

If you can’t use cosign, you can verify checksums manually. This verifies file integrity but not authenticity.

Step 1: Download the files

Download your tool binary and the checksums file:

# Example for Syft v1.23.1
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_darwin_arm64.tar.gz
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt

Step 2: Verify the checksum

sha256sum --ignore-missing -c syft_1.23.1_checksums.txt

Expected output:

syft_1.23.1_darwin_arm64.tar.gz: OK

Troubleshooting

Verification failed

If cosign verification fails, check these common issues:

  • Mismatched certificate identity: Ensure you’re using the correct tool name (syft, grype, or grant) in the certificate identity pattern
  • Outdated cosign: Update to the latest version of cosign
  • Network connectivity: Cosign requires internet access to verify against transparency logs
  • Corrupted download: Try downloading the verification files again

Checksum doesn’t match

If the checksum verification fails:

  • Download again: The file may have been corrupted during download
  • Check the filename: Ensure you’re comparing the checksum for the correct file (right version, architecture, and tool)
  • Do not proceed: A mismatched checksum indicates a potential security issue or corruption

Platform-specific issues

macOS:

  • If you get a “command not found” error for sha256sum, use shasum -a 256 instead
  • Example: shasum -a 256 syft_1.23.1_darwin_arm64.tar.gz

Windows:

  • Use PowerShell’s Get-FileHash command:

    Get-FileHash .\syft_1.23.1_windows_amd64.zip -Algorithm SHA256

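The two-step procedure above (cosign signature on the checksums file, then the SHA-256 of the asset) as one small POSIX shell script, added here as an example and not a script shipped by Anchore. It assumes cosign is on PATH for the signature step, picks shasum -a 256 on macOS where sha256sum is missing, and, unlike sha256sum --ignore-missing, fails when the asset is not listed at all; the function names are the example's own.

```shell
#!/bin/sh
# verify_release.sh (added example; not an Anchore script). Verifies a downloaded
# release asset the way the steps above describe: cosign signature on the
# checksums file first, then the SHA-256 of the asset. Assumes cosign is on PATH
# for the signature step; falls back to shasum -a 256 where sha256sum is absent.
set -eu

# Print the SHA-256 hex digest of a file, using whichever tool the OS provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the digest listed for NAME ($2) in a checksums file ($1). Fails if NAME
# is absent, which "sha256sum --ignore-missing" would otherwise pass over silently.
expected_digest() {
  awk -v n="$2" '$2 == n || $2 == ("*" n) {print $1; found=1} END {exit !found}' "$1"
}

# Verify the cosign signature on a checksums file; TOOL is syft, grype or grant.
verify_signature() {
  tool="$1"; checksums="$2"
  cosign verify-blob "$checksums" \
    --certificate "$checksums.pem" \
    --signature "$checksums.sig" \
    --certificate-identity-regexp "https://github\\.com/anchore/$tool/\\.github/workflows/.+" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
}

# Compare the asset's actual digest with the signed one. Returns non-zero on any
# mismatch or if the asset is not listed, so callers can refuse to install.
verify_checksum() {
  checksums="$1"; file="$2"
  want=$(expected_digest "$checksums" "$(basename "$file")") ||
    { echo "$file: not listed in $checksums" >&2; return 1; }
  got=$(sha256_of "$file")
  [ "$got" = "$want" ] ||
    { echo "$file: FAILED (expected $want, got $got)" >&2; return 1; }
  echo "$file: OK"
}

# Usage (paths as in the complete example above):
#   verify_signature syft ./syft_1.23.1_checksums.txt &&
#     verify_checksum ./syft_1.23.1_checksums.txt ./syft_1.23.1_darwin_arm64.tar.gz
```

Run the signature check before the checksum check: a matching digest from an unsigned or forged checksums file proves nothing about authenticity.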
Need help?

If you’re still having issues: