This is the multi-page printable view of this section. Click here to print.
Reference
Reference for Anchore OSS Tools
1 - Grype Command Line Reference
Note
This documentation was generated from Grype version0.100.0.
A vulnerability scanner for container images, filesystems, and SBOMs.
Supports the following image sources:
grype yourrepo/yourimage:tag defaults to using images from a Docker daemon
grype path/to/yourproject a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
grype podman:yourrepo/yourimage:tag explicitly use the Podman daemon
grype docker:yourrepo/yourimage:tag explicitly use the Docker daemon
grype docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
grype oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Podman or otherwise)
grype oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
grype singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
grype dir:path/to/yourproject read directly from a path on disk (any directory)
grype file:path/to/yourfile read directly from a file on disk
grype sbom:path/to/syft.json read Syft JSON from path on disk
grype registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
grype purl:path/to/purl/file read a newline separated file of package URLs from a path on disk
grype PURL read a single package PURL directly (e.g. pkg:apk/openssl@3.2.1?distro=alpine-3.20.3)
grype CPE read a single CPE directly (e.g. cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*)
You can also pipe in Syft JSON directly:
syft yourimage:tag -o json | grype
Usage:
grype [IMAGE] [flags]
grype [command]
Available Commands:
completion Generate a shell completion for Grype (listing local docker images)
config show the grype configuration
db vulnerability database operations
explain Ask grype to explain a set of findings
help Help about any command
version show version information
Flags:
--add-cpes-if-none generate CPEs for packages with no CPE data
--by-cve orient results by CVE instead of the original vulnerability ID when possible
-c, --config stringArray grype configuration file(s) to use
--distro string distro to match against in the format: <distro>:<version>
--exclude stringArray exclude paths from being scanned using a glob expression
-f, --fail-on string set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]
--file string file to write the default report output to (default is STDOUT)
-h, --help help for grype
--ignore-states string ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix]
--name string set the name of the target being analyzed
--only-fixed ignore matches for vulnerabilities that are not fixed
--only-notfixed ignore matches for vulnerabilities that are fixed
-o, --output stringArray report output formatter, formats=[json table cyclonedx cyclonedx-json sarif template], deprecated formats=[embedded-cyclonedx-vex-json embedded-cyclonedx-vex-xml]
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--profile stringArray configuration profiles to use
-q, --quiet suppress all logging output
-s, --scope string selection of layers to analyze, options=[squashed all-layers deep-squashed] (default "squashed")
--show-suppressed show suppressed/ignored vulnerabilities in the output (only supported with table output format)
--sort-by string sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (default "risk")
-t, --template string specify the path to a Go template file (requires 'template' output to be selected)
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for grype
--vex stringArray a list of VEX documents to consider when producing scanning results
Use "grype [command] --help" for more information about a command.
grype config
Show the grype configuration.
Usage:
grype config [flags]
grype config [command]
Available Commands:
locations shows all locations and the order in which grype will look for a configuration file
Flags:
-h, --help help for config
--load load and validate the grype configuration
grype db check
Check to see if there is a database update available.
Usage:
grype db check [flags]
Flags:
-h, --help help for check
-o, --output string format to display results (available=[text, json]) (default "text")
grype db delete
Delete the vulnerability database.
Usage:
grype db delete [flags]
Flags:
-h, --help help for delete
grype db import
Import a vulnerability database archive from a local FILE or URL.
DB archives can be obtained from “https://grype.anchore.io/databases” (or running db list). If the URL has a checksum query parameter with a fully qualified digest (e.g. ‘sha256:abc728…’) then the archive/DB will be verified against this value.
Usage:
grype db import FILE | URL [flags]
Flags:
-h, --help help for import
grype db list
List all DBs available according to the listing URL.
Usage:
grype db list [flags]
Flags:
-h, --help help for list
-o, --output string format to display results (available=[text, raw, json]) (default "text")
grype db providers
List vulnerability providers that are in the database.
Usage:
grype db providers [flags]
Flags:
-h, --help help for providers
-o, --output string format to display results (available=[table, json]) (default "table")
grype db search
Search the DB for vulnerabilities or affected packages.
Usage:
grype db search [flags]
grype db search [command]
Examples:
Search for affected packages by vulnerability ID:
$ grype db search --vuln ELSA-2023-12205
Search for affected packages by package name:
$ grype db search --pkg log4j
Search for affected packages by package name, filtering down to a specific vulnerability:
$ grype db search --pkg log4j --vuln CVE-2021-44228
Search for affected packages by PURL (note: version is not considered):
$ grype db search --pkg 'pkg:rpm/redhat/openssl' # or: '--ecosystem rpm --pkg openssl
Search for affected packages by CPE (note: version/update is not considered):
$ grype db search --pkg 'cpe:2.3:a:jetty:jetty_http_server:*:*:*:*:*:*:*:*'
$ grype db search --pkg 'cpe:/a:jetty:jetty_http_server'
Available Commands:
vuln Search for vulnerabilities within the DB (supports DB schema v6+ only)
Flags:
--broad-cpe-matching allow for specific package CPE attributes to match with '*' values on the vulnerability
--distro stringArray refine to results with the given operating system (format: 'name', 'name@version', 'name@maj.min', 'name@codename')
--ecosystem string ecosystem of the package to search within
-h, --help help for search
--limit int limit the number of results returned, use 0 for no limit (default 5000)
--modified-after string only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD)
-o, --output string format to display results (available=[table, json]) (default "table")
--pkg stringArray package name/CPE/PURL to search for
--provider stringArray only show vulnerabilities from the given provider
--published-after string only show vulnerabilities originally published after the given date (format: YYYY-MM-DD)
--vuln stringArray only show results for the given vulnerability ID
grype db status
Display database status and metadata.
Usage:
grype db status [flags]
Flags:
-h, --help help for status
-o, --output string format to display results (available=[text, json]) (default "text")
grype db update
Download and install the latest vulnerability database.
Usage:
grype db update [flags]
Flags:
-h, --help help for update
grype explain
Ask grype to explain a set of findings.
Usage:
grype explain --id [VULNERABILITY ID] [flags]
Flags:
-h, --help help for explain
--id stringArray CVE IDs to explain
grype version
Show version information.
Usage:
grype version [flags]
Flags:
-h, --help help for version
-o, --output string the format to show the results (allowable: [text json]) (default "text")
2 - Syft Command Line Reference
Note
This documentation was generated from Syft version1.33.0.
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems
Usage:
syft [SOURCE] [flags]
syft [command]
Examples:
syft scan alpine:latest a summary of discovered packages
syft scan alpine:latest -o json show all possible cataloging details
syft scan alpine:latest -o cyclonedx show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx-json show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o spdx show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx@2.2 show a SPDX 2.2 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx-json show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json@2.2 show a SPDX 2.2 JSON formatted SBOM
syft scan alpine:latest -vv show verbose debug information
syft scan alpine:latest -o template -t my_format.tmpl show a SBOM formatted according to given template file
Supports the following image sources:
syft scan yourrepo/yourimage:tag defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
syft scan path/to/a/file/or/dir a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
syft scan docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft scan podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft scan registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft scan docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft scan oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft scan oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft scan singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
syft scan dir:path/to/yourproject read directly from a path on disk (any directory)
syft scan file:path/to/yourproject/file read directly from a path on disk (any single file)
Available Commands:
attest Generate an SBOM as an attestation for the given [SOURCE] container image
cataloger Show available catalogers and configuration
completion Generate the autocompletion script for the specified shell
config show the syft configuration
convert Convert between SBOM formats
help Help about any command
login Log in to a registry
scan Generate an SBOM
version show version information
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
-c, --config stringArray syft configuration file(s) to use
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript)
--exclude stringArray exclude paths from being scanned using a glob expression
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for syft
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--profile stringArray configuration profiles to use
-q, --quiet suppress all logging output
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
-t, --template string specify the path to a Go template file
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for syft
Use "syft [command] --help" for more information about a command.
syft attest
Generate a packaged-based Software Bill Of Materials (SBOM) from a container image as the predicate of an in-toto attestation that will be uploaded to the image registry.
Usage:
syft attest --output [FORMAT] <IMAGE> [flags]
Examples:
syft attest --output [FORMAT] alpine:latest defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry
You can also explicitly specify the scheme to use:
syft attest docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft attest podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft attest registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft attest docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft attest oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft attest oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft attest singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript)
--exclude stringArray exclude paths from being scanned using a glob expression
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for attest
-k, --key string the key to use for the attestation
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-json])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
syft cataloger list
List available catalogers.
Usage:
syft cataloger list [OPTIONS] [flags]
Flags:
-h, --help help for list
-o, --output string format to output the cataloger list (available: table, json)
--override-default-catalogers stringArray override the default catalogers with an expression (default [all])
--select-catalogers stringArray select catalogers with an expression
-s, --show-hidden show catalogers that have been de-selected
syft config
Show the syft configuration.
Usage:
syft config [flags]
syft config [command]
Available Commands:
locations shows all locations and the order in which syft will look for a configuration file
Flags:
-h, --help help for config
--load load and validate the syft configuration
syft convert
[Experimental] Convert SBOM files to, and from, SPDX, CycloneDX and Syft’s format. For more info about data loss between formats see https://github.com/anchore/syft/wiki/format-conversion.
Usage:
syft convert [SOURCE-SBOM] -o [FORMAT] [flags]
Examples:
syft convert img.syft.json -o spdx-json convert a syft SBOM to spdx-json, output goes to stdout
syft convert img.syft.json -o cyclonedx-json=img.cdx.json convert a syft SBOM to CycloneDX, output is written to the file "img.cdx.json"
syft convert - -o spdx-json convert an SBOM from STDIN to spdx-json
Flags:
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
-h, --help help for convert
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
-t, --template string specify the path to a Go template file
syft login
Log in to a registry.
Usage:
syft login [OPTIONS] [SERVER] [flags]
Examples:
# Log in to reg.example.com
syft login reg.example.com -u AzureDiamond -p hunter2
Flags:
-h, --help help for login
-p, --password string Password
--password-stdin Take the password from stdin
-u, --username string Username
syft scan
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems.
Usage:
syft scan [SOURCE] [flags]
Examples:
syft scan alpine:latest a summary of discovered packages
syft scan alpine:latest -o json show all possible cataloging details
syft scan alpine:latest -o cyclonedx show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx-json show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o spdx show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx@2.2 show a SPDX 2.2 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx-json show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json@2.2 show a SPDX 2.2 JSON formatted SBOM
syft scan alpine:latest -vv show verbose debug information
syft scan alpine:latest -o template -t my_format.tmpl show a SBOM formatted according to given template file
Supports the following image sources:
syft scan yourrepo/yourimage:tag defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
syft scan path/to/a/file/or/dir a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
syft scan docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft scan podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft scan registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft scan docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft scan oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft scan oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft scan singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
syft scan dir:path/to/yourproject read directly from a path on disk (any directory)
syft scan file:path/to/yourproject/file read directly from a path on disk (any single file)
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript)
--exclude stringArray exclude paths from being scanned using a glob expression
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for scan
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-supplier string the organization that supplied the component, which often may be the manufacturer, distributor, or repackager
--source-version string set the version of the target being analyzed
-t, --template string specify the path to a Go template file
syft version
Show version information.
Usage:
syft version [flags]
Flags:
-h, --help help for version
-o, --output string the format to show the results (allowable: [text json]) (default "text")
3 - Grype Default Configuration
Note
This documentation was generated from Grype version0.100.0.
Grype searches for configuration files in the following locations, in order:
./.grype.yaml- current working directory./.grype/config.yaml- app subdirectory in current working directory~/.grype.yaml- home directory$XDG_CONFIG_HOME/grype/config.yaml- XDG config directory
The configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
log:
# suppress all logging output (env: GRYPE_LOG_QUIET)
quiet: false
# explicitly set the logging level (available: [error warn info debug trace]) (env: GRYPE_LOG_LEVEL)
level: "warn"
# file path to write logs to (env: GRYPE_LOG_FILE)
file: ""
dev:
# capture resource profiling data (available: [cpu, mem]) (env: GRYPE_DEV_PROFILE)
profile: ""
db:
# (env: GRYPE_DEV_DB_DEBUG)
debug: false
# the output format of the vulnerability report (options: table, template, json, cyclonedx)
# when using template as the output type, you must also provide a value for 'output-template-file' (env: GRYPE_OUTPUT)
output: []
# if using template output, you must provide a path to a Go template file
# see https://github.com/anchore/grype#using-templates for more information on template output
# the default path to the template file is the current working directory
# output-template-file: .grype/html.tmpl
#
# write output report to a file (default is to write to stdout) (env: GRYPE_FILE)
file: ""
# pretty-print output (env: GRYPE_PRETTY)
pretty: false
# distro to match against in the format: <distro>:<version> (env: GRYPE_DISTRO)
distro: ""
# generate CPEs for packages with no CPE data (env: GRYPE_ADD_CPES_IF_NONE)
add-cpes-if-none: false
# specify the path to a Go template file (requires 'template' output to be selected) (env: GRYPE_OUTPUT_TEMPLATE_FILE)
output-template-file: ""
# enable/disable checking for application updates on startup (env: GRYPE_CHECK_FOR_APP_UPDATE)
check-for-app-update: true
# ignore matches for vulnerabilities that are not fixed (env: GRYPE_ONLY_FIXED)
only-fixed: false
# ignore matches for vulnerabilities that are fixed (env: GRYPE_ONLY_NOTFIXED)
only-notfixed: false
# ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix] (env: GRYPE_IGNORE_WONTFIX)
ignore-wontfix: ""
# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: GRYPE_PLATFORM)
platform: ""
search:
# selection of layers to analyze, options=[squashed all-layers deep-squashed] (env: GRYPE_SEARCH_SCOPE)
scope: "squashed"
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
# note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_UNINDEXED_ARCHIVES)
unindexed-archives: false
# search within archives that do contain a file index to search against (zip)
# note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_INDEXED_ARCHIVES)
indexed-archives: true
# A list of vulnerability ignore rules, one or more property may be specified and all matching vulnerabilities will be ignored.
# This is the full set of supported rule fields:
# - vulnerability: CVE-2008-4318
# fix-state: unknown
# package:
# name: libcurl
# version: 1.5.1
# type: npm
# location: "/usr/local/lib/node_modules/**"
#
# VEX fields apply when Grype reads vex data:
# - vex-status: not_affected
# vex-justification: vulnerable_code_not_present
ignore: []
# a list of globs to exclude from scanning, for example:
# - '/etc/**'
# - './out/**/*.json'
# same as --exclude (env: GRYPE_EXCLUDE)
exclude: []
external-sources:
# enable Grype searching network source for additional information (env: GRYPE_EXTERNAL_SOURCES_ENABLE)
enable: false
maven:
# search for Maven artifacts by SHA1 (env: GRYPE_EXTERNAL_SOURCES_MAVEN_SEARCH_MAVEN_UPSTREAM)
search-maven-upstream: true
# base URL of the Maven repository to search (env: GRYPE_EXTERNAL_SOURCES_MAVEN_BASE_URL)
base-url: "https://search.maven.org/solrsearch/select"
# (env: GRYPE_EXTERNAL_SOURCES_MAVEN_RATE_LIMIT)
rate-limit: 300ms
match:
java:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVA_USING_CPES)
using-cpes: false
jvm:
# (env: GRYPE_MATCH_JVM_USING_CPES)
using-cpes: true
dotnet:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_DOTNET_USING_CPES)
using-cpes: false
golang:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_GOLANG_USING_CPES)
using-cpes: false
# use CPE matching to find vulnerabilities for the Go standard library (env: GRYPE_MATCH_GOLANG_ALWAYS_USE_CPE_FOR_STDLIB)
always-use-cpe-for-stdlib: true
# allow comparison between main module pseudo-versions (e.g. v0.0.0-20240413-2b432cf643...) (env: GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON)
allow-main-module-pseudo-version-comparison: false
javascript:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVASCRIPT_USING_CPES)
using-cpes: false
python:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_PYTHON_USING_CPES)
using-cpes: false
ruby:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUBY_USING_CPES)
using-cpes: false
rust:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUST_USING_CPES)
using-cpes: false
stock:
# use CPE matching to find vulnerabilities (env: GRYPE_MATCH_STOCK_USING_CPES)
using-cpes: true
# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical) (env: GRYPE_FAIL_ON_SEVERITY)
fail-on-severity: ""
registry:
# skip TLS verification when communicating with the registry (env: GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
insecure-skip-tls-verify: false
# use http instead of https when connecting to the registry (env: GRYPE_REGISTRY_INSECURE_USE_HTTP)
insecure-use-http: false
# Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
# - authority: the registry authority URL the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) (env: SYFT_REGISTRY_AUTH_AUTHORITY)
# username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
# password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
# token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
# tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
# tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
auth: []
# filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: GRYPE_REGISTRY_CA_CERT)
ca-cert: ""
# show suppressed/ignored vulnerabilities in the output (only supported with table output format) (env: GRYPE_SHOW_SUPPRESSED)
show-suppressed: false
# orient results by CVE instead of the original vulnerability ID when possible (env: GRYPE_BY_CVE)
by-cve: false
# sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (env: GRYPE_SORT_BY)
sort-by: "risk"
# same as --name; set the name of the target being analyzed (env: GRYPE_NAME)
name: ""
# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman (env: GRYPE_DEFAULT_IMAGE_PULL_SOURCE)
default-image-pull-source: ""
# a list of VEX documents to consider when producing scanning results (env: GRYPE_VEX_DOCUMENTS)
vex-documents: []
# VEX statuses to consider as ignored rules (env: GRYPE_VEX_ADD)
vex-add: []
# match kernel-header packages with upstream kernel as kernel vulnerabilities (env: GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS)
match-upstream-kernel-headers: false
fix-channel:
redhat-eus:
# whether fixes from this channel should be considered, options are "never", "always", or "auto" (conditionally applied based on SBOM data) (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_APPLY)
apply: "auto"
# (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_VERSIONS)
versions: ">= 8.0"
# (env: GRYPE_TIMESTAMP)
timestamp: true
db:
# location to write the vulnerability database cache (env: GRYPE_DB_CACHE_DIR)
cache-dir: "~.cache~grype~db"
# URL of the vulnerability database (env: GRYPE_DB_UPDATE_URL)
update-url: "https://grype.anchore.io/databases"
# certificate to trust download the database and listing file (env: GRYPE_DB_CA_CERT)
ca-cert: ""
# check for database updates on execution (env: GRYPE_DB_AUTO_UPDATE)
auto-update: true
# validate the database matches the known hash each execution (env: GRYPE_DB_VALIDATE_BY_HASH_ON_START)
validate-by-hash-on-start: true
# ensure db build is no older than the max-allowed-built-age (env: GRYPE_DB_VALIDATE_AGE)
validate-age: true
# Max allowed age for vulnerability database,
# age being the time since it was built
# Default max age is 120h (or five days) (env: GRYPE_DB_MAX_ALLOWED_BUILT_AGE)
max-allowed-built-age: 120h0m0s
# fail the scan if unable to check for database updates (env: GRYPE_DB_REQUIRE_UPDATE_CHECK)
require-update-check: false
# Timeout for downloading GRYPE_DB_UPDATE_URL to see if the database needs to be downloaded
# This file is ~156KiB as of 2024-04-17 so the download should be quick; adjust as needed (env: GRYPE_DB_UPDATE_AVAILABLE_TIMEOUT)
update-available-timeout: 30s
# Timeout for downloading actual vulnerability DB
# The DB is ~156MB as of 2024-04-17 so slower connections may exceed the default timeout; adjust as needed (env: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT)
update-download-timeout: 5m0s
# Maximum frequency to check for vulnerability database updates (env: GRYPE_DB_MAX_UPDATE_CHECK_FREQUENCY)
max-update-check-frequency: 2h0m0s
exp:
4 - Syft Default Configuration
Note
This documentation was generated from Syft version1.33.0.
Syft searches for configuration files in the following locations, in order:
./.syft.yaml- current working directory./.syft/config.yaml- app subdirectory in current working directory~/.syft.yaml- home directory$XDG_CONFIG_HOME/syft/config.yaml- XDG config directory
The configuration file can use either .yaml or .yml extensions. The first configuration file found will be used.
log:
# suppress all logging output (env: SYFT_LOG_QUIET)
quiet: false
# increase verbosity (-v = info, -vv = debug) (env: SYFT_LOG_VERBOSITY)
verbosity: 0
# explicitly set the logging level (available: [error warn info debug trace]) (env: SYFT_LOG_LEVEL)
level: "warn"
# file path to write logs to (env: SYFT_LOG_FILE)
file: ""
dev:
# capture resource profiling data (available: [cpu, mem]) (env: SYFT_DEV_PROFILE)
profile: ""
# the configuration file(s) used to load application configuration (env: SYFT_CONFIG)
config: ""
# the output format(s) of the SBOM report (options: syft-table, syft-text, syft-json, spdx-json, ...)
# to specify multiple output files in differing formats, use a list:
# output:
# - "syft-json=<syft-json-output-file>"
# - "spdx-json=<spdx-json-output-file>" (env: SYFT_OUTPUT)
output:
- "syft-table"
# file to write the default report output to (default is STDOUT) (env: SYFT_LEGACYFILE)
legacyFile: ""
format:
# default value for all formats that support the "pretty" option (default is unset) (env: SYFT_FORMAT_PRETTY)
pretty:
template:
# path to the template file to use when rendering the output with the template output format.
# Note that all template paths are based on the current syft-json schema (env: SYFT_FORMAT_TEMPLATE_PATH)
path: ""
# if true, uses the go structs for the syft-json format for templating.
# if false, uses the syft-json output for templating (which follows the syft JSON schema exactly).
#
# Note: long term support for this option is not guaranteed (it may change or break at any time) (env: SYFT_FORMAT_TEMPLATE_LEGACY)
legacy: false
json:
# transform any syft-json output to conform to an approximation of the v11.0.1 schema. This includes:
# - using the package metadata type names from before v12 of the JSON schema (changed in https://github.com/anchore/syft/pull/1983)
#
# Note: this will still include package types and fields that were added at or after json schema v12. This means
# that output might not strictly be json schema v11 compliant, however, for consumers that require time to port
# over to the final syft 1.0 json output this option can be used to ease the transition.
#
# Note: long term support for this option is not guaranteed (it may change or break at any time) (env: SYFT_FORMAT_JSON_LEGACY)
legacy: false
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_JSON_PRETTY)
pretty:
spdx-json:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_SPDX_JSON_PRETTY)
pretty:
cyclonedx-json:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_CYCLONEDX_JSON_PRETTY)
pretty:
cyclonedx-xml:
# include space indentation and newlines
# note: inherits default value from 'format.pretty' or 'false' if parent is unset (env: SYFT_FORMAT_CYCLONEDX_XML_PRETTY)
pretty:
# whether to check for an application update on start up or not (env: SYFT_CHECK_FOR_APP_UPDATE)
check-for-app-update: true
# enable one or more package catalogers (env: SYFT_CATALOGERS)
catalogers: []
# set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source) (env: SYFT_DEFAULT_CATALOGERS)
default-catalogers: []
# add, remove, and filter the catalogers to be used (env: SYFT_SELECT_CATALOGERS)
select-catalogers: []
package:
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
# note: for now this only applies to the java package cataloger (env: SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES)
search-unindexed-archives: false
# search within archives that do contain a file index to search against (zip)
# note: for now this only applies to the java package cataloger (env: SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES)
search-indexed-archives: true
# allows users to exclude synthetic binary packages from the sbom
# these packages are removed if an overlap with a non-synthetic package is found (env: SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
exclude-binary-overlap-by-ownership: true
license:
# include the content of licenses in the SBOM for a given syft scan; valid values are: [all unknown none] (env: SYFT_LICENSE_CONTENT)
content: "none"
# adjust the percent as a fraction of the total text, in normalized words, that
# matches any valid license for the given inputs, expressed as a percentage across all of the licenses matched. (env: SYFT_LICENSE_COVERAGE)
coverage: 75
file:
metadata:
# select which files should be captured by the file-metadata cataloger and included in the SBOM.
# Options include:
# - "all": capture all files from the search space
# - "owned-by-package": capture only files owned by packages
# - "none", "": do not capture any files (env: SYFT_FILE_METADATA_SELECTION)
selection: "owned-by-package"
# the file digest algorithms to use when cataloging files (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_FILE_METADATA_DIGESTS)
digests:
- "sha1"
- "sha256"
content:
# skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes) (env: SYFT_FILE_CONTENT_SKIP_FILES_ABOVE_SIZE)
skip-files-above-size: 256000
# file globs for the cataloger to match on (env: SYFT_FILE_CONTENT_GLOBS)
globs: []
executable:
# file globs for the cataloger to match on (env: SYFT_FILE_EXECUTABLE_GLOBS)
globs: []
# selection of layers to catalog, options=[squashed all-layers deep-squashed] (env: SYFT_SCOPE)
scope: "squashed"
# number of cataloger workers to run in parallel
# by default, when set to 0: this will be based on runtime.NumCPU * 4, if set to less than 0 it will be unbounded (env: SYFT_PARALLELISM)
parallelism: 0
relationships:
# include package-to-file relationships that indicate which files are owned by which packages (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP)
package-file-ownership: true
# include package-to-package relationships that indicate one package is owned by another due to files claimed to be owned by one package are also evidence of another package's existence (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP_OVERLAP)
package-file-ownership-overlap: true
compliance:
# action to take when a package is missing a name (env: SYFT_COMPLIANCE_MISSING_NAME)
missing-name: "drop"
# action to take when a package is missing a version (env: SYFT_COMPLIANCE_MISSING_VERSION)
missing-version: "stub"
# Enable data enrichment operations, which can utilize services such as Maven Central and NPM.
# By default all enrichment is disabled, use: all to enable everything.
# Available options are: all, golang, java, javascript (env: SYFT_ENRICH)
enrich: []
dotnet:
# only keep dep.json packages which an executable on disk is found. The package is also included if a DLL is found for any child package, even if the package itself does not have a DLL. (env: SYFT_DOTNET_DEP_PACKAGES_MUST_HAVE_DLL)
dep-packages-must-have-dll: false
# only keep dep.json packages which have a runtime/resource DLL claimed in the deps.json targets section (but not necessarily found on disk). The package is also included if any child package claims a DLL, even if the package itself does not claim a DLL. (env: SYFT_DOTNET_DEP_PACKAGES_MUST_CLAIM_DLL)
dep-packages-must-claim-dll: true
# treat DLL claims or on-disk evidence for child packages as DLL claims or on-disk evidence for any parent package (env: SYFT_DOTNET_PROPAGATE_DLL_CLAIMS_TO_PARENTS)
propagate-dll-claims-to-parents: true
# show all packages from the deps.json if bundling tooling is present as a dependency (e.g. ILRepack) (env: SYFT_DOTNET_RELAX_DLL_CLAIMS_WHEN_BUNDLING_DETECTED)
relax-dll-claims-when-bundling-detected: true
golang:
# search for go package licences in the GOPATH of the system running Syft, note that this is outside the
# container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES)
search-local-mod-cache-licenses:
# specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod (env: SYFT_GOLANG_LOCAL_MOD_CACHE_DIR)
local-mod-cache-dir: "~go~pkg~mod"
# search for go package licences in the vendor folder on the system running Syft, note that this is outside the
# container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_VENDOR_LICENSES)
search-local-vendor-licenses:
# specify an explicit go vendor directory, if unset this defaults to ./vendor (env: SYFT_GOLANG_LOCAL_VENDOR_DIR)
local-vendor-dir: ""
# search for go package licences by retrieving the package from a network proxy (env: SYFT_GOLANG_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# remote proxy to use when retrieving go packages from the network,
# if unset this defaults to $GOPROXY followed by https://proxy.golang.org (env: SYFT_GOLANG_PROXY)
proxy: "https://proxy.golang.org,direct"
# specifies packages which should not be fetched by proxy
# if unset this defaults to $GONOPROXY (env: SYFT_GOLANG_NO_PROXY)
no-proxy: ""
main-module-version:
# look for LD flags that appear to be setting a version (e.g. -X main.version=1.0.0) (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_LD_FLAGS)
from-ld-flags: true
# search for semver-like strings in the binary contents (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_CONTENTS)
from-contents: false
# use the build settings (e.g. vcs.version & vcs.time) to craft a v0 pseudo version
# (e.g. v0.0.0-20220308212642-53e6d0aaf6fb) when a more accurate version cannot be found otherwise (env: SYFT_GOLANG_MAIN_MODULE_VERSION_FROM_BUILD_SETTINGS)
from-build-settings: true
java:
# enables Syft to use the network to fetch version and license information for packages when
# a parent or imported pom file is not found in the local maven repository.
# the pom files are downloaded from the remote Maven repository at 'maven-url' (env: SYFT_JAVA_USE_NETWORK)
use-network:
# use the local Maven repository to retrieve pom files. When Maven is installed and was previously used
# for building the software that is being scanned, then most pom files will be available in this
# repository on the local file system. this greatly speeds up scans. when all pom files are available
# in the local repository, then 'use-network' is not needed.
# TIP: If you want to download all required pom files to the local repository without running a full
# build, run 'mvn help:effective-pom' before performing the scan with syft. (env: SYFT_JAVA_USE_MAVEN_LOCAL_REPOSITORY)
use-maven-local-repository:
# override the default location of the local Maven repository.
# the default is the subdirectory '.m2/repository' in your home directory (env: SYFT_JAVA_MAVEN_LOCAL_REPOSITORY_DIR)
maven-local-repository-dir: "~.m2~repository"
# maven repository to use, defaults to Maven central (env: SYFT_JAVA_MAVEN_URL)
maven-url: "https://repo1.maven.org/maven2"
# depth to recursively resolve parent POMs, no limit if <= 0 (env: SYFT_JAVA_MAX_PARENT_RECURSIVE_DEPTH)
max-parent-recursive-depth: 0
# resolve transient dependencies such as those defined in a dependency's POM on Maven central (env: SYFT_JAVA_RESOLVE_TRANSITIVE_DEPENDENCIES)
resolve-transitive-dependencies: false
javascript:
# enables Syft to use the network to fill in more detailed license information (env: SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES)
search-remote-licenses:
# base NPM url to use (env: SYFT_JAVASCRIPT_NPM_BASE_URL)
npm-base-url: ""
# include development-scoped dependencies (env: SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES)
include-dev-dependencies:
linux-kernel:
# whether to catalog linux kernel modules found within lib/modules/** directories (env: SYFT_LINUX_KERNEL_CATALOG_MODULES)
catalog-modules: true
nix:
# enumerate all files owned by packages found within Nix store paths (env: SYFT_NIX_CAPTURE_OWNED_FILES)
capture-owned-files: false
python:
# when running across entries in requirements.txt that do not specify a specific version
# (e.g. "sqlalchemy >= 1.0.0, <= 2.0.0, != 3.0.0, <= 3.0.0"), attempt to guess what the version could
# be based on the version requirements specified (e.g. "1.0.0"). When enabled the lowest expressible version
# when given an arbitrary constraint will be used (even if that version may not be available/published). (env: SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS)
guess-unpinned-requirements: false
registry:
# skip TLS verification when communicating with the registry (env: SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
insecure-skip-tls-verify: false
# use http instead of https when connecting to the registry (env: SYFT_REGISTRY_INSECURE_USE_HTTP)
insecure-use-http: false
# Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
# - authority: the registry authority URL the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) (env: SYFT_REGISTRY_AUTH_AUTHORITY)
# username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
# password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
# token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
# tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
# tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
auth: []
# filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: SYFT_REGISTRY_CA_CERT)
ca-cert: ""
# specify the source behavior to use (e.g. docker, registry, oci-dir, ...) (env: SYFT_FROM)
from: []
# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: SYFT_PLATFORM)
platform: ""
source:
# set the name of the target being analyzed (env: SYFT_SOURCE_NAME)
name: ""
# set the version of the target being analyzed (env: SYFT_SOURCE_VERSION)
version: ""
# the organization that supplied the component, which often may be the manufacturer, distributor, or repackager (env: SYFT_SOURCE_SUPPLIER)
supplier: ""
# (env: SYFT_SOURCE_SOURCE)
source: ""
# base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory (env: SYFT_SOURCE_BASE_PATH)
base-path: ""
file:
# the file digest algorithms to use on the scanned file (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_SOURCE_FILE_DIGESTS)
digests:
- "SHA-256"
image:
# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman (env: SYFT_SOURCE_IMAGE_DEFAULT_PULL_SOURCE)
default-pull-source: ""
# (env: SYFT_SOURCE_IMAGE_MAX_LAYER_SIZE)
max-layer-size: ""
# exclude paths from being scanned using a glob expression (env: SYFT_EXCLUDE)
exclude: []
unknowns:
# remove unknown errors on files with discovered packages (env: SYFT_UNKNOWNS_REMOVE_WHEN_PACKAGES_DEFINED)
remove-when-packages-defined: true
# include executables without any identified packages (env: SYFT_UNKNOWNS_EXECUTABLES_WITHOUT_PACKAGES)
executables-without-packages: true
# include archives which were not expanded and searched (env: SYFT_UNKNOWNS_UNEXPANDED_ARCHIVES)
unexpanded-archives: true
cache:
# root directory to cache any downloaded content; empty string will use an in-memory cache (env: SYFT_CACHE_DIR)
dir: "~.cache~syft"
# time to live for cached data; setting this to 0 will disable caching entirely (env: SYFT_CACHE_TTL)
ttl: "7d"
# show catalogers that have been de-selected (env: SYFT_SHOW_HIDDEN)
show-hidden: false
attest:
# the key to use for the attestation (env: SYFT_ATTEST_KEY)
key: ""
# password to decrypt to given private key
# additionally responds to COSIGN_PASSWORD env var (env: SYFT_ATTEST_PASSWORD)
password: ""
5 - Configuration Reference
Configuration patterns and options used across all Anchore OSS tools
All Anchore open source tools (Syft, Grype, Grant) share the same configuration system. This guide explains how to configure these tools using command-line flags, environment variables, and configuration files.
Configuration precedence
When you configure a tool, settings are applied in a specific order. If the same setting is specified in multiple places, the tool uses the value from the highest-priority source:
- Command-line arguments (highest priority)
- Environment variables
- Configuration file
- Default values (lowest priority)
For example, if you set the log level using all three methods, the command-line flag overrides the environment variable, which overrides the config file value.
Tip
Running a tool with--verbose or -vv log level prints the entire active configuration at startup, showing you exactly which values are being used.
Viewing your configuration
To see available configuration options and current settings:
syft --help— shows all command-line flagssyft config— prints a complete sample configuration filesyft config --load— displays your current active configuration
Replace syft with the tool you’re using (grype, grant, etc.).
Using environment variables
Every configuration option can be set via environment variable. The variable name follows the path to the setting in the configuration file.
Example: To enable pretty-printed JSON output, the config file setting is:
format:
json:
pretty: true
The path from root to this value is format → json → pretty, so the environment variable is:
export SYFT_FORMAT_JSON_PRETTY=true
The pattern is: <TOOL>_<PATH>_<TO>_<SETTING> where:
<TOOL>is the uppercase tool name (SYFT,GRYPE,GRANT)- Path segments are joined with underscores
- All letters are uppercase
More examples:
# Set log level to debug
export SYFT_LOG_LEVEL=debug
# Configure output format
export GRYPE_OUTPUT=json
# Set registry credentials
export SYFT_REGISTRY_AUTH_USERNAME=myuser
Using a configuration file
Configuration files use YAML format. The tool searches these locations in order and uses the first file it finds:
.syft.yaml(in current directory).syft/config.yaml(in current directory)~/.syft.yaml(in home directory)<XDG_CONFIG_HOME>/syft/config.yaml(typically~/.config/syft/config.yaml)
Replace syft with your tool name (grype, grant, etc.).