Capabilities describe the cross-cutting features available across Anchore’s tools:
- Package analysis: What Syft can catalog from package manifests, lock files, and installed packages
- Vulnerability scanning: What Grype can detect using vulnerability databases and matching rules
These capabilities are ecosystem-specific. For example, Python’s capabilities differ from Go’s, and Ubuntu’s capabilities differ from Alpine’s.
Default capabilities do not require network access or special configuration (beyond having a vulnerability DB downloaded). Some capabilities are conditionally supported and need additional configuration or online access to function.
Vulnerability scanning capabilities
Operating system support
Syft and Grype support several operating systems for package cataloging and vulnerability detection. The table below shows which OS versions are supported and where Grype’s vulnerability data comes from.
| Operating System | Supported Versions | Vunnel Provider | Data Source |
|---|---|---|---|
| Alpine Linux | 3.2+, edge | alpine | Alpine SecDB |
| Amazon Linux | 2, 2022, 2023 | amazon | Amazon Linux Security Center |
| Azure Linux | 3.0 | mariner | Microsoft CBL-Mariner OVAL |
| CentOS | 5, 6, 7, 8 | rhel | Red Hat Security Data API |
| Chainguard OS | rolling | chainguard | Chainguard Security |
| Debian | 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable | debian | Debian Security Tracker |
| Echo OS | rolling | echo | ECHO Security |
| CBL-Mariner | 1.0, 2.0 | mariner | Microsoft CBL-Mariner OVAL |
| MinimOS | rolling | minimos | MINIMOS Security |
| Oracle Linux | 5, 6, 7, 8, 9, 10 | oracle | Oracle Linux Security |
| Raspberry Pi OS | 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable | debian | Debian Security Tracker |
| Red Hat Enterprise Linux | 5, 6, 7, 8, 9, 10; EUS: 5.9, 6.4+, 7, 8.1, 8.2, 8.4, 8.6, 8.8, 9 | rhel | Red Hat Security Data API |
| Rocky Linux | 5, 6, 7, 8, 9, 10 | rhel | Red Hat Security Data API |
| SUSE Linux Enterprise Server | 11, 12, 15 | sles | SUSE Security OVAL |
| Ubuntu | 12.04 (precise), 12.10 (quantal), 13.04 (raring), 14.04 (trusty), 14.10 (utopic), 15.04 (vivid), 15.10 (wily), 16.04 (xenial), 16.10 (yakkety), 17.04 (zesty), 17.10 (artful), 18.04 (bionic), 18.10 (cosmic), 19.04 (disco), 19.10 (eoan), 20.04 (focal), 20.10 (groovy), 21.04 (hirsute), 21.10 (impish), 22.04 (jammy), 22.10 (kinetic), 23.04 (lunar), 23.10 (mantic), 24.04 (noble), 24.10 (oracular), 25.04 (plucky), 25.10 | ubuntu | Ubuntu CVE Tracker |
| Wolfi | rolling | wolfi | Wolfi Security |
Data sources
Vulnerability data sources vary in the information they provide. Grype uses these capabilities when available to provide more accurate and comprehensive vulnerability detection:
- Independent Disclosure: Whether the advisory discloses the vulnerability regardless of fix availability. Sources with this capability report vulnerabilities even when no fix is available yet.
- Disclosure Date: Whether the data source provides the date when a vulnerability was first publicly disclosed. This helps you understand the timeline of vulnerability exposure.
- Fix Versions: Whether the data source specifies which package versions contain fixes for a vulnerability. This allows Grype to determine if an installed package version is vulnerable or fixed.
- Fix Date: Whether the advisory includes a date when the fix was made available. This helps you understand the timeline of vulnerability remediation.
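The practical consequence of the Fix Versions and Independent Disclosure capabilities is that a scan report contains a mix of findings you can fix by upgrading, findings disclosed with no fix yet, and findings whose source said nothing about fixes. The script below is an added example, not Grype's own code: it buckets a Grype-style JSON report by that distinction. SAMPLE_REPORT is a constructed document with placeholder vulnerability IDs, and the field names it relies on (matches[].vulnerability.fix.state, fix.versions, artifact.name and artifact.version) are assumed from Grype's JSON output and should be confirmed against `grype -o json` for the version you run.

```python
"""Triage Grype matches by the fix information their data source provided.

Added example for this page; it is not Grype's own code. SAMPLE_REPORT is a
constructed Grype-style JSON report with placeholder IDs. The field names used
(matches[].vulnerability.id / .severity / .fix.state / .fix.versions and
matches[].artifact.name / .version) are assumptions about Grype's JSON output;
confirm them against `grype -o json` for the version you run.
"""
import json
from collections import defaultdict

# Constructed sample: the vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {   # data source supplied a fix version: remediable by upgrade
            "vulnerability": {"id": "EXAMPLE-0001", "severity": "High",
                              "fix": {"versions": ["1.2.4"], "state": "fixed"}},
            "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"},
        },
        {   # independent disclosure: reported although no fix exists yet
            "vulnerability": {"id": "EXAMPLE-0002", "severity": "Medium",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "artifact": {"name": "toolkit", "version": "0.9.0", "type": "python"},
        },
        {   # source gave no fix information at all
            "vulnerability": {"id": "EXAMPLE-0003", "severity": "Low",
                              "fix": {"versions": [], "state": "unknown"}},
            "artifact": {"name": "helper", "version": "2.0.0", "type": "npm"},
        },
    ]
})


def triage(report_json: str) -> dict:
    """Bucket matches by what the advisory's fix data lets you do about them.

    Returns {"upgradeable": [...], "no-fix": [...], "unknown": [...]}; each
    entry carries the id, severity, package and the fix versions reported.
    """
    report = json.loads(report_json)
    buckets = defaultdict(list)
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        fix = vuln.get("fix") or {}
        state = fix.get("state", "unknown")
        versions = fix.get("versions") or []
        entry = {
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": f"{art['name']}@{art['version']}",
            "fix_versions": versions,
        }
        if state == "fixed" and versions:
            buckets["upgradeable"].append(entry)
        elif state in ("not-fixed", "wont-fix"):
            # Only sources with independent disclosure produce these entries;
            # they need a mitigation other than a package upgrade.
            buckets["no-fix"].append(entry)
        else:
            buckets["unknown"].append(entry)
    return dict(buckets)


def summarize(buckets: dict) -> dict:
    """Counts per bucket, e.g. for a CI gate on upgradeable findings."""
    return {name: len(entries) for name, entries in buckets.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(json.dumps(summarize(result)))
    for entry in result.get("upgradeable", []):
        print(f"upgrade {entry['package']} to {', '.join(entry['fix_versions'])}")
```

The "no-fix" bucket only ever fills from sources that disclose independently of fix availability; a report built only from sources without that capability will show nothing there, which is absence of data rather than absence of exposure.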
Package analysis capabilities
The table below lists, for each ecosystem, the Syft catalogers and the evidence (file paths, globs or MIME types) each one uses, and whether license, dependency and file information is captured.
| Ecosystem | Cataloger | Evidence | Licenses | Dependencies | Files |
|---|---|---|---|---|---|
| ALPM | alpm-db-cataloger | var/lib/pacman/local/**/desc | | | |
| APK | apk-db-cataloger | lib/apk/db/installed | | | |
| Binary | binary-classifier-cataloger | classifiers (name: evidence): arangodb-binary: arangosh; bash-binary: bash; busybox-binary: busybox; chrome-binary: chrome; consul-binary: consul; curl-binary: curl; dart-binary: dart; erlang-alpine-binary: beam.smp; erlang-binary: erlexec; erlang-library: liberts_internal.a; ffmpeg-binary: ffmpeg; ffmpeg-library: libav*, libswresample*; fluent-bit-binary: fluent-bit; gcc-binary: gcc; go-binary: go; go-binary-hint: VERSION*; gzip-binary: gzip; haproxy-binary: haproxy; hashicorp-vault-binary: vault; haskell-cabal-binary: cabal; haskell-ghc-binary: ghc*; haskell-stack-binary: stack; helm: helm; httpd-binary: httpd; java-binary: java; java-jdb-binary: jdb; jq-binary: jq; julia-binary: libjulia-internal.so; lighttpd-binary: lighttpd; mariadb-binary: {mariadb,mysql}; memcached-binary: memcached; mysql-binary: mysql; nginx-binary: nginx; nodejs-binary: node; openssl-binary: openssl; perl-binary: perl; php-composer-binary: composer*; postgresql-binary: postgres; proftpd-binary: proftpd; pypy-binary-lib: libpypy*.so*; python-binary: python*; python-binary-lib: libpython*.so*; redis-binary: redis-server; ruby-binary: ruby; rust-standard-library-linux: libstd-????????????????.so; rust-standard-library-macos: libstd-????????????????.dylib; sqlcipher-binary: sqlcipher; swipl-binary: swipl; traefik-binary: traefik; util-linux-binary: getopt; wordpress-cli-binary: wp; xtrabackup-binary: xtrabackup; xz-binary: xz; zstd-binary: zstd | | | |
| | elf-binary-package-cataloger | application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | | | |
| | pe-binary-package-cataloger | *.dll, *.exe | | | |
| Bitnami | bitnami-cataloger | /opt/bitnami/**/.spdx-*.spdx | | | |
| C/C++ | conan-cataloger | conan.lock | | | |
| | conan-cataloger | conanfile.txt | | | |
| | conan-info-cataloger | conaninfo.txt | | | |
| Conda | conda-meta-cataloger | conda-meta/*.json | | | |
| Dart | dart-pubspec-cataloger | pubspec.yml, pubspec.yaml | | | |
| | dart-pubspec-lock-cataloger | pubspec.lock | | | |
| DPKG | deb-archive-cataloger | *.deb | | | |
| | dpkg-db-cataloger | lib/dpkg/status, lib/dpkg/status.d/*, lib/opkg/info/*.control, lib/opkg/status | | | |
| Elixir | elixir-mix-lock-cataloger | mix.lock | | | |
| Erlang | erlang-otp-application-cataloger | *.app | | | |
| | erlang-rebar-lock-cataloger | rebar.lock | | | |
| GitHub Actions | github-action-workflow-usage-cataloger | .github/workflows/*.yaml, .github/workflows/*.yml | | | |
| | github-actions-usage-cataloger | .github/actions/*/action.yml, .github/actions/*/action.yaml | | | |
| | github-actions-usage-cataloger | .github/workflows/*.yaml, .github/workflows/*.yml | | | |
| Go | go-module-binary-cataloger | application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable, application/x-executable (mimetype) | | | |
| | go-module-file-cataloger | go.mod | | | |
| Haskell | haskell-cataloger | cabal.project.freeze | | | |
| | haskell-cataloger | stack.yaml.lock | | | |
| | haskell-cataloger | stack.yaml | | | |
| Homebrew | homebrew-cataloger | Cellar/*/*/.brew/*.rb, Library/Taps/*/*/Formula/*.rb | | | |
| Java | graalvm-native-image-cataloger | application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | | | |
| | java-archive-cataloger | *.jar, *.war, *.ear, *.par, *.sar, *.nar, *.jpi, *.hpi, *.kar, *.lpkg | | | |
| | java-archive-cataloger | *.zip | | | |
| | java-archive-cataloger | *.tar, *.tar.gz, *.tgz, *.tar.bz, *.tar.bz2, *.tbz, *.tbz2, *.tar.br, *.tbr, *.tar.lz4, *.tlz4, *.tar.sz, *.tsz, *.tar.xz, *.txz, *.tar.zst, *.tzst, *.tar.zstd, *.tzstd | | | |
| | java-gradle-lockfile-cataloger | gradle.lockfile* | | | |
| | java-jvm-cataloger | release | | | |
| | java-pom-cataloger | *pom.xml | | | |
| JavaScript | javascript-lock-cataloger | pnpm-lock.yaml | | | |
| | javascript-lock-cataloger | yarn.lock | | | |
| | javascript-lock-cataloger | package-lock.json | | | |
| | javascript-package-cataloger | package.json | | | |
| Linux | linux-kernel-cataloger | kernel, kernel-*, vmlinux, vmlinux-*, vmlinuz, vmlinuz-*, lib/modules/**/*.ko | | | |
| Lua | lua-rock-cataloger | *.rockspec | | | |
| .NET | dotnet-deps-binary-cataloger | *.deps.json, *.dll, *.exe | | | |
| | dotnet-deps-cataloger | *.deps.json | | | |
| | dotnet-packages-lock-cataloger | packages.lock.json | | | |
| | dotnet-portable-executable-cataloger | *.dll, *.exe | | | |
| Nix | nix-cataloger | nix/var/nix/db/db.sqlite, nix/store/*, nix/store/*.drv | | | |
| | nix-store-cataloger | nix/store/*, nix/store/*.drv | | | |
| OCaml | opam-cataloger | *opam | | | |
| PHP | php-composer-installed-cataloger | installed.json | | | |
| | php-composer-lock-cataloger | composer.lock | | | |
| | php-interpreter-cataloger | php*/**/*.so, php-fpm*, apache*/**/libphp*.so | | | |
| | php-pear-serialized-cataloger | php/.registry/**/*.reg | | | |
| | php-pecl-serialized-cataloger | php/.registry/.channel.*/*.reg | | | |
| Portage | portage-cataloger | var/db/pkg/*/*/CONTENTS | | | |
| Prolog | swipl-pack-cataloger | pack.pl | | | |
| Python | python-installed-package-cataloger | *.egg-info, *dist-info/METADATA, *egg-info/PKG-INFO, *DIST-INFO/METADATA, *EGG-INFO/PKG-INFO | | | |
| | python-package-cataloger | uv.lock | | | |
| | python-package-cataloger | setup.py | | | |
| | python-package-cataloger | Pipfile.lock | | | |
| | python-package-cataloger | poetry.lock | | | |
| | python-package-cataloger | *requirements*.txt | | | |
| R | r-package-cataloger | DESCRIPTION | | | |
| RPM | rpm-archive-cataloger | *.rpm | | | |
| | rpm-db-cataloger | var/lib/rpmmanifest/container-manifest-2 | | | |
| | rpm-db-cataloger | {var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite} | | | |
| Ruby | ruby-gemfile-cataloger | Gemfile.lock | | | |
| | ruby-gemspec-cataloger | *.gemspec | | | |
| | ruby-installed-gemspec-cataloger | specifications/**/*.gemspec | | | |
| Rust | cargo-auditable-binary-cataloger | application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable, application/x-executable (mimetype) | | | |
| | rust-cargo-lock-cataloger | Cargo.lock | | | |
| SBOM | sbom-cataloger | *.syft.json, *.bom.*, *.bom, bom, *.sbom.*, *.sbom, sbom, *.cdx.*, *.cdx, *.spdx.*, *.spdx | | | |
| Snap | snap-cataloger | snap/snapcraft.yaml | | | |
| | snap-cataloger | snap/manifest.yaml | | | |
| | snap-cataloger | doc/linux-modules-*/changelog.Debian.gz | | | |
| | snap-cataloger | usr/share/snappy/dpkg.yaml | | | |
| | snap-cataloger | meta/snap.yaml | | | |
| Swift | cocoapods-cataloger | Podfile.lock | | | |
| | swift-package-manager-cataloger | Package.resolved, .package.resolved | | | |
| Terraform | terraform-lock-cataloger | .terraform.lock.hcl | | | |
| WordPress | wordpress-plugins-cataloger | wp-content/plugins/*/*.php | | | |
Legend
- (empty) : Not supported
Dependencies
We describe Syft's ability to capture dependency information along the following dimensions:
- Depth: How far into the true dependency graph we are able to discover package nodes.
  - direct: only captures dependencies explicitly declared by the project, not necessarily the dependencies of those dependencies
  - transitive: all possible depths of dependencies are captured
- Edges: Whether we are able to capture relationships between packages, and if so, the topology of those relationships.
  - flat: we can relate the root package to all other dependencies, but are unaware of relationships between dependencies (a simple star topology, where all dependencies point to the root package)
  - complete: all possible relationships between packages are captured (the full dependency graph)
- Kinds: The types of dependencies we are able to capture.
  - runtime: dependencies required for the package to function at runtime
  - dev: dependencies required for development
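Depth and edges are independent: a lockfile cataloger may list every transitive package yet attach all of them to the root (flat), while a complete graph has dependency-to-dependency edges. The following is an added example, not Syft's code, that reads the two dimensions back out of Syft-shaped SBOM data. It assumes Syft's JSON layout (artifacts with "id", relationships with "parent", "child" and "type") and Syft's convention that for a "dependency-of" relationship the parent is a dependency of the child; the artifacts and relationships are constructed inline.

```python
"""Describe the dependency information a Syft-style SBOM actually carries.

Added example for this page, not Syft's code. The input mirrors the shape of
Syft's JSON: artifacts with "id"/"name" and relationships with "parent",
"child" and "type". Assumed convention: in a "dependency-of" relationship the
parent is a dependency of the child. All sample data below is constructed.
"""
from collections import deque

DEPENDENCY_OF = "dependency-of"


def dependency_graph(relationships):
    """Map each package id to the set of packages it depends on."""
    graph = {}
    for rel in relationships:
        if rel.get("type") != DEPENDENCY_OF:
            continue
        graph.setdefault(rel["child"], set()).add(rel["parent"])
    return graph


def describe(artifacts, relationships, root_id):
    """Report observed depth, edge topology and packages no edge covers.

    topology: "flat" when every edge hangs off the root (star), "complete"
    when dependency-to-dependency edges exist, "none" when there are no edges.
    max_depth: longest path found from the root. orphans: catalogued packages
    that appear in no dependency edge, which is what a cataloger without edge
    support leaves behind.
    """
    graph = dependency_graph(relationships)
    # Breadth-first walk from the root, recording the depth of first contact.
    depth = {root_id: 0}
    queue = deque([root_id])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    edge_count = sum(len(deps) for deps in graph.values())
    if edge_count == 0:
        topology = "none"
    elif any(dependant != root_id for dependant in graph):
        topology = "complete"      # some dependency has dependencies of its own
    else:
        topology = "flat"          # every edge points at the root
    touched = set()
    for rel in relationships:
        if rel.get("type") == DEPENDENCY_OF:
            touched.update((rel["parent"], rel["child"]))
    orphans = sorted(a["id"] for a in artifacts if a["id"] not in touched)
    return {
        "packages": len(artifacts),
        "edges": edge_count,
        "max_depth": max(depth.values()),
        "topology": topology,
        "orphans": orphans,
    }


# Constructed sample: app -> web -> json, app -> log, plus a package with no edges.
ARTIFACTS = [{"id": i, "name": i} for i in ("app", "web", "log", "json", "stray")]
COMPLETE_RELS = [
    {"parent": "web", "child": "app", "type": DEPENDENCY_OF},
    {"parent": "log", "child": "app", "type": DEPENDENCY_OF},
    {"parent": "json", "child": "web", "type": DEPENDENCY_OF},
]
# The same packages as a flat lockfile would relate them: all attached to the root.
FLAT_RELS = [{"parent": p, "child": "app", "type": DEPENDENCY_OF}
             for p in ("web", "log", "json")]

if __name__ == "__main__":
    print(describe(ARTIFACTS, COMPLETE_RELS, "app"))
    print(describe(ARTIFACTS, FLAT_RELS, "app"))
```

Both samples reach the same three packages, so transitive depth of discovery is identical; only the edge topology differs, which is exactly why the page tracks the two dimensions separately. The orphans list is the quick check for whether a cataloger produced edges at all.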
Licenses
Indicates whether Syft can detect and catalog license information from package metadata. When supported, Syft extracts license declarations from package manifests, metadata files, or installed package databases.
Package manager features
Syft can extract various package manager metadata beyond basic package information:
- Files: Whether Syft can catalog the list of files that are part of a package installation. This provides visibility into all files installed by the package manager.
- Digests: Whether Syft can capture file checksums (digests/hashes) for individual files within a package. This enables integrity verification of installed files. Note: this is not necessarily the actual hash of the file, but instead the claims made by the package manager about those files. We capture actual file hashes in the files section of the SBOM.
- Integrity Hash: Whether Syft can capture a single package-level integrity hash used by package managers to verify the package archive itself (for example, the go.sum file, https://go.dev/ref/mod#go-sum-files, for Go packages).
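The distinction between a package manager's claimed digest and the file's actual hash is what makes the Digests capability useful for integrity checks: a mismatch means the file changed after installation. The script below is an added example, not Syft's code. It assumes a per-file claim shape of path, algorithm and hex value (how the dpkg and rpm databases record file digests, and roughly what Syft carries over), writes a constructed install tree into a temporary directory, tampers with one file after recording its digest, and reports each claimed file as ok, modified, missing or unsupported.

```python
"""Check package-manager digest claims against the files actually on disk.

Added example for this page, not Syft's code. The claim shape
{path, algorithm, value} is an assumption modelled on dpkg/rpm file digest
records. The files are created in a temporary directory so the check runs
offline; one of them is modified after its digest is recorded.
"""
import hashlib
import os
import tempfile


def file_digest(path, algorithm):
    """Hex digest of a file, streamed so large binaries are not read into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_claims(root, claims):
    """Return {path: 'ok' | 'modified' | 'missing' | 'unsupported'}.

    'modified' means the file differs from what the package manager recorded
    at install time. The signal is only as trustworthy as the package database
    itself: an attacker who can rewrite the database can rewrite the claims.
    """
    results = {}
    for claim in claims:
        full = os.path.join(root, claim["path"])
        if not os.path.isfile(full):
            results[claim["path"]] = "missing"
            continue
        try:
            actual = file_digest(full, claim["algorithm"])
        except ValueError:  # hashlib does not know this algorithm name
            results[claim["path"]] = "unsupported"
            continue
        results[claim["path"]] = "ok" if actual == claim["value"].lower() else "modified"
    return results


def demo():
    """Build a constructed install tree and return the verification result."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "usr/bin/tool": b"#!/bin/sh\necho ok\n",
            "etc/example.conf": b"listen = 127.0.0.1\n",
            "lib/libexample.so": b"\x7fELF" + b"\x00" * 12,
        }
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        claims = [
            {"path": "usr/bin/tool", "algorithm": "sha256",
             "value": file_digest(os.path.join(root, "usr/bin/tool"), "sha256")},
            {"path": "etc/example.conf", "algorithm": "sha256",
             "value": file_digest(os.path.join(root, "etc/example.conf"), "sha256")},
            # Recorded by the package manager but no longer present on disk.
            {"path": "usr/share/doc/tool/README", "algorithm": "sha256",
             "value": hashlib.sha256(b"docs").hexdigest()},
            # A claim whose algorithm this Python build cannot compute.
            {"path": "lib/libexample.so", "algorithm": "not-a-real-hash",
             "value": "00"},
        ]
        # Simulate post-install tampering with the config file.
        with open(os.path.join(root, "etc/example.conf"), "ab") as f:
            f.write(b"listen = 0.0.0.0\n")
        return verify_claims(root, claims)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:12} {path}")
```

Run against a real image you would take the claims from the package metadata in a Syft SBOM and the actual hashes from its files section rather than rehashing the disk, but the comparison and the four outcomes are the same.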
Next steps
- Explore capabilities for specific ecosystems using the navigation menu
- Learn about Syft package analysis
- Learn about Grype vulnerability scanning