SBOM Generation

Learn how to create Software Bills of Materials (SBOMs) for container images, filesystems, and archives using Syft.

An SBOM, or Software Bill of Materials, is a detailed list of all the components, libraries, and modules that make up a piece of software.

For a developer, having an SBOM is crucial for tracking dependencies, quickly identifying known vulnerabilities within those components, and ensuring license compliance.

For a consumer or organization using the software, an SBOM provides transparency into the software’s supply chain, allowing them to assess potential security risks and understand what’s “under the hood.”

Syft is an open-source command-line tool and Go library. Its primary function is to scan container images, file systems, and archives to automatically generate a Software Bill of Materials, making it easier to understand the composition of software.
Getting Started

Use Syft to generate your first SBOM from container images, directories, or archives.

Supported Sources

Explore the different sources Syft can analyze including container images, OCI registries, directories, files, and archives.

Output Formats

Choose from multiple SBOM output formats including SPDX, CycloneDX, and Syft’s native JSON format.

Working with Syft JSON

Learn how to work with Syft’s native JSON format including querying with jq, extracting metadata, and understanding the SBOM structure.

Package Catalogers

Configure which package catalogers Syft uses to discover software components including language-specific and file-based catalogers.

File Selection

Control which files and directories Syft includes or excludes when generating SBOMs.

Using Templates

Create custom SBOM output formats using Go templates with available data fields to build tailored reports for specific tooling or compliance requirements.

Format Conversion

Convert existing SBOMs between different formats including SPDX and CycloneDX using Syft’s experimental conversion capabilities.

Attestation

Generate cryptographically signed SBOM attestations using in-toto and Sigstore to create, verify, and attach attestations to container images for supply chain security.

Last modified October 10, 2025: fix reference links (1594d93)