Projects
Anchore Open Source Tools
We maintain three popular command-line tools, some libraries, and supporting utilities. Most are written in Go, with a few in Python. They are all released under the Apache-2.0 license. For the full list, see our GitHub org.
Syft
SBOM Generator and Library
Syft (pronounced like sift) is an open-source command-line tool and Go library. Its primary function is to scan container images, file systems, and archives to automatically generate a Software Bill of Materials, making it easier to understand the composition of software.
Grype
Vulnerability Scanner
Grype (pronounced like hype) is an open-source vulnerability scanner specifically designed to analyze container images and filesystems. It works by comparing the software components it finds against a database of known vulnerabilities, providing a report of potential risks so they can be addressed.
Grant
License Scanner
Grant is an open-source command-line tool designed to discover and report on the software licenses present in container images, SBOM documents, or filesystems. It helps users understand the licenses of their software dependencies and can check them against user-defined policies to ensure compliance.
Installing the Tools
The tools are available through many common distribution channels. The full list of official and community-maintained packages can be found on the installation page.
Using the Tools
We have “Getting Started” user guides for SBOM Generation with Syft, Vulnerability Scanning with Grype, and License Scanning.
Developing
Developers also have Contribution Guides for all of our open source tools and libraries.