syft

1.9.0 Opens a new window with list of versions in this module.

CLI tool and library for generating a Software Bill of Materials from container images and filesystems For more information about how to use this package see README

Latest version published 17 days ago

GitHub

Package Health Score

91 / 100

security
No known security issues
popularity
Recognized
maintenance
Healthy
community
Active

Explore Similar Packages

Popularity

Recognized

Imported By: 0
GitHub Stars: 5.74K
Forks: 527
Contributors: 140

Usage Popularity

Based on project statistics from the GitHub repository for the Golang package syft, we found that it has been 5,744 times.

The popularity score for Golang modules is calculated based on the number of stars that the project has on GitHub as well as the number of imports by other modules.

Security

No known security issues

Security risks

Direct Vulnerabilities: 0
C
0
H
0
M
0
L

Indirect Vulnerabilities: Check with Snyk

Release Date

Jul 11, 2024

License

Apache-2.0

Security Policy

Yes

You can connect your project's repository to Snyk to stay up to date on security alerts and receive automatic fix pull requests.

Keep your project free of vulnerabilities with Snyk

Maintenance

Healthy

Commit Frequency

Open Issues: 308
Open PR: 22
Last Release: 17 days ago
Last Commit: 26 days ago

Further analysis of the maintenance status of github.com/anchore/syft based on released golang versions cadence, the repository activity, and other data points determined that its maintenance is Healthy.

We found that github.com/anchore/syft demonstrates a positive version release cadence with at least one new version released in the past 3 months.

As a healthy sign for on-going project maintenance, we found that the GitHub repository had at least 1 pull request or issue interacted with by the community.

Community

Active

Readme.md: Yes
Contributing.md: Yes
Code of Conduct: No
Contributors: 140
Funding: No

A good and healthy external contribution signal for github.com/anchore/syft project, which invites more than one hundred open source maintainers to collaborate on the repository.

We found a way for you to contribute to the project! Looks like github.com/anchore/syft is missing a Code of Conduct.

Embed Package Health Score Badge

Keep your project healthy

Check your go.mod

Ensure all the packages you're using are healthy and well-maintained

Readme

Cute pink owl syft logo

Syft

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

syft-demo

Introduction

Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.

Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. For commercial support options with Syft or Grype, please contact Anchore.

Features

Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries
Supports OCI, Docker and Singularity image formats
Linux distribution identification
Works seamlessly with Grype (a fast, modern vulnerability scanner)
Able to create signed SBOM attestations using the in-toto specification
Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format.

Installation

Syft binaries are provided for Linux, macOS and Windows.

Homebrew

brew install syft

Scoop

scoop install syft

Chocolatey

The chocolatey distribution of Syft is community-maintained and not distributed by the Anchore team

choco install syft -y

Nix

Note: Nix packaging of Syft is community maintained. Syft is available in the stable channel since NixOS 22.05.

nix-env -i syft

... or, just try it out in an ephemeral nix shell:

nix-shell -p syft

Getting started

SBOM

To generate an SBOM for a container image:

syft <img>

The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:

syft <img> --scope all-layers

Output formats

The output format for Syft is configurable as well using the -o (or --output) option:

syft <img> -o

Where the formats available are:

syft-json: Use this to get as much information out of Syft as possible!
syft-text: A row-oriented, human-and-machine-friendly output.
cyclonedx-xml: A XML report conforming to the CycloneDX 1.6 specification.
cyclonedx-xml@1.5: A XML report conforming to the CycloneDX 1.5 specification.
cyclonedx-json: A JSON report conforming to the CycloneDX 1.6 specification.
cyclonedx-json@1.5: A JSON report conforming to the CycloneDX 1.5 specification.
spdx-tag-value: A tag-value formatted report conforming to the SPDX 2.3 specification.
spdx-tag-value@2.2: A tag-value formatted report conforming to the SPDX 2.2 specification.
spdx-json: A JSON report conforming to the SPDX 2.3 JSON Schema.
spdx-json@2.2: A JSON report conforming to the SPDX 2.2 JSON Schema.
github-json: A JSON report conforming to GitHub's dependency snapshot format.
syft-table: A columnar summary (default).
template: Lets the user specify the output format. See "Using templates" below.

Note that flags using the @ can be used for earlier versions of each specification as well.

Supported Ecosystems

Alpine (apk)
C (conan)
C++ (conan)
Dart (pubs)
Debian (dpkg)
Dotnet (deps.json)
Objective-C (cocoapods)
Elixir (mix)
Erlang (rebar3)
Go (go.mod, Go binaries)
Haskell (cabal, stack)
Java (jar, ear, war, par, sar, nar, native-image)
JavaScript (npm, yarn)
Jenkins Plugins (jpi, hpi)
Linux kernel archives (vmlinz)
Linux kernel modules (ko)
Nix (outputs in /nix/store)
PHP (composer)
Python (wheel, egg, poetry, requirements.txt)
Red Hat (rpm)
Ruby (gem)
Rust (cargo.lock)
Swift (cocoapods, swift-package-manager)
Wordpress plugins

Documentation

Our wiki contains further details on the following topics:

Syft Team Meetings

The Syft Team hold regular community meetings online. All are welcome to join to bring topics for discussion.

Check the calendar for the next meeting date.
Add items to the agenda (join this group for write access to the agenda)
See you there!

FAQs

What is syft?

CLI tool and library for generating a Software Bill of Materials from container images and filesystems. Visit Snyk Advisor to see a full health score report for syft, including popularity, security, maintenance & community analysis.

Is syft popular?

The golang package syft receives a total of ? weekly downloads. As such, syft popularity was classified as a recognized. Visit the popularity section on Snyk Advisor to see the full health analysis.

Is syft well maintained?

We found that syft demonstrated a healthy version release cadence and project activity. It has a community of 140 open source contributors collaborating on the project. See the full package health analysis to learn more about the package maintenance status.

Is syft safe to use?

The golang package syft was scanned for known vulnerabilities and missing license, and no issues were found. Thus the package was deemed as safe to use. See the full health analysis review.

Last updated on 26 July-2024, at 01:52 (UTC).

Build a secure application checklist

Select a recommended open source package

Minimize your risk by selecting secure & well maintained open source packages

DONE

Scan your app for vulnerabilities

Scan your application to find vulnerabilities in your: source code, open source dependencies, containers and configuration files

SCAN NOW

Fix identified vulnerabilities

Easily fix your code by leveraging automatically generated PRs

AUTO FIX

Monitor for new issues

New vulnerabilities are discovered every day. Get notified if your application is affected

MONITOR APP