// the find
anchore/syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Syft generates Software Bill of Materials (SBOMs) from container images and filesystems, outputting CycloneDX, SPDX, or its own JSON format. It's a production-ready tool used in CI/CD pipelines and pairs directly with Anchore's Grype for vulnerability scanning. Aimed at security engineers, DevOps teams, and anyone needing supply chain compliance.
- Ecosystem coverage is genuinely broad: Alpine apk, dpkg, RPM, Go binaries, Python, Java JARs, npm, Rust, .NET, Nix, and more — most tools only cover a subset of these well.
- Works as both a CLI and an importable Go library, so you can embed SBOM generation directly in your own tooling without shelling out.
- Supports signed SBOM attestations via in-toto, which is increasingly required for SLSA compliance and federal supply chain mandates.
- The test suite is substantial — integration tests cover specific regression cases (e.g., Java virtual paths, APK buffer sizes, Go binary arch detection), which gives confidence the catalogers actually work on edge cases.
- SBOM accuracy for interpreted languages without lock files (e.g., scanning a raw Python virtualenv or a fat JAR with shaded dependencies) can be hit or miss — you'll find missing or duplicated packages in real-world images.
- The Go library API is not stable and has broken between releases; if you embed syft as a library dependency, expect to chase API changes on upgrades.
- SPDX output has had ongoing compliance issues with certain validators and toolchains — the format support feels like it lags slightly behind the CLI's core cataloging quality.
- Scanning very large images is memory-hungry; there's no streaming or incremental mode, so analyzing multi-GB images in constrained CI environments can cause OOM kills.
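The duplicated-or-missing-package problem noted above is worth catching before an SBOM is handed to Grype or a compliance pipeline. The script below is an added example, not code from syft or Anchore: it audits a CycloneDX JSON document of the shape syft writes with `-o cyclonedx-json`, reporting components that share a purl and components that lack a purl or version, and producing a de-duplicated component list. The embedded SBOM is constructed for the example; its component names and versions are invented, and the fields used (`bomFormat`, `components[].purl`, `name`, `version`) are standard CycloneDX fields.

```python
import json
from collections import Counter

# Constructed sample: a trimmed CycloneDX JSON document in the layout syft emits.
# The component entries are invented for this example. They include one exact
# duplicate (a common result of the same wheel being found via two catalogers)
# and one entry with no purl or version (typical for vendored or shaded code).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "vendored-thing"},
    ],
})


def load_components(sbom_text):
    """Parse a CycloneDX JSON string and return its top-level component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def find_duplicates(components):
    """Return purls that appear more than once, sorted for stable output."""
    counts = Counter(c.get("purl") for c in components if c.get("purl"))
    return sorted(purl for purl, n in counts.items() if n > 1)


def find_incomplete(components):
    """Return names of components a scanner cannot match: no purl or no version."""
    return sorted(c.get("name", "<unnamed>") for c in components
                  if not c.get("purl") or not c.get("version"))


def dedupe(components):
    """Drop repeated components, keying on purl when present, else (name, version)."""
    seen = set()
    unique = []
    for c in components:
        key = c.get("purl") or (c.get("name"), c.get("version"))
        if key in seen:
            continue
        seen.add(key)
        unique.append(c)
    return unique


def audit(sbom_text):
    """Summarise an SBOM: total components, duplicate purls, unmatched entries."""
    comps = load_components(sbom_text)
    return {
        "total": len(comps),
        "duplicates": find_duplicates(comps),
        "incomplete": find_incomplete(comps),
        "unique": len(dedupe(comps)),
    }


if __name__ == "__main__":
    # Replace SAMPLE_SBOM with open("sbom.json").read() to audit real syft output.
    print(json.dumps(audit(SAMPLE_SBOM), indent=2))
```

Entries reported under `incomplete` are the ones that will silently produce no vulnerability matches downstream, so they deserve a manual look rather than being dropped; `dedupe` is only safe to apply to exact purl duplicates, which is why it keys on purl first.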