whatisgithub

What is syft?

anchore/syft — explained in plain English

Analysis updated 2026-06-24

8,925GoAudience · ops devopsComplexity · 2/5LicenseSetup · easy

In one sentence

A command-line tool that scans container images or code folders and produces an inventory list of every package and library inside, in standard formats that security tools can read. Makes it straightforward to check software for known vulnerabilities.

Mindmap

mindmap
  root((Syft))
    What it does
      Generates SBOMs
      Scans containers
      Scans directories
    Package ecosystems
      Alpine and Debian
      Python and Go
      Java and npm
    Output formats
      CycloneDX JSON
      SPDX
    Features
      Signed attestations
      Pairs with Grype
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a Docker container image to list every package it contains and export the result as a CycloneDX JSON file.

USE CASE 2

Generate a signed SBOM attestation for a software release to prove what packages are bundled inside.

USE CASE 3

Pair with Grype to automatically check all packages in a container for known CVEs.

USE CASE 4

Audit a directory of code to inventory all Go modules, Python packages, and npm packages present.

What is it built with?

GoDockerHomebrew

How does it compare?

anchore/syftteamhanko/hankocookiey/yearning
Stars8,9258,9258,943
LanguageGoGoGo
Setup difficultyeasymoderatehard
Complexity2/53/54/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min
Use freely for any purpose including commercial projects as long as you include the copyright notice.

So what is it?

Syft is a command-line tool written in Go that generates a Software Bill of Materials, commonly called an SBOM, for software you are running or distributing. An SBOM is essentially an inventory list: it catalogs all the packages and libraries bundled inside a container image or a folder of code, along with their versions and where they came from. Having that list makes it much easier to check whether any of those components have known security vulnerabilities. The tool works by scanning a container image, a directory, or an archive file and detecting what packages are present. It can identify components from a wide range of packaging systems: Alpine Linux packages, Debian packages, RPM packages (used by Red Hat-based Linux distributions), Go modules, Python packages, JavaScript packages, Java JARs, Ruby gems, Rust crates, PHP packages.NET assemblies, and more. You point it at something you want to inspect and it figures out what is inside. The output can be written in several standard SBOM formats, including CycloneDX and SPDX, which are the two most widely recognized in the industry. These formats can be read by other security tools. Syft is designed to pair directly with Grype, a separate vulnerability scanner from the same company, which takes a Syft SBOM and checks it against databases of known vulnerabilities. Running it is straightforward. The command syft alpine:latest scans the Alpine Linux container image and prints what it finds. Adding a format flag like -o cyclonedx-json writes the results as a file instead. The tool can also produce signed SBOM attestations, which are a way to cryptographically prove that a specific SBOM was generated for a specific piece of software. Syft is developed by Anchore, released under the Apache 2.0 license, and available via Homebrew, Docker, and a curl installer.

Copy-paste prompts

Prompt 1
Using Syft, generate a CycloneDX SBOM for a Docker image called myapp:latest and save it to sbom.json.
Prompt 2
I want to scan a local directory with Syft and get an SPDX-format software bill of materials. Show me the exact command.
Prompt 3
Set up a CI pipeline step that uses Syft to generate an SBOM and then uses Grype to check it for vulnerabilities.
Prompt 4
How do I create a signed SBOM attestation with Syft for a container image I am about to publish?

Frequently asked questions

What is syft?

A command-line tool that scans container images or code folders and produces an inventory list of every package and library inside, in standard formats that security tools can read. Makes it straightforward to check software for known vulnerabilities.

What language is syft written in?

Mainly Go. The stack also includes Go, Docker, Homebrew.

What license does syft use?

Use freely for any purpose including commercial projects as long as you include the copyright notice.

How hard is syft to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is syft for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.