Packages and Binaries:

syft

This package contains a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

  • Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries
  • Supports OCI, Docker and Singularity image formats
  • Linux distribution identification
  • Works seamlessly with Grype (a fast, modern vulnerability scanner)
  • Able to create signed SBOM attestations using the in-toto specification
  • Convert between SBOM formats, such as CycloneDX, SPDX, and Syft’s own format.

Installed size: 51.05 MB
How to install: sudo apt install syft

Dependencies:
  • libc6
syft
root@kali:~# syft -h
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems

Usage:
  syft [command]

Application Configuration:

  # the configuration file that was used to load application configuration (env: SYFT_CONFIG)
  # NOTE(review): when unset, the first match among the "Config Search Locations" listed further down is
  # presumably used, starting with .syft.yaml in the working directory — review that file before scanning an
  # untrusted checkout, since the same schema can switch on the registry insecure-* and remote-lookup options below.
  config: ''
  
  # report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (env: SYFT_OUTPUT)
  output: 
    - 'syft-table'
  
  # file to write the default report output to (default is STDOUT) (env: SYFT_LEGACYFILE)
  # deprecated in favour of output (see the --file flag help below)
  legacyFile: ''
  
  format:
    # (env: SYFT_FORMAT_PRETTY)
    # bare value parses as null (unset); the per-format pretty keys below carry the effective defaults
    pretty:
    
    template:
      # specify the path to a Go template file (env: SYFT_FORMAT_TEMPLATE_PATH)
      path: ''
      
      # (env: SYFT_FORMAT_TEMPLATE_LEGACY)
      legacy: false
      
    json:
      # (env: SYFT_FORMAT_JSON_LEGACY)
      legacy: false
      
      # (env: SYFT_FORMAT_JSON_PRETTY)
      pretty: false
      
    spdx-json:
      # (env: SYFT_FORMAT_SPDX_JSON_PRETTY)
      pretty: false
      
    cyclonedx-json:
      # (env: SYFT_FORMAT_CYCLONEDX_JSON_PRETTY)
      pretty: false
      
    cyclonedx-xml:
      # (env: SYFT_FORMAT_CYCLONEDX_XML_PRETTY)
      pretty: false
      
  # whether to check for an application update on start up or not (env: SYFT_CHECK_FOR_APP_UPDATE)
  # presumably an outbound request at start-up; set false on offline/air-gapped hosts — confirm
  check-for-app-update: true
  
  # enable one or more package catalogers (env: SYFT_CATALOGERS)
  catalogers: []
  
  # set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source) (env: SYFT_DEFAULT_CATALOGERS)
  default-catalogers: []
  
  # add, remove, and filter the catalogers to be used (env: SYFT_SELECT_CATALOGERS)
  select-catalogers: []
  
  package:
    # (env: SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES)
    search-unindexed-archives: false
    
    # (env: SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES)
    search-indexed-archives: true
    
    # (env: SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
    exclude-binary-overlap-by-ownership: true
    
  file:
    metadata:
      # (env: SYFT_FILE_METADATA_SELECTION)
      selection: owned-by-package
      
      # (env: SYFT_FILE_METADATA_DIGESTS)
      digests: 
        - 'sha1'
        - 'sha256'
      
    content:
      # (env: SYFT_FILE_CONTENT_SKIP_FILES_ABOVE_SIZE)
      skip-files-above-size: 256000
      
      # (env: SYFT_FILE_CONTENT_GLOBS)
      # NOTE(review): contents of matching files are presumably embedded in the SBOM — keep secret or
      # credential files out of these globs, since the SBOM is often shared more widely than the source; confirm
      globs: []
      
  # selection of layers to catalog, options=[squashed all-layers] (env: SYFT_SCOPE)
  scope: 'squashed'
  
  # number of cataloger workers to run in parallel (env: SYFT_PARALLELISM)
  parallelism: 1
  
  relationships:
    # include package-to-file relationships that indicate which files are owned by which packages. (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP)
    package-file-ownership: true
    
    # include package-to-package relationships that indicate one package is owned by another due to files claimed to be owned by one package are also evidence of another package's existence. (env: SYFT_RELATIONSHIPS_PACKAGE_FILE_OWNERSHIP_OVERLAP)
    package-file-ownership-overlap: true
    
  golang:
    # (env: SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES)
    search-local-mod-cache-licenses: false
    
    # (env: SYFT_GOLANG_LOCAL_MOD_CACHE_DIR)
    local-mod-cache-dir: ''
    
    # (env: SYFT_GOLANG_SEARCH_REMOTE_LICENSES)
    # true makes a scan contact a remote module source for license data (outbound traffic from the scan host);
    # proxy / no-proxy below presumably scope which hosts are reached — confirm
    search-remote-licenses: false
    
    # (env: SYFT_GOLANG_PROXY)
    proxy: ''
    
    # (env: SYFT_GOLANG_NO_PROXY)
    no-proxy: ''
    
  java:
    # (env: SYFT_JAVA_USE_NETWORK)
    # true lets the Java cataloger fetch over the network (presumably parent POMs from maven-url); in restricted
    # networks point maven-url at an internal mirror rather than allowing arbitrary egress — confirm
    use-network: false
    
    # (env: SYFT_JAVA_MAVEN_URL)
    maven-url: ''
    
    # (env: SYFT_JAVA_MAX_PARENT_RECURSIVE_DEPTH)
    max-parent-recursive-depth: 0
    
  javascript:
    # (env: SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES)
    # true presumably queries npm-base-url for license data during the scan; same egress consideration as golang/java
    search-remote-licenses: false
    
    # (env: SYFT_JAVASCRIPT_NPM_BASE_URL)
    npm-base-url: ''
    
  linux-kernel:
    # (env: SYFT_LINUX_KERNEL_CATALOG_MODULES)
    catalog-modules: true
    
  python:
    # (env: SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS)
    guess-unpinned-requirements: false
    
  registry:
    # (env: SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
    # keep false: skipping certificate verification lets an on-path party serve a substituted image to the scan;
    # for a private CA use ca-cert below instead
    insecure-skip-tls-verify: false
    
    # (env: SYFT_REGISTRY_INSECURE_USE_HTTP)
    # keep false: plain-HTTP registry traffic carries credentials and image content unencrypted
    insecure-use-http: false
    
    # presumably per-registry credentials; prefer `syft login` / environment variables over committing values here — confirm
    auth: []
    
    # (env: SYFT_REGISTRY_CA_CERT)
    # CA certificate to trust for registry TLS — the safe alternative to insecure-skip-tls-verify
    ca-cert: ''
    
  # an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: SYFT_PLATFORM)
  platform: ''
  
  source:
    # set the name of the target being analyzed (env: SYFT_SOURCE_NAME)
    name: ''
    
    # set the version of the target being analyzed (env: SYFT_SOURCE_VERSION)
    version: ''
    
    # base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory (env: SYFT_SOURCE_BASE_PATH)
    base-path: ''
    
    file:
      # (env: SYFT_SOURCE_FILE_DIGESTS)
      digests: 
        - 'sha256'
      
    image:
      # (env: SYFT_SOURCE_IMAGE_DEFAULT_PULL_SOURCE)
      default-pull-source: ''
      
  # exclude paths from being scanned using a glob expression (env: SYFT_EXCLUDE)
  exclude: []
  
  log:
    # suppress all logging output (env: SYFT_LOG_QUIET)
    quiet: false
    
    # increase verbosity (-v = info, -vv = debug) (env: SYFT_LOG_VERBOSITY)
    verbosity: 0
    
    # explicitly set the logging level (available: [error warn info debug trace]) (env: SYFT_LOG_LEVEL)
    level: warn
    
    # file path to write logs to (env: SYFT_LOG_FILE)
    file: ''
    
  dev:
    # capture resource profiling data (available: [cpu, mem]) (env: SYFT_DEV_PROFILE)
    profile: none
    
  # show catalogers that have been de-selected (env: SYFT_SHOW_HIDDEN)
  show-hidden: false
  
  # (env: SYFT_KEY)
  # bare value parses as null (unset). Presumably the signing key used by `syft attest`; supply it via SYFT_KEY
  # rather than writing it into a config file that lives in one of the search locations — confirm
  key:
  
  # (env: SYFT_PASSWORD)
  # bare value parses as null (unset). Presumably the password for that key; same handling as key — confirm
  password:

Config Search Locations:
  - .syft.yaml
  - .syft/config.yaml
  - /root/.syft.yaml
  - /root/.config/syft/config.yaml
  - /etc/xdg/syft/config.yaml

Available Commands:
  attest      Generate an SBOM as an attestation for the given [SOURCE] container image
  cataloger   Show available catalogers and configuration
  completion  Generate the autocompletion script for the specified shell
  convert     Convert between SBOM formats
  help        Help about any command
  login       Log in to a registry
  scan        Generate an SBOM
  version     show version information

Flags:
      --base-path string                          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
  -c, --config string                             syft configuration file
      --exclude stringArray                       exclude paths from being scanned using a glob expression
      --file string                               file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
  -h, --help                                      help for syft
  -o, --output stringArray                        report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
      --override-default-catalogers stringArray   set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
      --platform string                           an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
  -q, --quiet                                     suppress all logging output
  -s, --scope string                              selection of layers to catalog, options=[squashed all-layers] (default "squashed")
      --select-catalogers stringArray             add, remove, and filter the catalogers to be used
      --source-name string                        set the name of the target being analyzed
      --source-version string                     set the version of the target being analyzed
  -t, --template string                           specify the path to a Go template file
  -v, --verbose count                             increase verbosity (-v = info, -vv = debug)
      --version                                   version for syft

Use "syft [command] --help" for more information about a command.

Updated on: 2024-Feb-16