Packages and Binaries:

syft

This package contains a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

  • Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries
  • Supports OCI, Docker and Singularity image formats
  • Linux distribution identification
  • Works seamlessly with Grype (a fast, modern vulnerability scanner)
  • Able to create signed SBOM attestations using the in-toto specification
  • Convert between SBOM formats, such as CycloneDX, SPDX, and Syft’s own format.

Installed size: 34.97 MB
How to install: sudo apt install syft

Dependencies:
  • libc6
syft
root@kali:~# syft -h
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems

Usage:
  syft [SOURCE] [flags]
  syft [command]

Examples:
  syft packages alpine:latest                                a summary of discovered packages
  syft packages alpine:latest -o json                        show all possible cataloging details
  syft packages alpine:latest -o cyclonedx                   show a CycloneDX formatted SBOM
  syft packages alpine:latest -o cyclonedx-json              show a CycloneDX JSON formatted SBOM
  syft packages alpine:latest -o spdx                        show a SPDX 2.3 Tag-Value formatted SBOM
  syft packages alpine:latest -o [email protected]                    show a SPDX 2.2 Tag-Value formatted SBOM
  syft packages alpine:latest -o spdx-json                   show a SPDX 2.3 JSON formatted SBOM
  syft packages alpine:latest -o [email protected]               show a SPDX 2.2 JSON formatted SBOM
  syft packages alpine:latest -vv                            show verbose debug information
  syft packages alpine:latest -o template -t my_format.tmpl  show a SBOM formatted according to given template file

  Supports the following image sources:
    syft packages yourrepo/yourimage:tag     defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
    syft packages path/to/a/file/or/dir      a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory

  You can also explicitly specify the scheme to use:
    syft packages docker:yourrepo/yourimage:tag            explicitly use the Docker daemon
    syft packages podman:yourrepo/yourimage:tag            explicitly use the Podman daemon
    syft packages registry:yourrepo/yourimage:tag          pull image directly from a registry (no container runtime required)
    syft packages docker-archive:path/to/yourimage.tar     use a tarball from disk for archives created from "docker save"
    syft packages oci-archive:path/to/yourimage.tar        use a tarball from disk for OCI archives (from Skopeo or otherwise)
    syft packages oci-dir:path/to/yourimage                read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
    syft packages singularity:path/to/yourimage.sif        read directly from a Singularity Image Format (SIF) container on disk
    syft packages dir:path/to/yourproject                  read directly from a path on disk (any directory)
    syft packages file:path/to/yourproject/file            read directly from a path on disk (any single file)


Available Commands:
  attest      Generate an SBOM as an attestation for the given [SOURCE] container image
  completion  Generate the autocompletion script for the specified shell
  convert     Convert between SBOM formats
  help        Help about any command
  login       Log in to a registry
  packages    Generate a package SBOM
  version     show the version

Flags:
      --base-path string         base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
      --catalogers stringArray   enable one or more package catalogers
  -c, --config string            application config file
      --exclude stringArray      exclude paths from being scanned using a glob expression
      --file string              file to write the default report output to (default is STDOUT)
  -h, --help                     help for syft
      --name string              set the name of the target being analyzed (DEPRECATED: use: source-name)
  -o, --output stringArray       report output format, options=[syft-json cyclonedx-xml cyclonedx-json github-json spdx-tag-value spdx-json syft-table syft-text template] (default [syft-table])
      --platform string          an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
  -q, --quiet                    suppress all logging output
  -s, --scope string             selection of layers to catalog, options=[Squashed AllLayers] (default "Squashed")
      --source-name string       set the name of the target being analyzed
      --source-version string    set the name of the target being analyzed
  -t, --template string          specify the path to a Go template file
  -v, --verbose count            increase verbosity (-v = info, -vv = debug)
      --version                  version for syft

Use "syft [command] --help" for more information about a command.

Updated on: 2023-Aug-10