Using syft - SethBodine/audit-tools GitHub Wiki

Using syft

Syft is a software bill of materials (SBOM) generator for container images and filesystems. It catalogues all packages, libraries, and dependencies it finds and produces output in a range of standard SBOM formats. Its output can be consumed directly by grype for vulnerability scanning.

  • Generates SBOMs for container images, directories, and archives
  • Supports SPDX, CycloneDX, and Syft-native JSON formats
  • Works with images from Docker, GHCR, and other registries
  • Output can be piped directly into grype

Prepare the Environment

No setup is required beyond having the syft binary available; run the commands below from the shell.

Gather Data

Container Image

syft <image-name>:<tag>                # e.g. syft nginx:latest
syft <image-name> -o json             # JSON output

Filesystem / Local Directory

syft dir:<path>                        # e.g. syft dir:.

Output Formats

syft <image-name> -o spdx-json > /output/sbom.spdx.json
syft <image-name> -o cyclonedx-json > /output/sbom.cyclonedx.json
syft <image-name> -o syft-json > /output/sbom.syft.json

Pipe into grype for Vulnerability Scanning

syft <image-name> -o json | grype

Scan a Tarball

syft docker-archive:<path/to/image.tar>
syft oci-archive:<path/to/image.tar>
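The commands above, gathered into one script as an added example (this is not code from the audit-tools wiki or from the syft/grype projects): it validates the source string so that a stray flag or path is never passed to syft, runs syft once per output format, saves each SBOM under an output directory in the same way the redirects above do, and then feeds the syft-json file to grype on stdin, which is the programmatic form of the pipe shown above. It assumes syft and grype are on PATH; the output directory name, the file-naming scheme and the source validation rules are my own choices.

```python
"""Generate SBOMs with syft in the formats the wiki lists and hand one to grype.
Added example for this wiki page, not syft's or grype's own code; assumes the
syft and grype binaries are on PATH."""
import re
import shutil
import subprocess
from pathlib import Path

# Output format -> file suffix, matching the redirect targets used on the page.
FORMATS = {
    "spdx-json": "spdx.json",
    "cyclonedx-json": "cyclonedx.json",
    "syft-json": "syft.json",
}

# Explicit source schemes shown on the page; anything else must look like an
# image reference (no leading dash, conservative character set), so a stray
# flag never reaches syft unchecked.
SOURCE_SCHEMES = ("dir:", "docker-archive:", "oci-archive:")
IMAGE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/:@-]*")


def is_valid_source(source):
    """True for 'scheme:path' with a non-empty path, or a plain image reference."""
    if source.startswith(SOURCE_SCHEMES):
        return len(source.split(":", 1)[1]) > 0
    return IMAGE_REF.fullmatch(source) is not None


def output_name(source, fmt):
    """Filesystem-safe file name, e.g. nginx:latest -> nginx_latest.spdx.json."""
    raw = source.split(":", 1)[1] if source.startswith(SOURCE_SCHEMES) else source
    stem = re.sub(r"[^A-Za-z0-9-]+", "_", raw).strip("_") or "sbom"
    return f"{stem}.{FORMATS[fmt]}"


def syft_command(source, fmt):
    """argv for `syft <source> -o <format>`, rejecting unknown formats/sources."""
    if fmt not in FORMATS:
        raise ValueError(f"unsupported format {fmt!r}; choose from {sorted(FORMATS)}")
    if not is_valid_source(source):
        raise ValueError(f"refusing to pass {source!r} to syft")
    return ["syft", source, "-o", fmt]


def generate_sboms(source, out_dir):
    """Run syft once per format; each SBOM is written to out_dir (the page's redirect form)."""
    if shutil.which("syft") is None:
        raise RuntimeError("syft not found on PATH")
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for fmt in FORMATS:
        proc = subprocess.run(syft_command(source, fmt), check=True,
                              capture_output=True, text=True)
        path = out_dir / output_name(source, fmt)
        path.write_text(proc.stdout)
        written[fmt] = path
    return written


def scan_with_grype(sbom_path):
    """Equivalent of `syft <image> -o json | grype`: grype reads the SBOM from stdin."""
    if shutil.which("grype") is None:
        raise RuntimeError("grype not found on PATH")
    proc = subprocess.run(["grype"], input=Path(sbom_path).read_text(),
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "nginx:latest"
    files = generate_sboms(target, "output")
    print(scan_with_grype(files["syft-json"]))
```

Running it as `python sbom.py dir:.` or `python sbom.py docker-archive:/path/to/image.tar` covers the directory and tarball cases from the sections above; keeping the saved SBOM files around means a later grype run can reuse them without re-cataloguing the image.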

Known Issues

  • Syft catalogues packages based on package manager metadata (e.g. package.json, go.sum, requirements.txt). Binaries compiled from source or installed without a package manager will not appear in the SBOM.
  • SBOM accuracy depends on how complete the package metadata is within the image or directory being scanned. Distroless or scratch-based images may produce sparse results.
  • Syft emits a particular CycloneDX and SPDX specification version; check which version your downstream tooling expects before piping output into other tools.
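An added example (not from the wiki) that checks an SBOM for the caveats above: it counts catalogued packages per ecosystem and warns when a syft-json result looks sparse or carries no distro, and it reports which format and specification version a JSON SBOM declares so it can be compared with what the downstream tool expects. The embedded documents are constructed samples containing only the fields the check reads; the package-count threshold is an assumed default, not a syft value.

```python
"""Sanity-check an SBOM produced by syft for sparse results and report its
format version. Added example for this wiki page; the embedded documents
are constructed samples, not real syft output."""
import json
import sys
from collections import Counter

# Constructed syft-json sample with only the fields this check reads.
SAMPLE_SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "openssl", "version": "3.0.2-0ubuntu1.10", "type": "deb"},
        {"name": "libc6", "version": "2.35-0ubuntu3.1", "type": "deb"},
        {"name": "express", "version": "4.18.2", "type": "npm"},
    ],
    "source": {"type": "image", "target": {"userInput": "example/app:1.0"}},
    "distro": {"name": "ubuntu", "version": "22.04"},
    "schema": {"version": "16.0.0"},
})


def detect_format(sbom_text):
    """Return (format, version) for a JSON SBOM from its top-level marker fields:
    CycloneDX carries bomFormat/specVersion, SPDX carries spdxVersion, and
    syft-json carries schema.version."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return ("cyclonedx", doc.get("specVersion"))
    if "spdxVersion" in doc:
        return ("spdx", doc["spdxVersion"])
    if "artifacts" in doc:
        return ("syft-json", doc.get("schema", {}).get("version"))
    return ("unknown", None)


def summarize(sbom_text, min_packages=10):
    """Count packages per ecosystem in a syft-json SBOM and flag results that
    look sparse. min_packages is an assumed threshold, not a syft value."""
    doc = json.loads(sbom_text)
    artifacts = doc.get("artifacts", [])
    by_type = Counter(a.get("type", "unknown") for a in artifacts)
    distro = (doc.get("distro") or {}).get("name")
    warnings = []
    if len(artifacts) < min_packages:
        warnings.append(
            f"only {len(artifacts)} packages catalogued: distroless/scratch base "
            "or software installed without a package manager?")
    if distro is None:
        warnings.append("no distro detected: OS package catalogers found no metadata")
    return {"total": len(artifacts), "by_type": dict(by_type),
            "distro": distro, "warnings": warnings}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYFT_JSON
    fmt, version = detect_format(text)
    print(f"format: {fmt} {version}")
    if fmt == "syft-json":
        report = summarize(text)
        print(f"packages: {report['total']} {report['by_type']}, distro: {report['distro']}")
        for warning in report["warnings"]:
            print("WARNING:", warning)
```

Run it against a saved SBOM (`python check_sbom.py /output/sbom.syft.json`); a warning here is a prompt to look at the image more closely rather than to trust an empty scan as clean, since packages absent from the SBOM are also absent from the grype result.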
