diff --git a/Makefile b/Makefile index 0caeb4cc0..fbcd38382 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ SUCCESS := $(BOLD)$(GREEN) COVERAGE_THRESHOLD := 68 # CI cache busting values; change these if you want CI to not use previous stored cache COMPARE_CACHE_BUSTER="f7e689d76a9" -INTEGRATION_CACHE_BUSTER="789bacdf" +INTEGRATION_CACHE_BUSTER="23493ba738c3d2f" CLI_CACHE_BUSTER="789bacdf" BOOTSTRAP_CACHE="789bacdf" diff --git a/README.md b/README.md index 83d1f2f6e..6210b6228 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # syft -[![Static Analysis + Unit + Integration](https://github.com/anchore/syft/workflows/Static%20Analysis%20+%20Unit%20+%20Integration/badge.svg)](https://github.com/anchore/syft/actions?query=workflow%3A%22Static+Analysis+%2B+Unit+%2B+Integration%22) -[![Acceptance](https://github.com/anchore/syft/workflows/Acceptance/badge.svg)](https://github.com/anchore/syft/actions?query=workflow%3AAcceptance) +[![Validations](https://github.com/anchore/syft/workflows/validations.yaml/badge.svg)](https://github.com/anchore/syft/workflows/validations.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/anchore/syft)](https://goreportcard.com/report/github.com/anchore/syft) [![GitHub release](https://img.shields.io/github/release/anchore/syft.svg)](https://github.com/anchore/syft/releases/latest) [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/anchore/syft/blob/main/LICENSE) @@ -22,28 +21,28 @@ If you encounter an issue, please [let us know using the issue tracker](https:// To generate an SBOM for a Docker or OCI image: ``` -syft +syft packages ``` The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide `--scope all-layers`: ``` -syft --scope all-layers +syft packages --scope all-layers ``` Syft can generate a SBOM from a variety of sources: ``` # catalog a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands) -syft path/to/image.tar +syft packages path/to/image.tar # catalog a directory -syft path/to/dir +syft packages path/to/dir ``` The output format for Syft is configurable as well: ``` -syft -o +syft packages -o ``` Where the `format`s available are: @@ -93,19 +92,28 @@ quiet: false # same as SYFT_CHECK_FOR_APP_UPDATE env var check-for-app-update: true +# cataloging packages is exposed through the packages and power-user subcommands packages: + # enable/disable cataloging of packages + # SYFT_PACKAGES_CATALOGING_ENABLED env var + cataloging-enabled: true + # the search space to look for packages (options: all-layers, squashed) - # same as -s ; SYFT_SCOPE env var + # same as -s ; SYFT_PACKAGES_SCOPE env var scope: "squashed" +# cataloging file metadata is exposed through the power-user subcommand file-metadata: - # enable/disable cataloging if file metadata + # enable/disable cataloging of file metadata + # SYFT_FILE_METADATA_CATALOGING_ENABLED env var cataloging-enabled: true # the search space to look for file metadata (options: all-layers, squashed) + # SYFT_FILE_METADATA_SCOPE env var scope: "squashed" # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1") + # SYFT_FILE_METADATA_DIGESTS env var digests: ["sha256"] log: @@ -121,6 +129,7 @@ log: # same as SYFT_LOG_FILE env var file: "" +# uploading package SBOM is exposed through the packages subcommand anchore: # (feature-preview) the Anchore Enterprise Host or URL to upload results to (supported on Enterprise 3.0+) # same as -H ; SYFT_ANCHORE_HOST env var