* Vcpkg cataloger for vcpkg "Manifest Mode" Find and parse vcpkg-lock.json to get HEAD commit hash Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * just use local vcpkg git repo if it exists, clone it if it doesn't Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Config opt for git remote clones for vcpkg and README update Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * Look in vcpkg cache git repo for custom git repos Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add triplet to metadata and support overlay-ports from config file Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add PURL to packages (not sure if this is correct) Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * flatten structs in pkg module and move vcpkg structs to resolver Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * account for overriden versions in toplevel manifest Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * generate json schema for vcpkg metadata Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * test for basic vcpkg project dependencies for vcpkg registry to be pulled in add tree hashes and use correct git hash in builtin-baseline for helloworld test vcpkg-registry for testing that uses object hashes from syft repo fix broken tests Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * formatting Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * fix static-analysis violations Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix integration test failure Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * remove uneeded files from vcpkg test fixture and use custom registry Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * change vcpkg registry to anchore one Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * purl spec based on open PR Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * generate-json-schema Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * rebased and generate json schema 16.0.40 Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * address low hanging fruit Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * handle additional comments Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate to testdata Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * improve docs and testing Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix static analysis Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove license from pkg metadata Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix capabilities claim Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Syft
A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.
Features
- Generates SBOMs for container images, filesystems, archives (see the docs for a full list of supported scan targets)
- Supports dozens of packaging ecosystems (e.g. Alpine (apk), Debian (dpkg), RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, .NET, and many more)
- Supports OCI, Docker, Singularity, and more image formats
- Works seamlessly with Grype for vulnerability scanning
- Multiple output formats (CycloneDX, SPDX, Syft JSON, and more) including the ability to convert between SBOM formats
- Create signed SBOM attestations using the in-toto specification
Tip
New to Syft? Check out the Getting Started guide for a walkthrough!
Installation
The quickest way to get up and going:
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
Tip
See Installation docs for more ways to get Syft, including Homebrew, Docker, Scoop, Chocolatey, Nix, and more!
The basics
See the packages within a container image or directory:
# container image
syft alpine:latest
# directory
syft ./my-project
To get an SBOM, specify one or more output formats:
# SBOM to stdout
syft <image> -o cyclonedx-json
# Multiple SBOMs to files
syft <image> -o spdx-json=./spdx.json -o cyclonedx-json=./cdx.json
Tip
Check out the Getting Started guide to explore all of the capabilities and features.
Want to know all of the ins-and-outs of Syft? Check out the CLI docs, configuration docs, and JSON schema.
Contributing
We encourage users to help make these tools better by submitting issues when you find a bug or want a new feature. Check out our contributing overview and developer-specific documentation if you are interested in providing code contributions.
Syft development is sponsored by Anchore, and is released under the Apache-2.0 License.
The Syft logo by Anchore is licensed under CC BY 4.0
For commercial support options with Syft or Grype, please contact Anchore.
Come talk to us!
The Syft Team holds regular community meetings online. All are welcome to join to bring topics for discussion.
- Check the calendar for the next meeting date.
- Add items to the agenda (join this group for write access to the agenda)
- See you there!
