mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 08:23:15 +01:00
c732052cf1
* feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.13 to 0.5.14 (#4089) Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.5.13 to 0.5.14. - [Release notes](https://github.com/gkampitakis/go-snaps/releases) - [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.13...v0.5.14) --- updated-dependencies: - dependency-name: github.com/gkampitakis/go-snaps dependency-version: 0.5.14 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump modernc.org/sqlite from 1.38.1 to 1.38.2 (#4088) Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.38.1 to 1.38.2. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.38.1...v1.38.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/docker/docker (#4092) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.2.2+incompatible to 28.3.3+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v28.2.2...v28.3.3) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-version: 28.3.3+incompatible dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/anchore/stereoscope (#4091) Bumps [github.com/anchore/stereoscope](https://github.com/anchore/stereoscope) from 0.1.7-0.20250716200927-94c6f92877d4 to 0.1.7. - [Release notes](https://github.com/anchore/stereoscope/releases) - [Changelog](https://github.com/anchore/stereoscope/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/stereoscope/commits/v0.1.7) --- updated-dependencies: - dependency-name: github.com/anchore/stereoscope dependency-version: 0.1.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * migrate to get.anchore.io (#4095) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update anchore dependencies (#4098) * chore(deps): update anchore dependencies Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * address reader close operations Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update anchore dependencies (#4104) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.4 to 3.29.5 (#4096) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.4 to 3.29.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](4e828ff8d4...51f77329af) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update tools to latest versions (#4108) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update CPE dictionary index (#4112) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update tools to latest versions (#4111) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/cache in /.github/actions/bootstrap (#4120) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](5a3ec84eff...0400d5f644) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/cache from 4.2.3 to 4.2.4 (#4119) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](5a3ec84eff...0400d5f644) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump docker/login-action from 3.4.0 to 3.5.0 (#4115) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](74a5d14239...184bdaa072) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: nondeterministic Java archive cataloging and improve groupID (#4118) Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add binary classifier for hashicorp vault (#4121) * add binary classifier for hashicorp vault The Go Binary Cataloger isn't able to parse the version out of the binary shipped in the DockerHub images of hashicorp/vault because the version of the main module isn't set in the binary. Therefore, add a binary classifier cataloger for this binary. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore: add test fixtures, update vault Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: set binary classifier package type based on PURL Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: use github.com/hashicorp/vault as package name Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: update tests Signed-off-by: Keith Zantow <kzantow@gmail.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8 (#4124) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.29.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](51f77329af...76621b61de) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump golang.org/x/mod from 0.26.0 to 0.27.0 (#4123) Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.26.0 to 0.27.0. - [Commits](https://github.com/golang/mod/compare/v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 (#4122) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.42.0 to 0.43.0. - [Commits](https://github.com/golang/net/compare/v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update CPE dictionary index (#4126) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore: update GoReleaser configurations (#4128) Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#4130) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](11bd71901b...08c6903cd8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: closed reader during java binary detection (#4129) Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: support multiple letters in openssl patch version (#4106) Signed-off-by: honigbot <thesoftbear@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.8 to 3.29.9 (#4134) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.8 to 3.29.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](76621b61de...df559355d5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: update syft license construction to be able to look up by URL (#4132) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add package supplier flag (#4131) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump zizmorcore/zizmor-action from 0.1.1 to 0.1.2 (#4135) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.1.1 to 0.1.2. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](f52a838cfa...5ca5fc7a47) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add support for authors, maintainers, and contributors in package.json. (#4003) Fixes #2250 --------- Signed-off-by: Alan Pope <alan.pope@anchore.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat(cpegentereate): added test for the addBinaryPackageDigitVariation function Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * docs(cpegenerate): made the comment more verbose Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * nit: separate digit variation concerns from case of use Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> --------- Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Signed-off-by: honigbot <thesoftbear@gmail.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Alan Pope <alan.pope@anchore.com> Signed-off-by: Parthib Mukherjee <109328510+hawkaii@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: anchore-actions-token-generator[bot] <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: honigbot <34426443+honigbot@users.noreply.github.com> Co-authored-by: Alan Pope <alan.pope@anchore.com>
Syft
A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.
Introduction
Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.
Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. For commercial support options with Syft or Grype, please contact Anchore.
Features
- Generates SBOMs for container images, filesystems, archives, and more to discover packages and libraries
- Supports OCI, Docker and Singularity image formats
- Linux distribution identification
- Works seamlessly with Grype (a fast, modern vulnerability scanner)
- Able to create signed SBOM attestations using the in-toto specification
- Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format.
Installation
Syft binaries are provided for Linux, macOS and Windows.
Recommended
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
Install script options:
-b: Specify a custom installation directory (defaults to./bin)-d: More verbose logging levels (-dfor debug,-ddfor trace)-v: Verify the signature of the downloaded artifact before installation (requirescosignto be installed)
Homebrew
brew install syft
Scoop
scoop install syft
Chocolatey
The chocolatey distribution of Syft is community-maintained and not distributed by the Anchore team
choco install syft -y
Nix
Note: Nix packaging of Syft is community maintained. Syft is available in the stable channel since NixOS 22.05.
nix-env -i syft
... or, just try it out in an ephemeral nix shell:
nix-shell -p syft
Getting started
SBOM
To generate an SBOM for a container image:
syft <image>
The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:
syft <image> --scope all-layers
Output formats
The output format for Syft is configurable as well using the -o (or --output) option:
syft <image> -o <format>
Where the formats available are:
syft-json: Use this to get as much information out of Syft as possible!syft-text: A row-oriented, human-and-machine-friendly output.cyclonedx-xml: A XML report conforming to the CycloneDX 1.6 specification.cyclonedx-xml@1.5: A XML report conforming to the CycloneDX 1.5 specification.cyclonedx-json: A JSON report conforming to the CycloneDX 1.6 specification.cyclonedx-json@1.5: A JSON report conforming to the CycloneDX 1.5 specification.spdx-tag-value: A tag-value formatted report conforming to the SPDX 2.3 specification.spdx-tag-value@2.2: A tag-value formatted report conforming to the SPDX 2.2 specification.spdx-json: A JSON report conforming to the SPDX 2.3 JSON Schema.spdx-json@2.2: A JSON report conforming to the SPDX 2.2 JSON Schema.github-json: A JSON report conforming to GitHub's dependency snapshot format.syft-table: A columnar summary (default).template: Lets the user specify the output format. See "Using templates" below.
Note that flags using the @ can be used for earlier versions of each specification as well.
Supported Ecosystems
- Alpine (apk)
- Bitnami packages
- C (conan)
- C++ (conan)
- Dart (pubs)
- Debian (dpkg)
- Dotnet (deps.json)
- Objective-C (cocoapods)
- Elixir (mix)
- Erlang (rebar3)
- Go (go.mod, Go binaries)
- GitHub (workflows, actions)
- Haskell (cabal, stack)
- Java (jar, ear, war, par, sar, nar, native-image)
- JavaScript (npm, yarn)
- Jenkins Plugins (jpi, hpi)
- Linux kernel archives (vmlinz)
- Linux kernel modules (ko)
- Nix (outputs in /nix/store)
- PHP (composer, PECL, Pear)
- Python (wheel, egg, poetry, requirements.txt, uv)
- Red Hat (rpm)
- Ruby (gem)
- Rust (cargo.lock, auditable binary)
- Swift (cocoapods, swift-package-manager)
- Wordpress plugins
- Terraform providers (.terraform.lock.hcl)
Documentation
Our wiki contains further details on the following topics:
- Supported Sources
- File Selection
- Excluding file paths
- Output formats
- Package Cataloger Selection
- Using templates
- Multiple outputs
- Private Registry Authentication
- Attestation (experimental)
- Configuration
Contributing
Check out our contributing guide and developer docs.
Syft Team Meetings
The Syft Team hold regular community meetings online. All are welcome to join to bring topics for discussion.
- Check the calendar for the next meeting date.
- Add items to the agenda (join this group for write access to the agenda)
- See you there!
