SYSTEM Cited by 1 source
syft¶
syft is an open-source CLI tool maintained by Anchore (anchore/syft on GitHub) that generates Software Bill of Materials (SBOMs) from container images, filesystems, archives, or source directories. It emits industry-standard formats — systems/cyclonedx or systems/spdx — and is the canonical upstream producer for Anchore's grype vulnerability scanner.
What syft does¶
Given a target (Docker image / OCI image / filesystem path / tarball / package manifest), syft identifies every package it can detect across:
- OS packages: Debian/Ubuntu (`dpkg`), RHEL/Fedora (`rpm`), Alpine (`apk`).
- Language packages:
  - Java / Kotlin / Scala (`.jar`/`.war` scanning for embedded `pom.properties`).
  - Python (`.dist-info/METADATA`, `.egg-info`, pyproject, poetry/pipenv locks).
  - JavaScript / TypeScript (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`).
  - Go (`go.mod`, Go binary embedded metadata).
  - Rust (`Cargo.lock`).
  - Ruby (`Gemfile.lock`, `.gemspec`).
  - PHP (`composer.lock`), .NET, Dart, Erlang, Swift, etc.
- Binary fingerprinting as a fallback for components without package metadata.
Output is a single SBOM document listing every detected component and, optionally, the dependency relationships between them.
Canonical wiki use (Zalando 2023-04-12)¶
Named explicitly as Zalando's SBOM generator:
"syft can generate an SBOM file that can be further parsed with grype to periodically scan the application's SBOMs for vulnerabilities." (Source: sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game)
Zalando's pipeline extracts SBOMs from the container image (see concepts/container-extracted-sbom) via syft, publishes them to the data lake, and feeds the dataset to internal analytics + grype for CVE correlation.
Known limitations¶
- Shaded / uber-jar metadata loss (concepts/uber-jar-metadata-loss) — if a JVM build flattens all deps into one archive, syft sees only one jar, not the constituents.
- Statically-linked binaries (Go, Rust) with no package metadata require binary-fingerprint heuristics, which have lower fidelity.
- Distroless / scratch base images have no OS-package database to read; syft falls back to file-heuristic detection.
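The following script is an added example (not part of this wiki page, syft, or Zalando's pipeline) that shows what a consumer of syft's CycloneDX JSON output actually gets to work with, and turns the three limitations above into automated checks a pipeline can run before trusting an SBOM. It parses a constructed, syft-style CycloneDX document, counts components per ecosystem from their package URLs, lists recorded dependency edges, and emits a warning when the document shows the signature of an uber-jar (a single JVM artifact with no recorded constituents), contains binary-fingerprinted components, or has no OS-package ecosystem at all (distroless/scratch base). The sample SBOM and the assumption that binary-fingerprinted packages carry `pkg:generic/` purls are constructed for this example and labelled as such in the code.

```python
"""Ecosystem summary and completeness checks over a syft-style CycloneDX JSON SBOM."""
import json
from collections import Counter
from typing import Any, Dict, List, Tuple

OS_ECOSYSTEMS = {"deb", "rpm", "apk"}   # OS package databases syft reads directly
JVM_ECOSYSTEMS = {"maven"}              # purl type for jar/war packages
BINARY_FALLBACK = {"generic"}           # ASSUMPTION: purl type used for binary-fingerprinted packages

# Constructed sample mimicking syft's CycloneDX JSON output for a JVM container image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
    "components": [
        {"bom-ref": "a", "type": "library", "name": "libc6", "version": "2.36-9",
         "purl": "pkg:deb/debian/libc6@2.36-9?distro=debian-12"},
        {"bom-ref": "b", "type": "library", "name": "openssl", "version": "3.0.11-1",
         "purl": "pkg:deb/debian/openssl@3.0.11-1?distro=debian-12"},
        {"bom-ref": "c", "type": "library", "name": "app", "version": "1.0.0",
         "purl": "pkg:maven/com.example/app@1.0.0"},
        {"bom-ref": "d", "type": "library", "name": "java", "version": "17.0.8",
         "purl": "pkg:generic/java@17.0.8"},
    ],
    "dependencies": [{"ref": "b", "dependsOn": ["a"]}],
})


def load_sbom(text: str) -> Dict[str, Any]:
    """Parse the document and reject anything that is not CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def purl_type(purl: str) -> str:
    """Return the <type> part of pkg:<type>/<namespace>/<name>@<version>?<qualifiers>."""
    if not purl.startswith("pkg:"):
        return "unknown"
    return purl[4:].split("/", 1)[0].lower()


def ecosystem_counts(sbom: Dict[str, Any]) -> Counter:
    """Count components per package ecosystem (deb, maven, generic, ...)."""
    return Counter(purl_type(c.get("purl", "")) for c in sbom.get("components", []))


def dependency_edges(sbom: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Resolve bom-refs in the dependencies array to (dependent, dependency) name pairs."""
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", []) if "bom-ref" in c}
    edges: List[Tuple[str, str]] = []
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            edges.append((names.get(entry["ref"], entry["ref"]), names.get(dep, dep)))
    return edges


def completeness_warnings(sbom: Dict[str, Any]) -> List[str]:
    """Flag the situations in which syft's output is known to be incomplete."""
    comps = sbom.get("components", [])
    counts = ecosystem_counts(sbom)
    warnings: List[str] = []

    # Uber-jar signature: exactly one JVM artifact and nothing recorded as depending on it.
    jvm = [c for c in comps if purl_type(c.get("purl", "")) in JVM_ECOSYSTEMS]
    refs_with_deps = {e["ref"] for e in sbom.get("dependencies", []) if e.get("dependsOn")}
    if len(jvm) == 1 and jvm[0].get("bom-ref") not in refs_with_deps:
        warnings.append(f"possible uber-jar: single JVM artifact '{jvm[0]['name']}' "
                        "with no recorded constituents; compare against the build's lockfile")

    # Binary fingerprinting fallback: version identification has lower fidelity.
    fingerprinted = [c["name"] for c in comps if purl_type(c.get("purl", "")) in BINARY_FALLBACK]
    if fingerprinted:
        warnings.append("binary-fingerprinted components (lower fidelity): " + ", ".join(fingerprinted))

    # No dpkg/rpm/apk database at all: distroless or scratch base image.
    if not any(counts[e] for e in OS_ECOSYSTEMS):
        warnings.append("no OS package database found: distroless/scratch base, "
                        "OS layer relies on file heuristics only")
    return warnings


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    print("components per ecosystem:", dict(ecosystem_counts(doc)))
    print("dependency edges:", dependency_edges(doc))
    for w in completeness_warnings(doc):
        print("WARNING:", w)
```

Run against a real document with `syft <image> -o cyclonedx-json` piped into `load_sbom`; the warnings are advisory signals for a pipeline to route the image to a manual review or to a lockfile-based cross-check, not a verdict on the image itself.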
Seen in¶
- sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game — canonical wiki mention. Zalando's SBOM pipeline uses syft on every deployed container image.
Related¶
- concepts/sbom-software-bill-of-materials — what syft produces.
- concepts/container-extracted-sbom — syft's default scan locus.
- concepts/uber-jar-metadata-loss — the JVM limitation.
- systems/grype — the consumer side of the Anchore pipeline.
- systems/cyclonedx · systems/spdx — the output formats.
- systems/docker — typical scan target.