Marketplace sbom-syft
git clone https://github.com/aiskillstore/marketplace
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/agentsecops/sbom-syft" ~/.claude/skills/aiskillstore-marketplace-sbom-syft && rm -rf "$T"
skills/agentsecops/sbom-syft/SKILL.mdSyft SBOM Generator
Overview
Syft is a CLI tool and Go library for generating comprehensive Software Bills of Materials (SBOMs) from container images and filesystems. It provides visibility into packages and dependencies across 28+ ecosystems, supporting multiple SBOM formats (CycloneDX, SPDX) for vulnerability management, license compliance, and supply chain security.
Supported Ecosystems
Languages & Package Managers: Alpine (apk), C/C++ (conan), Dart (pub), Debian/Ubuntu (dpkg), Dotnet (deps.json), Go (go.mod), Java (JAR/WAR/EAR/Maven/Gradle), JavaScript (npm/yarn), PHP (composer), Python (pip/poetry/setup.py), Red Hat (RPM), Ruby (gem), Rust (cargo), Swift (cocoapods)
Container & System: OCI images, Docker images, Singularity, container layers, Linux distributions
Quick Start
Generate SBOM for container image:
# Using Docker docker run --rm -v $(pwd):/out anchore/syft:latest <image> -o cyclonedx-json=/out/sbom.json # Local installation syft <image> -o cyclonedx-json=sbom.json # Examples syft alpine:latest -o cyclonedx-json syft docker.io/nginx:latest -o spdx-json syft dir:/path/to/project -o cyclonedx-json
Core Workflows
Workflow 1: Container Image SBOM Generation
For creating SBOMs of container images:
- Identify target container image (local or registry)
- Run Syft to generate SBOM:
syft <image-name:tag> -o cyclonedx-json=sbom-cyclonedx.json - Optionally generate multiple formats:
syft <image-name:tag> \ -o cyclonedx-json=sbom-cyclonedx.json \ -o spdx-json=sbom-spdx.json \ -o syft-json=sbom-syft.json - Store SBOM artifacts with image for traceability
- Use SBOM for vulnerability scanning with Grype or other tools
- Track SBOM versions alongside image releases
Workflow 2: CI/CD Pipeline Integration
Progress: [ ] 1. Add Syft to build pipeline after image creation [ ] 2. Generate SBOM in standard format (CycloneDX or SPDX) [ ] 3. Store SBOM as build artifact [ ] 4. Scan SBOM for vulnerabilities (using Grype or similar) [ ] 5. Fail build on critical vulnerabilities or license violations [ ] 6. Publish SBOM alongside container image [ ] 7. Integrate with vulnerability management platform
Work through each step systematically. Check off completed items.
Workflow 3: Filesystem and Application Scanning
For generating SBOMs from source code or filesystems:
- Navigate to project root or specify path
- Scan directory structure:
syft dir:/path/to/project -o cyclonedx-json=app-sbom.json - Review detected packages and dependencies
- Validate package detection accuracy (check for false positives/negatives)
- Configure exclusions if needed (using
).syft.yaml - Generate SBOM for each release version
- Track dependency changes between versions
Workflow 4: SBOM Analysis and Vulnerability Scanning
Combining SBOM generation with vulnerability assessment:
- Generate SBOM with Syft:
syft <target> -o cyclonedx-json=sbom.json - Scan SBOM for vulnerabilities using Grype:
grype sbom:sbom.json -o json --file vulnerabilities.json - Review vulnerability findings by severity
- Filter by exploitability and fix availability
- Prioritize remediation based on:
- CVSS score
- Active exploitation status
- Fix availability
- Dependency depth
- Update dependencies and regenerate SBOM
- Re-scan to verify vulnerability remediation
Workflow 5: Signed SBOM Attestation
For creating cryptographically signed SBOM attestations:
- Install cosign (for signing):
# macOS brew install cosign # Linux wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 chmod +x cosign-linux-amd64 mv cosign-linux-amd64 /usr/local/bin/cosign - Generate SBOM:
syft <image> -o cyclonedx-json=sbom.json - Create attestation and sign:
cosign attest --predicate sbom.json --type cyclonedx <image> - Verify attestation:
cosign verify-attestation --type cyclonedx <image> - Store signature alongside SBOM for provenance verification
Output Formats
Syft supports multiple SBOM formats for different use cases:
| Format | Use Case | Specification |
|---|---|---|
| Modern SBOM standard, wide tool support | CycloneDX 1.4+ |
| CycloneDX XML variant | CycloneDX 1.4+ |
| Linux Foundation standard | SPDX 2.3 |
| SPDX text format | SPDX 2.3 |
| Syft native format (most detail) | Syft-specific |
| Human-readable console output | Syft-specific |
| GitHub dependency submission | GitHub-specific |
| Custom Go template output | User-defined |
Specify with
-osyft <target> -o cyclonedx-json=output.json
Configuration
Create
.syft.yaml# Cataloger configuration package: cataloger: enabled: true scope: all-layers # Options: all-layers, squashed search: unindexed-archives: false indexed-archives: true # Exclusions exclude: - "**/test/**" - "**/node_modules/**" - "**/.git/**" # Registry authentication registry: insecure-skip-tls-verify: false auth: - authority: registry.example.com username: user password: pass # Output format defaults output: cyclonedx-json # Log level log: level: warn # Options: error, warn, info, debug, trace
Common Patterns
Pattern 1: Multi-Architecture Image Scanning
Scan all architectures of multi-platform images:
# Scan specific architecture syft --platform linux/amd64 <image> -o cyclonedx-json=sbom-amd64.json syft --platform linux/arm64 <image> -o cyclonedx-json=sbom-arm64.json # Or scan manifest list (all architectures) syft <image> --platform all -o cyclonedx-json
Pattern 2: Private Registry Authentication
Access images from private registries:
# Using Docker credentials docker login registry.example.com syft registry.example.com/private/image:tag -o cyclonedx-json # Using environment variables export SYFT_REGISTRY_AUTH_AUTHORITY=registry.example.com export SYFT_REGISTRY_AUTH_USERNAME=user export SYFT_REGISTRY_AUTH_PASSWORD=pass syft registry.example.com/private/image:tag -o cyclonedx-json # Using config file (recommended) # Add credentials to .syft.yaml
Pattern 3: OCI Archive Scanning
Scan saved container images (OCI or Docker format):
# Save image to archive docker save nginx:latest -o nginx.tar # Scan archive syft oci-archive:nginx.tar -o cyclonedx-json=sbom.json # Or scan Docker archive syft docker-archive:nginx.tar -o cyclonedx-json=sbom.json
Pattern 4: Comparing SBOMs Between Versions
Track dependency changes across releases:
# Generate SBOMs for two versions syft myapp:v1.0 -o syft-json=sbom-v1.0.json syft myapp:v2.0 -o syft-json=sbom-v2.0.json # Compare with jq jq -s '{"added": (.[1].artifacts - .[0].artifacts), "removed": (.[0].artifacts - .[1].artifacts)}' \ sbom-v1.0.json sbom-v2.0.json
Pattern 5: Filtering SBOM Output
Extract specific package information:
# Generate detailed SBOM syft <target> -o syft-json=full-sbom.json # Extract only Python packages cat full-sbom.json | jq '.artifacts[] | select(.type == "python")' # Extract packages with specific licenses cat full-sbom.json | jq '.artifacts[] | select(.licenses[].value == "MIT")' # Count packages by ecosystem cat full-sbom.json | jq '.artifacts | group_by(.type) | map({type: .[0].type, count: length})'
Security Considerations
- Sensitive Data Handling: SBOMs may contain internal package names and versions. Store SBOMs securely and restrict access to authorized personnel
- Access Control: Limit SBOM generation and access to build systems. Use read-only credentials for registry access
- Audit Logging: Log SBOM generation events, distribution, and access for compliance tracking
- Compliance: SBOMs support compliance with Executive Order 14028 (Software Supply Chain Security), NIST guidelines, and OWASP recommendations
- Safe Defaults: Use signed attestations for production SBOMs to ensure integrity and provenance
Integration Points
CI/CD Integration
GitHub Actions:
- name: Generate SBOM with Syft uses: anchore/sbom-action@v0 with: image: ${{ env.IMAGE_NAME }}:${{ github.sha }} format: cyclonedx-json output-file: sbom.json - name: Upload SBOM uses: actions/upload-artifact@v3 with: name: sbom path: sbom.json
GitLab CI:
sbom-generation: image: anchore/syft:latest script: - syft $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA -o cyclonedx-json=sbom.json artifacts: reports: cyclonedx: sbom.json
Jenkins:
stage('Generate SBOM') { steps { sh 'syft ${IMAGE_NAME}:${BUILD_NUMBER} -o cyclonedx-json=sbom.json' archiveArtifacts artifacts: 'sbom.json' } }
Vulnerability Scanning
Integrate with Grype for vulnerability scanning:
# Generate SBOM and scan in one pipeline syft <target> -o cyclonedx-json=sbom.json grype sbom:sbom.json
SBOM Distribution
Attach SBOMs to container images:
# Using ORAS oras attach <image> --artifact-type application/vnd.cyclonedx+json sbom.json # Using Docker manifest # Store SBOM as additional layer or separate artifact
Advanced Usage
Custom Template Output
Create custom output formats using Go templates:
# Create template file cat > custom-template.tmpl <<'EOF' {{- range .Artifacts}} {{.Name}}@{{.Version}} ({{.Type}}) {{- end}} EOF # Use template syft <target> -o template -t custom-template.tmpl
Scanning Specific Layers
Analyze specific layers in container images:
# Squashed view (default - final filesystem state) syft <image> --scope squashed -o cyclonedx-json # All layers (every layer's packages) syft <image> --scope all-layers -o cyclonedx-json
Environment Variable Configuration
Configure Syft via environment variables:
export SYFT_SCOPE=all-layers export SYFT_OUTPUT=cyclonedx-json export SYFT_LOG_LEVEL=debug export SYFT_EXCLUDE="**/test/**,**/node_modules/**" syft <target>
Troubleshooting
Issue: Missing Packages in SBOM
Solution: Enable all-layers scope or check for package manager files:
syft <target> --scope all-layers -o syft-json
Verify package manifest files exist (package.json, requirements.txt, go.mod, etc.)
Issue: Registry Authentication Failure
Solution: Ensure Docker credentials are configured or use explicit auth:
docker login <registry> # Then run syft syft <registry>/<image> -o cyclonedx-json
Issue: Large SBOM Size
Solution: Use squashed scope and exclude test/dev dependencies:
# In .syft.yaml package: cataloger: scope: squashed exclude: - "**/test/**" - "**/node_modules/**" - "**/.git/**"
Issue: Slow Scanning Performance
Solution: Disable unindexed archive scanning for faster results:
# In .syft.yaml package: search: unindexed-archives: false
License Compliance
Extract license information from SBOM:
# Generate SBOM syft <target> -o syft-json=sbom.json # Extract unique licenses cat sbom.json | jq -r '.artifacts[].licenses[].value' | sort -u # Find packages with specific licenses cat sbom.json | jq '.artifacts[] | select(.licenses[].value | contains("GPL"))' # Generate license report cat sbom.json | jq -r '.artifacts[] | "\(.name):\(.licenses[].value)"' | sort
Vulnerability Management Workflow
Complete workflow integrating SBOM generation with vulnerability management:
Progress: [ ] 1. Generate SBOM for application/container [ ] 2. Scan SBOM for known vulnerabilities [ ] 3. Classify vulnerabilities by severity and exploitability [ ] 4. Check for available patches and updates [ ] 5. Update vulnerable dependencies [ ] 6. Regenerate SBOM after updates [ ] 7. Re-scan to confirm vulnerability remediation [ ] 8. Document accepted risks for unfixable vulnerabilities [ ] 9. Schedule periodic SBOM regeneration and scanning
Work through each step systematically. Check off completed items.