Syft Logo

About Syft

Syft is a powerful CLI tool and Go library designed for generating Software Bill of Materials (SBOMs) from various sources, including container images, filesystems, and archives. It helps developers and security teams gain transparency into the components of their software, which is crucial for identifying potential vulnerabilities and ensuring compliance. This tool supports a wide array of packaging ecosystems, such as Alpine, Debian, RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, and .NET, among many others. It also works with popular image formats like OCI, Docker, and Singularity. Syft is particularly valuable when integrated with vulnerability scanners like Grype, enabling comprehensive security analysis of software artifacts. Syft is ideal for developers, DevOps engineers, security professionals, and anyone involved in software supply chain security. It provides multiple output formats, including CycloneDX, SPDX, and Syft JSON, and can even convert between SBOM formats. Its ability to create signed SBOM attestations using the in-toto specification further enhances trust and integrity in the software supply chain.