Syft

Unclaimed

Generate Software Bill of Materials (SBOMs) from container images and filesystems.

Vulnerability Scanning Compliance

Visit Website

FreeVisit Website

TL;DR - Syft

Generates Software Bill of Materials (SBOMs) from various software artifacts.
Supports a wide range of packaging ecosystems and container image formats.
Integrates seamlessly with vulnerability scanners like Grype for enhanced security.

Pricing: Free forever

Best for: Individuals & startups

Pros & Cons

Pros

Comprehensive SBOM generation for diverse software components
Broad support for packaging ecosystems and image formats
Seamless integration with vulnerability scanning tools like Grype
Multiple output formats and SBOM conversion capabilities
Enhances software supply chain security with signed attestations

Cons

Primarily a CLI tool, which might require command-line familiarity
Requires integration with other tools (like Grype) for full vulnerability detection

Key Features

Generates SBOMs for container images, filesystems, and archivesSupports dozens of packaging ecosystems (e.g., Alpine, Debian, RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, .NET)Supports OCI, Docker, and Singularity image formatsWorks seamlessly with Grype for vulnerability scanningProvides multiple output formats (CycloneDX, SPDX, Syft JSON, and more)Ability to convert between SBOM formatsCreates signed SBOM attestations using the in-toto specification

Pricing Plans

Open Source

Free

Full source code access
Community support
Self-hosted

View full pricing

About Syft

By Toolradar Team·Updated Feb 23, 2026

Syft is a powerful CLI tool and Go library designed for generating Software Bill of Materials (SBOMs) from various sources, including container images, filesystems, and archives. It helps developers and security teams gain transparency into the components of their software, which is crucial for identifying potential vulnerabilities and ensuring compliance. This tool supports a wide array of packaging ecosystems, such as Alpine, Debian, RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, and .NET, among many others. It also works with popular image formats like OCI, Docker, and Singularity. Syft is particularly valuable when integrated with vulnerability scanners like Grype, enabling comprehensive security analysis of software artifacts. Syft is ideal for developers, DevOps engineers, security professionals, and anyone involved in software supply chain security. It provides multiple output formats, including CycloneDX, SPDX, and Syft JSON, and can even convert between SBOM formats. Its ability to create signed SBOM attestations using the in-toto specification further enhances trust and integrity in the software supply chain.

How we evaluate tools →Source: github.com

Reviews

No reviews yet. Be the first to review Syft!

Write a Review

Best Syft Alternatives

Top alternatives based on features, pricing, and user needs.

GrypeFree

Vulnerability scanner for container images

VeracodePaid

Application security testing platform

CheckmarxPaid

Application security testing platform

See all Vulnerability Scanning tools →

Explore More

Best Vulnerability Scanning Tools Best Compliance Tools

Syft FAQ

What is Syft?

Syft is a CLI tool and Go library that generates a Software Bill of Materials (SBOM) from container images, filesystems, and archives. It helps identify all the components within your software.

How much does Syft cost?

Syft is an open-source project released under the Apache-2.0 License, making it free to use. Commercial support options are available through Anchore.

Is Syft free?

Yes, Syft is free as it is an open-source project licensed under Apache-2.0.

Who is Syft for?

Syft is for developers, DevOps engineers, security professionals, and anyone needing to understand the components of their software for vulnerability detection, compliance, and supply chain security.

Source: github.com