sbom-syft
by aiskillstore
Security-audited skills for Claude, Codex & Claude Code. One-click install, quality verified.
Run in ManusSKILL.md
name: sbom-syft description: > Software Bill of Materials (SBOM) generation using Syft for container images, filesystems, and archives. Detects packages across 28+ ecosystems with multi-format output support (CycloneDX, SPDX, syft-json). Enables vulnerability assessment, license compliance, and supply chain security. Use when: (1) Generating SBOMs for container images or applications, (2) Analyzing software dependencies and packages for vulnerability scanning, (3) Tracking license compliance across dependencies, (4) Integrating SBOM generation into CI/CD for supply chain security, (5) Creating signed SBOM attestations for software provenance. version: 0.1.0 maintainer: SirAppSec category: secsdlc tags: [sbom, syft, supply-chain, dependencies, cyclonedx, spdx, vulnerability-management, license-compliance] frameworks: [NIST, OWASP] dependencies: tools: [docker] references:
Syft SBOM Generator
Overview
Syft is a CLI tool and Go library for generating comprehensive Software Bills of Materials (SBOMs) from container images and filesystems. It provides visibility into packages and dependencies across 28+ ecosystems, supporting multiple SBOM formats (CycloneDX, SPDX) for vulnerability management, license compliance, and supply chain security.
Supported Ecosystems
Languages & Package Managers: Alpine (apk), C/C++ (conan), Dart (pub), Debian/Ubuntu (dpkg), Dotnet (deps.json), Go (go.mod), Java (JAR/WAR/EAR/Maven/Gradle), JavaScript (npm/yarn), PHP (composer), Python (pip/poetry/setup.py), Red Hat (RPM), Ruby (gem), Rust (cargo), Swift (cocoapods)
Container & System: OCI images, Docker images, Singularity, container layers, Linux distributions
Quick Start
Generate SBOM for container image:
# Using Docker
docker run --rm -v $(pwd):/out anchore/syft:latest <image> -o cyclonedx-json=/out/sbom.json
# Local installation
syft <image> -o cyclonedx-json=sbom.json
# Examples
syft alpine:latest -o cyclonedx-json
syft docker.io/nginx:latest -o spdx-json
syft dir:/path/to/project -o cyclonedx-json
Core Workflows
Workflow 1: Container Image SBOM Generation
For creating SBOMs of container images:
- Identify target container image (local or registry)
- Run Syft to generate SBOM:
syft <image-name:tag> -o cyclonedx-json=sbom-cyclonedx.json - Optionally generate multiple formats:
syft <image-name:tag> \ -o cyclonedx-json=sbom-cyclonedx.json \ -o spdx-json=sbom-spdx.json \ -o syft-json=sbom-syft.json - Store SBOM artifacts with image for traceability
- Use SBOM for vulnerability scanning with Grype or other tools
- Track SBOM versions alongside image releases
Workflow 2: CI/CD Pipeline Integration
Progress: [ ] 1. Add Syft to build pipeline after image creation [ ] 2. Generate SBOM in standard format (CycloneDX or SPDX) [ ] 3. Store SBOM as build artifact [ ] 4. Scan SBOM for vulnerabilities (using Grype or similar) [ ] 5. Fail build on critical vulnerabilities or license violations [ ] 6. Publish SBOM alongside container image [ ] 7. Integrate with vulnerability management platform
Work through each step systematically. Check off completed items.
Workflow 3: Filesystem and Application Scanning
For generating SBOMs from source code or filesystems:
- Navigate to project root or specify path
- Scan directory structure:
syft dir:/path/to/project -o cyclonedx-json=app-sbom.json - Review detected packages and dependencies
- Validate package detection accuracy (check for false positives/negatives)
- Configure exclusions if needed (using
.syft.yaml) - Generate SBOM for each release version
- Track dependency changes between versions
Workflow 4: SBOM Analysis and Vulnerability Scanning
Combining SBOM generation with vulnerability assessment:
- Generate SBOM with Syft:
syft <target> -o cyclonedx-json=sbom.json - Scan SBOM for vulnerabilities using Grype:
grype sbom:sbom.json -o json --file vulnerabilities.json - Review vulnerability findings by severity
- Filter by exploitability and fix availability
- Prioritize remediation based on:
- CVSS score
- Active exploitation status
- Fix availability
- Dependency depth
- Update dependencies and regenerate SBOM
- Re-scan to verify vulnerability remediation
Workflow 5: Signed SBOM Attestation
For creating cryptographically signed SBOM attestations:
- Install cosign (for signing):
# macOS brew install cosign # Linux wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 chmod +x cosign-linux-amd64 mv cosign-linux-amd64 /usr/local/bin/cosign - Generate SBOM:
syft <image> -o cyclonedx-json=sbom.json - Create attestation and sign:
cosign attest --predicate sbom.json --type cyclonedx <image> - Verify attestation:
cosign verify-attestation --type cyclonedx <image> - Store signature alongside SBOM for provenance verification
Output Formats
Syft supports multiple SBOM formats for different use cases:
| Format | Use Case | Specification |
|---|---|---|
cyclonedx-json | Modern SBOM standard, wide tool support | CycloneDX 1.4+ |
cyclonedx-xml | CycloneDX XML variant | CycloneDX 1.4+ |
spdx-json | Linux Foundation standard | SPDX 2.3 |
spdx-tag-value | SPDX text format | SPDX 2.3 |
syft-json | Syft native format (most detail) | Syft-specific |
syft-text | Human-readable console output | Syft-specific |
github-json | GitHub dependency submission | GitHub-specific |
template | Custom Go template output | User-defined |
Specify with -o flag:
syft <target> -o cyclonedx-json=output.json
Configuration
Create .syft.yaml in project root or home directory:
# Cataloger configuration
package:
cataloger:
enabled: true
scope: all-layers # Options: all-layers, squashed
search:
unindexed-archives: false
indexed-archives: true
# Exclusions
exclude:
- "**/test/**"
- "**/node_modules/**"
- "**/.git/**"
# Registry authentication
registry:
insecure-skip-tls-verify: false
auth:
- authority: registry.example.com
username: user
password: pass
# Output format defaults
output: cyclonedx-json
# Log level
log:
level: warn # Options: error, warn, info, debug, trace
Common Patterns
Pattern 1: Multi-Architecture Image Scanning
Scan all architectures of multi-platform images:
# Scan specific architecture
syft --platform linux/amd64 <image> -o cyclonedx-json=sbom-amd64.json
syft --platform linux/arm64 <image> -o cyclonedx-json=sbom-arm64.json
# Or scan manifest list (all architectures)
syft <image> --platform all -o cyclonedx-json
Pattern 2: Private Registry Authentication
Access images from private registries:
# Using Docker credentials
docker login registry.example.com
syft registry.example.com/private/image:tag -o cyclonedx-json
# Using environment variables
export SYFT_REGISTRY_AUTH_AUTHORITY=registry.example.com
export SYFT_REGISTRY_AUTH_USERNAME=user
export SYFT_REGISTRY_AUTH_PASSWORD=pass
syft registry.example.com/private/image:tag -o cyclonedx-json
# Using config file (recommended)
# Add credentials to .syft.yaml
Pattern 3: OCI Archive Scanning
Scan saved container images (OCI or Docker format):
# Save image to archive
docker save nginx:latest -o nginx.tar
# Scan archive
syft oci-archive:nginx.tar -o cyclonedx-json=sbom.json
# Or scan Docker archive
syft docker-archive:nginx.tar -o cyclonedx-json=sbom.json
Pattern 4: Comparing SBOMs Between Versions
Track dependency changes across releases:
# Generate SBOMs for two versions
syft myapp:v1.0 -o syft-json=sbom-v1.0.json
syft myapp:v2.0 -o syft-json=sbom-v2.0.json
# Compare with jq
jq -s '{"added": (.[1].artifacts - .[0].artifacts), "removed": (.[0].artifacts - .[1].artifacts)}' \
sbom-v1.0.json sbom-v2.0.json
Pattern 5: Filtering SBOM Output
Extract specific package information:
# Generate detailed SBOM
syft <target> -o syft-json=full-sbom.json
# Extract only Python packages
cat full-sbom.json | jq '.artifacts[] | select(.type == "python")'
# Extract packages with specific licenses
cat full-sbom.json | jq '.artifacts[] | select(.licenses[].value == "MIT")'
# Count packages by ecosystem
cat full-sbom.json | jq '.artifacts | group_by(.type) | map({type: .[0].type, count: length})'
Security Considerations
- Sensitive Data Handling: SBOMs may contain internal package names and versions. Store SBOMs securely and restrict access to authorized personnel
- Access Control: Limit SBOM generation and access to build systems. Use read-only credentials for registry access
- Audit Logging: Log SBOM generation events, distribution, and access for compliance tracking
- Compliance: SBOMs support compliance with Executive Order 14028 (Software Supply Chain Security), NIST guidelines, and OWASP recommendations
- Safe Defaults: Use signed attestations for production SBOMs to ensure integrity and provenance
Integration Points
CI/CD Integration
GitHub Actions:
- name: Generate SBOM with Syft
uses: anchore/sbom-action@v0
with:
image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
format: cyclonedx-json
output-file: sbom.json
- name: Upload SBOM
uses: actions/upload-artifact@v3
with:
name: sbom
path: sbom.json
GitLab CI:
sbom-generation:
image: anchore/syft:latest
script:
- syft $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA -o cyclonedx-json=sbom.json
artifacts:
reports:
cyclonedx: sbom.json
Jenkins:
stage('Generate SBOM') {
steps {
sh 'syft ${IMAGE_NAME}:${BUILD_NUMBER} -o cyclonedx-json=sbom.json'
archiveArtifacts artifacts: 'sbom.json'
}
}
Vulnerability Scanning
Integrate with Grype for vulnerability scanning:
# Generate SBOM and scan in one pipeline
syft <target> -o cyclonedx-json=sbom.json
grype sbom:sbom.json
SBOM Distribution
Attach SBOMs to container images:
# Using ORAS
oras attach <image> --artifact-type application/vnd.cyclonedx+json sbom.json
# Using Docker manifest
# Store SBOM as additional layer or separate artifact
Advanced Usage
Custom Template Output
Create custom output formats using Go templates:
# Create template file
cat > custom-template.tmpl <<'EOF'
{{- range .Artifacts}}
{{.Name}}@{{.Version}} ({{.Type}})
{{- end}}
EOF
# Use template
syft <target> -o template -t custom-template.tmpl
Scanning Specific Layers
Analyze specific layers in container images:
# Squashed view (default - final filesystem state)
syft <image> --scope squashed -o cyclonedx-json
# All layers (every layer's packages)
syft <image> --scope all-layers -o cyclonedx-json
Environment Variable Configuration
Configure Syft via environment variables:
export SYFT_SCOPE=all-layers
export SYFT_OUTPUT=cyclonedx-json
export SYFT_LOG_LEVEL=debug
export SYFT_EXCLUDE="**/test/**,**/node_modules/**"
syft <target>
Troubleshooting
Issue: Missing Packages in SBOM
Solution: Enable all-layers scope or check for package manager files:
syft <target> --scope all-layers -o syft-json
Verify package manifest files exist (package.json, requirements.txt, go.mod, etc.)
Issue: Registry Authentication Failure
Solution: Ensure Docker credentials are configured or use explicit auth:
docker login <registry>
# Then run syft
syft <registry>/<image> -o cyclonedx-json
Issue: Large SBOM Size
Solution: Use squashed scope and exclude test/dev dependencies:
# In .syft.yaml
package:
cataloger:
scope: squashed
exclude:
- "**/test/**"
- "**/node_modules/**"
- "**/.git/**"
Issue: Slow Scanning Performance
Solution: Disable unindexed archive scanning for faster results:
# In .syft.yaml
package:
search:
unindexed-archives: false
License Compliance
Extract license information from SBOM:
# Generate SBOM
syft <target> -o syft-json=sbom.json
# Extract unique licenses
cat sbom.json | jq -r '.artifacts[].licenses[].value' | sort -u
# Find packages with specific licenses
cat sbom.json | jq '.artifacts[] | select(.licenses[].value | contains("GPL"))'
# Generate license report
cat sbom.json | jq -r '.artifacts[] | "\(.name):\(.licenses[].value)"' | sort
Vulnerability Management Workflow
Complete workflow integrating SBOM generation with vulnerability management:
Progress: [ ] 1. Generate SBOM for application/container [ ] 2. Scan SBOM for known vulnerabilities [ ] 3. Classify vulnerabilities by severity and exploitability [ ] 4. Check for available patches and updates [ ] 5. Update vulnerable dependencies [ ] 6. Regenerate SBOM after updates [ ] 7. Re-scan to confirm vulnerability remediation [ ] 8. Document accepted risks for unfixable vulnerabilities [ ] 9. Schedule periodic SBOM regeneration and scanning
Work through each step systematically. Check off completed items.
References
Score
Total Score
Based on repository quality metrics
SKILL.mdファイルが含まれている
ライセンスが設定されている
100文字以上の説明がある
GitHub Stars 100以上
1ヶ月以内に更新
10回以上フォークされている
オープンIssueが50未満
プログラミング言語が設定されている
1つ以上のタグが設定されている
Reviews
Reviews coming soon
