Syft

Category: SCA
License: Free (Open-Source, Apache-2.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 13, 2026
3 min read

Syft is Anchore’s open-source SBOM generation tool that catalogs the software components in container images and filesystems. With 8.4k GitHub stars and 219 contributors, it is one of the most widely used tools for generating Software Bills of Materials in the SPDX and CycloneDX formats. Demand for SBOM tooling grew sharply after Executive Order 14028 directed federal agencies to require SBOMs from their software suppliers.

[Figure: Syft CLI generating an SBOM from a container image, showing package detection]

The current version is 1.42.0 (released February 10, 2026). Syft depends on no cloud service or vendor API: the only network access it makes is pulling an image you reference by registry name, and even that can be avoided by scanning a local image, a saved image tarball, or a directory. Point it at a container image or directory, and it returns an SBOM in seconds.

What is Syft?

Syft scans container images, directory trees, and archive files to identify all software packages and their versions. It detects packages installed via system package managers (apk, dpkg, rpm) and language-specific dependency managers (npm, pip, Maven, Go modules, and more).

The tool generates SBOMs in SPDX and CycloneDX formats, the two industry-standard schemas. These machine-readable inventories list every component Syft could identify: direct dependencies, transitive dependencies, and operating system packages. Completeness depends on the catalogers Syft has for the ecosystems in use, so a component with no manifest, lock file, or package-database entry (for example a statically linked binary copied into the image) can be missed.

Multi-Source Scanning
Analyze container images (local or from registries), directory trees, and archive files. Supports OCI, Docker, and Singularity image formats.
Standard Formats
Output SBOMs in SPDX, CycloneDX, and Syft JSON formats. Convert between formats. Create signed in-toto attestations with syft attest (signing is done through Sigstore cosign).
Ecosystem Coverage
Detect packages from Alpine, Debian, RPM, npm, pip, Maven, Go, Ruby, Rust, PHP, .NET, and dozens more ecosystems automatically.

Key features

Feature: Details
Current version: 1.42.0 (February 10, 2026)
GitHub stats: 8.4k stars, 219 contributors, 765 forks
License: Apache 2.0
Output formats: SPDX JSON, CycloneDX JSON, Syft JSON, text, table
Image formats: OCI, Docker, Singularity
Installation: curl script, Homebrew, Docker, Scoop, Chocolatey, Nix
Attestations: Signed SBOM attestations via the in-toto specification
Cloud dependencies: None; runs entirely offline
Grype integration: Pipe SBOMs directly to Grype for vulnerability scanning

Container image analysis

Syft scans Docker images, OCI images, and Singularity containers by reading their layers. It extracts package manager databases, language dependency manifests (package.json, requirements.txt, pom.xml), and binary metadata. By default it catalogs the squashed filesystem, that is, what a running container would actually see; pass --scope all-layers to also report packages that were installed in one layer and deleted in a later one, which matters when a build stage leaves a vulnerable tool behind in an intermediate layer.

Scan local images already pulled to your machine, or fetch images directly from remote registries such as Docker Hub, ECR, GCR, and private registries. Syft authenticates with the registry using the credentials already configured for your Docker client.

Package ecosystem support

Syft automatically identifies which package managers were used in a project by detecting manifest files. When it finds package.json, it parses npm dependencies. When it finds go.mod, it extracts Go module information. When it finds /var/lib/dpkg/status, it catalogs Debian packages.

This automatic detection means you do not need to configure Syft for specific projects. It adapts to whatever package ecosystems it encounters.

Broad Ecosystem Support
Syft detects packages from Alpine (apk), Debian (dpkg), RPM, npm, pip, Maven, Go modules, Ruby gems, Rust crates, PHP Composer, .NET NuGet, CocoaPods, Conda, and many more. New catalogers are added regularly.

SPDX and CycloneDX output

Generate SBOMs in SPDX or CycloneDX format. Both satisfy the NTIA minimum elements referenced by Executive Order 14028, so the choice usually comes down to what your downstream consumers expect: SPDX is common in license and government compliance tooling, CycloneDX in security-focused workflows. Syft also supports human-readable table and text formats for quick inspection.
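Before handing an SBOM to a compliance consumer it is worth checking that it actually carries the NTIA minimum elements, because a cataloger that cannot attribute a binary leaves gaps (no version, no package URL, no supplier) that the format itself does not flag. The following is an added example, not Syft's own code: it walks a CycloneDX JSON document in the shape Syft emits for -o cyclonedx-json and reports which elements are missing at the document and component level. The embedded SBOM is constructed for the example and is not real Syft output.

```python
import json

# Constructed sample in the shape Syft writes for `-o cyclonedx-json`
# (CycloneDX 1.x JSON). Values are made up for the example, not a real scan.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "metadata": {
        "timestamp": "2026-02-10T12:00:00Z",
        "tools": {"components": [{"type": "application", "name": "syft", "version": "1.42.0"}]},
        "component": {"type": "container", "name": "alpine:latest", "bom-ref": "image-root"},
    },
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r2",
         "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64",
         "supplier": {"name": "Alpine Linux"}, "bom-ref": "musl"},
        {"type": "library", "name": "busybox", "version": "1.36.1-r15",
         "purl": "pkg:apk/alpine/busybox@1.36.1-r15", "bom-ref": "busybox"},
        # A binary the scanner could name but not attribute: no version, no purl.
        {"type": "library", "name": "mystery-binary", "bom-ref": "mystery"},
    ],
    "dependencies": [{"ref": "image-root", "dependsOn": ["musl", "busybox", "mystery"]}],
})

# NTIA minimum elements mapped onto CycloneDX fields:
#   document level: SBOM author (metadata.tools), timestamp, primary component,
#                   dependency relationships
#   component level: supplier, name, version, unique identifier (purl or cpe)


def check_document(sbom: dict) -> list[str]:
    """Return the document-level NTIA elements that are missing."""
    meta = sbom.get("metadata", {})
    issues = []
    if not meta.get("timestamp"):
        issues.append("missing metadata.timestamp")
    tools = meta.get("tools")
    # CycloneDX 1.5 nests tools under "components"; 1.4 and earlier use a bare list.
    if not tools or not (tools.get("components") if isinstance(tools, dict) else tools):
        issues.append("missing metadata.tools (SBOM author)")
    if not meta.get("component", {}).get("name"):
        issues.append("missing metadata.component (primary component)")
    if "dependencies" not in sbom:
        issues.append("missing dependencies (relationships)")
    return issues


def check_components(sbom: dict) -> dict[str, list[str]]:
    """Map each incomplete component's bom-ref (or name) to the elements it lacks."""
    findings = {}
    for comp in sbom.get("components", []):
        missing = []
        if not comp.get("name"):
            missing.append("name")
        if not comp.get("version"):
            missing.append("version")
        if not (comp.get("purl") or comp.get("cpe")):
            missing.append("unique identifier (purl/cpe)")
        # Syft populates "supplier" for some ecosystems and "publisher" for others.
        supplier = comp.get("supplier", {}).get("name") or comp.get("publisher")
        if not supplier:
            missing.append("supplier")
        if missing:
            findings[comp.get("bom-ref") or comp.get("name", "<unnamed>")] = missing
    return findings


def check_ntia_minimum(sbom_json: str) -> dict:
    """Run both checks over a CycloneDX JSON string and return the findings."""
    sbom = json.loads(sbom_json)
    return {"document": check_document(sbom), "components": check_components(sbom)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(check_ntia_minimum(SAMPLE_SBOM_JSON))
```

Run it against a real file by replacing SAMPLE_SBOM_JSON with the contents of the SBOM Syft wrote. A non-empty "components" result is not necessarily a bug in Syft; it usually points at files in the image that no cataloger could attribute, which is exactly what a reviewer needs to know before signing off on the inventory.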

SBOM attestations

Syft can create signed SBOM attestations using the in-toto attestation format, with signing handled through Sigstore cosign. The attestation binds the SBOM, as the in-toto predicate, to the digest of the image it describes, so a consumer can verify that the inventory was produced for that exact image and has not been altered since it was signed. This is what makes the SBOM usable as evidence in a supply chain verification workflow rather than just an inventory.

Grype integration

Pair Syft with Grype for complete software composition analysis. Syft generates the SBOM, Grype scans it for known vulnerabilities. This two-tool approach separates inventory generation from vulnerability detection, letting you cache SBOMs and scan them multiple times as new CVEs are disclosed.

# Generate SBOM and pipe to Grype for vulnerability scanning
syft alpine:latest -o cyclonedx-json | grype
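Keeping the SBOM from every build also lets you answer the question that usually follows a fresh Grype finding: what changed between the last clean build and this one? The block below is an added example, not code from Syft or Grype. It diffs two CycloneDX SBOMs by package URL and reports components that were added, removed, or changed version; components without a purl are reported separately since they cannot be matched. Both SBOMs are constructed to stand in for stored Syft output from consecutive builds of one image.

```python
import json

# Two constructed CycloneDX SBOMs standing in for stored Syft output from
# consecutive builds of one image. Values are made up for the example.
SBOM_BUILD_1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "musl", "version": "1.2.4-r2", "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64"},
        {"name": "openssl", "version": "3.1.4-r5", "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64"},
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    ],
})
SBOM_BUILD_2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "musl", "version": "1.2.4-r2", "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64"},
        {"name": "openssl", "version": "3.1.5-r0", "purl": "pkg:apk/alpine/openssl@3.1.5-r0?arch=x86_64"},
        {"name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
        # A component found but not pinned to a purl; it cannot take part in the diff.
        {"name": "unknown-blob"},
    ],
})


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (identity, version).

    Qualifiers and subpath are dropped so that an arch change alone does not
    look like a new package. The '@' is searched from the right because npm
    scope names are percent-encoded in purls and cannot contain a literal '@'.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    identity, sep, version = core.rpartition("@")
    if not sep:
        return core, ""
    return identity, version


def index_versions(sbom_json: str) -> tuple[dict[str, str], list[str]]:
    """Map purl identity -> version; also list components that carry no purl."""
    index, unmatched = {}, []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if purl:
            identity, version = split_purl(purl)
            index[identity] = version
        else:
            unmatched.append(comp.get("name", "<unnamed>"))
    return index, unmatched


def diff_sboms(old_json: str, new_json: str) -> dict:
    """Report components added, removed, version-changed, and unmatched between two SBOMs."""
    old, old_unmatched = index_versions(old_json)
    new, new_unmatched = index_versions(new_json)
    shared = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": {k: (old[k], new[k]) for k in sorted(shared) if old[k] != new[k]},
        "unchanged": sorted(k for k in shared if old[k] == new[k]),
        "unmatched": {"old": sorted(old_unmatched), "new": sorted(new_unmatched)},
    }


if __name__ == "__main__":
    for kind, entries in diff_sboms(SBOM_BUILD_1, SBOM_BUILD_2).items():
        print(f"{kind}: {entries}")
```

Diffing on purl identity rather than on the human-readable name avoids false churn when two ecosystems ship a package of the same name (an apk "openssl" and a pip "openssl" are different components), and dropping qualifiers keeps an architecture rebuild from showing up as a wholesale replacement of every package.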

Getting started

1. Install Syft. Run curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin, or brew install syft on macOS. Read the script before piping it to a shell, and in CI pin a release instead of tracking whatever the script fetches by default (the install script takes a release tag such as v1.42.0 as its final argument).
2. Scan a container image. Run syft alpine:latest to generate an SBOM for any container image. Use -o cyclonedx-json for CycloneDX or -o spdx-json for SPDX format.
3. Scan a directory. Run syft ./my-project to catalog all packages in a local directory tree.
4. Add to CI/CD. Use the official anchore/sbom-action GitHub Action to generate SBOMs for every build and upload them as workflow artifacts, so each build leaves behind the inventory you will need when a new CVE lands.

When to use Syft

Syft is the right choice when you need SBOM generation without vulnerability scanning overhead. It does one thing well: cataloging software components across container images and filesystems.

Pair it with Grype for vulnerability scanning. This separation lets you generate SBOMs once, store them, and scan them repeatedly as new vulnerabilities are disclosed.

The tool needs no external service, which makes it suitable for air-gapped environments and CI/CD pipelines where outbound calls are restricted. In those settings feed it a locally built image, a saved image tarball, or a directory rather than a registry reference, since pulling an image is the one operation that does require network access.

Best for
Development and security teams that need automated SBOM generation for containers and applications to meet compliance requirements, enable vulnerability management, or provide software transparency.

Further reading: What is SBOM? | What is SCA? | Container Image Security

Frequently Asked Questions

What is Syft?
Syft is Anchore’s open-source CLI tool for generating Software Bills of Materials (SBOMs). The current release, 1.42.0, analyzes container images, filesystems, and archives to catalog software packages, outputting results in SPDX or CycloneDX formats. It has 8.4k GitHub stars and 219 contributors.
What's the difference between Syft and Grype?
Syft generates SBOMs (software inventories) while Grype scans SBOMs for vulnerabilities. Use Syft to discover what components exist in your software, then feed the output to Grype to find security issues. They are complementary tools designed to work together.
Which package formats does Syft support?
Syft supports Alpine (apk), Debian/Ubuntu (dpkg), RPM, npm, pip, Maven, Go modules, Ruby gems, Rust crates, PHP Composer, .NET NuGet, and many others. It automatically detects package managers and extracts dependency information from manifests and lock files.
Is Syft free for commercial use?
Yes, Syft is free under the Apache 2.0 license. You can use it in commercial products, CI/CD pipelines, and production environments without licensing costs; the only obligations are the usual Apache 2.0 terms, such as preserving copyright and license notices if you redistribute it.