SBOM generation CLI for container images, filesystems, and archives, with SPDX and CycloneDX output.
$ curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
Syft generates software bill of materials from container images, filesystem paths, archives, and other OCI sources. It is built for software supply chain inspection workflows where you need package inventories you can export, compare, or pass to downstream scanners and compliance systems.
What It Enables
- Scan container images from Docker, Podman, registries, tar archives, OCI layouts, directories, or single files to inventory packages and selected file metadata.
- Export SBOMs as Syft JSON, SPDX, CycloneDX, text, table, purl, or custom template output for CI, audits, and downstream tooling.
- Convert existing SBOMs between Syft, SPDX, and CycloneDX formats, and attach signed SBOM attestations to container images.
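The inventories Syft exports are only useful downstream if something consumes them, so here is an added example (not code from the Syft project) of the "compare" step: it normalises Syft JSON, CycloneDX JSON and SPDX JSON documents to their package URLs and reports what was added, removed or changed in version between two scans. The three SBOM documents embedded below are constructed samples trimmed to the fields the code reads, not real Syft output, and the image name in the comments is hypothetical; only the `artifacts[].purl`, `components[].purl` and `packages[].externalRefs[]` fields are relied on, which are where each of those formats carries the purl.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample SBOMs (not real Syft output). In practice they would be produced by, e.g.:
#   syft registry:ghcr.io/example/app:1.0 -o json > old.syft.json        (hypothetical image)
#   syft convert old.syft.json -o cyclonedx-json > old.cdx.json
SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "openssl", "version": "3.0.13-1", "type": "deb",
         "purl": "pkg:deb/debian/openssl@3.0.13-1?arch=amd64"},
        {"name": "requests", "version": "2.31.0", "type": "python",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "zlib", "version": "1.2.13", "type": "apk",
         "purl": "pkg:apk/alpine/zlib@1.2.13"},
    ],
    "schema": {"version": "16.0.0"},
})
CDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.14-1",
         "purl": "pkg:deb/debian/openssl@3.0.14-1?arch=amd64"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        # A package with no purl (e.g. an unidentified root) is skipped, not counted.
        {"name": "app-root", "versionInfo": "", "externalRefs": []},
    ],
})

# base purl (type/namespace/name) -> set of versions seen for it
Inventory = Dict[str, Set[str]]


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version).

    The first '@' is the version separator; '@' inside a name is percent-encoded
    by the purl spec (e.g. pkg:npm/%40angular/core@17.0.0), so partition is safe.
    """
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def load_inventory(text: str) -> Inventory:
    """Detect the SBOM format by its top-level keys and collect purls."""
    doc = json.loads(text)
    if "artifacts" in doc:                                   # Syft JSON
        purls = [a.get("purl") for a in doc["artifacts"]]
    elif doc.get("bomFormat") == "CycloneDX":                # CycloneDX JSON
        purls = [c.get("purl") for c in doc.get("components", [])]
    elif "spdxVersion" in doc:                               # SPDX JSON
        purls = [r.get("referenceLocator")
                 for p in doc.get("packages", [])
                 for r in p.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
    else:
        raise ValueError("unrecognised SBOM: expected Syft JSON, CycloneDX JSON or SPDX JSON")
    inv: Inventory = {}
    for purl in purls:
        if not purl:
            continue
        base, version = split_purl(purl)
        inv.setdefault(base, set()).add(version)
    return inv


def diff_inventories(old: Inventory, new: Inventory):
    """Return (added, removed, changed); 'changed' lists version-set differences."""
    added: List[str] = sorted(k for k in new if k not in old)
    removed: List[str] = sorted(k for k in old if k not in new)
    changed = sorted((k, sorted(old[k]), sorted(new[k]))
                     for k in old if k in new and old[k] != new[k])
    return added, removed, changed


def format_report(added, removed, changed) -> str:
    lines = [f"+ {k}" for k in added] + [f"- {k}" for k in removed]
    lines += [f"~ {k}: {' '.join(o)} -> {' '.join(n)}" for k, o, n in changed]
    return "\n".join(lines) if lines else "no differences"


if __name__ == "__main__":
    print(format_report(*diff_inventories(load_inventory(SYFT_JSON),
                                          load_inventory(CDX_JSON))))
```

Keying on the base purl rather than the full purl is what lets a Syft JSON scan be compared against a CycloneDX conversion or a later scan; keeping a set of versions per key preserves the case where an image carries two copies of the same library, which a plain version string would silently collapse.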
Agent Fit
- Flag-driven commands and explicit source schemes like `registry:`, `docker-archive:`, `oci-dir:`, `dir:`, and `file:` make unattended scans and follow-up retries predictable.
- `-o json`, `spdx-json`, and `cyclonedx-json` provide machine-readable output, and the repo ships versioned JSON schemas plus schema tests for Syft JSON.
- Best for inspect and export loops rather than broad mutation workflows; registry or daemon access affects what an agent can scan, and attestation adds external `cosign` and registry requirements.
Caveats
- Default output is a human table, so automation should always request an explicit JSON or SBOM format.
- `syft attest` is limited to OCI registry images and requires `cosign` on PATH.