Installation

Official and community maintained packages of Anchore OSS Tools

The following pages show the installation options for each of our open source tools. This includes our recommended methods, and some third-party packages maintained by the community.

We also have a guide detailing how to verify the downloads.

1 - Syft

Installing Syft

Official builds

The Anchore OSS team publishes official source archives and binary builds of Syft for Linux, macOS and Windows. There are also numerous community-maintained builds of the tool for different platforms.

Installer script

Syft binaries are provided for Linux, macOS and Windows.

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)

Updating Syft

Syft checks for new versions on launch. It will print a message at the end of the output if the version in use is not the latest.

A newer version of syft is available for download: 1.20.0 (installed version is 1.19.2)

Docker container

docker pull anchore/syft

GitHub releases

  • Download the file for your operating system and architecture from the GitHub releases page
  • In the case of .deb or .rpm, install them using your package manager
  • For compressed archives, unpack the file, and copy the syft binary to a folder in your path such as /usr/local/bin

Community builds of syft

Alpine Linux

apk add syft

Thanks to Michał Polański for maintaining this package.

Chocolatey

choco install syft -y

Homebrew

brew tap anchore/syft
brew install syft

Thanks to the Syft community for maintaining this package.

Kali Linux

sudo apt install syft

Thanks to Sophie Brun for maintaining this package.

Nix

Syft is available in the stable channel since NixOS 22.05.

nix-env -i syft

Alternatively, just try it out in an ephemeral nix shell.

nix-shell -p syft

Scoop

scoop install syft

WinGet

nuget install Anchore.syft

Thanks to Alan Pope for maintaining this package.

Snapcraft

snap install syft

Thanks to Alan Pope for maintaining this package.

2 - Grype

Installing Grype

Official builds

The Anchore OSS team publishes official source archives and binary builds of Grype for Linux, macOS and Windows. There are also numerous community-maintained builds of the tool for different platforms.

Installer script

Grype binaries are provided for Linux, macOS and Windows.

curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)

Updating Grype

Grype checks for new versions on launch. It will print a message at the end of the output if the version in use is not the latest.

A newer version of grype is available for download: 0.92.0 (installed version is 0.91.2)

Docker container

docker pull anchore/grype

GitHub releases

  • Download the file for your operating system and architecture from the GitHub releases page
  • In the case of .deb or .rpm, install them using your package manager
  • For compressed archives, unpack the file, and copy the grype binary to a folder in your path such as /usr/local/bin

Community builds of Grype

Arch Linux

sudo pacman -S grype-bin

Homebrew

brew tap anchore/grype
brew install grype

MacPorts

sudo port install grype

NuGet

nuget install Anchore.Grype

Snapcraft

snap install grype

3 - Grant

Installing Grant

Official builds

The Anchore OSS team publishes official source archives and binary builds of Grant for Linux and macOS. There are also some community-maintained builds of the tool for different platforms.

Installer script

Grant binaries are provided for Linux and macOS.

curl -sSfL https://get.anchore.io/grant | sudo sh -s -- -b /usr/local/bin

Install script options:

  • -b: Specify a custom installation directory (defaults to ./bin)
  • -d: More verbose logging levels (-d for debug, -dd for trace)
  • -v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)

GitHub releases

  • Download the file for your operating system and architecture from the GitHub releases page
  • In the case of .deb or .rpm, install them using your package manager
  • For compressed archives, unpack the file, and copy the grant binary to a folder in your path such as /usr/local/bin

Community builds of grant

Homebrew

brew tap anchore/grant
brew install grant

4 - Verifying Downloads

Verifying release assets after downloading

Verifying the artifacts

A SHA256 checksum is computed for every artifact, and the resulting checksums file is signed using cosign.

You need cosign to verify the signature.

Verification steps are as follows:

  1. Download the files you want, and the checksums.txt, checksums.txt.pem and checksums.txt.sig files from the appropriate GitHub releases page.
  2. Verify the signature:

Use cosign to verify.

cosign verify-blob <path to checksums.txt> \
--certificate <path to checksums.txt.pem> \
--signature <path to checksums.txt.sig> \
--certificate-identity-regexp 'https://github\.com/anchore/<name of tool>/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Here’s an example of verifying the macOS arm64 Syft v1.23.1 tarball in the current directory:

First, we download the Syft tarball directly from the GitHub releases page for Syft v1.23.1:

wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_darwin_arm64.tar.gz

Then we grab the files required to verify the download:

wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt.pem
wget https://github.com/anchore/syft/releases/download/v1.23.1/syft_1.23.1_checksums.txt.sig

The cosign command will look a bit like this:

cosign verify-blob ./syft_1.23.1_checksums.txt \
--certificate ./syft_1.23.1_checksums.txt.pem \
--signature ./syft_1.23.1_checksums.txt.sig \
--certificate-identity-regexp 'https://github\.com/anchore/syft/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"

The resulting output, if successful, looks like this:

Verified OK

  3. Once the signature is confirmed as valid, you can proceed to validate that the SHA256 sums align with the downloaded artifact:

sha256sum --ignore-missing -c checksums.txt

In our example above, that command looks like this:

sha256sum --ignore-missing -c syft_1.23.1_checksums.txt

If successful, we will get this output:

syft_1.23.1_darwin_arm64.tar.gz: OK
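Putting the steps above together, as an added example that is not part of the Anchore docs: a POSIX shell script that runs the cosign check and then the SHA256 check for one downloaded asset, failing closed at each step. The script and function names are assumptions; the cosign flags, OIDC issuer and identity pattern are the ones given above, and the script assumes the <tool>_<version>_checksums.txt file naming shown in the Syft example.

```shell
#!/bin/sh
# Added example, not from the Anchore docs: verify a downloaded release asset
# by running the two steps on this page in order (cosign, then SHA256).
set -eu

# Issuer and identity pattern exactly as documented for the Anchore release
# workflows; TOOL is substituted into the repository path (syft, grype, grant).
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# verify_signature TOOL CHECKSUMS_FILE
# Verifies CHECKSUMS_FILE against the .pem and .sig published beside it.
verify_signature() {
  tool=$1; sums=$2
  cosign verify-blob "$sums" \
    --certificate "$sums.pem" \
    --signature "$sums.sig" \
    --certificate-identity-regexp "https://github\\.com/anchore/$tool/\\.github/workflows/.+" \
    --certificate-oidc-issuer "$OIDC_ISSUER"
}

# verify_checksum CHECKSUMS_FILE ARTIFACT
# Checks the one line that names ARTIFACT. Unlike `sha256sum --ignore-missing -c`,
# an artifact that is absent from the list is a failure, not a silent pass.
# Returns 0 on a match, 1 on a mismatch or a missing entry.
verify_checksum() {
  sums=$1; artifact=$2
  name=$(basename "$artifact")
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "$name: not listed in $sums" >&2; return 1; }
  actual=$(sha256sum "$artifact" | awk '{ print $1 }')
  [ "$expected" = "$actual" ] || { echo "$name: checksum mismatch" >&2; return 1; }
  echo "$name: OK"
}

# verify_release TOOL VERSION ARTIFACT
# Assumes the naming seen on this page: <tool>_<version>_checksums.txt (plus
# .pem and .sig) in the same directory as ARTIFACT. The signature is checked
# first: until cosign accepts the checksum list, nothing in it can be trusted.
verify_release() {
  tool=$1; version=$2; artifact=$3
  sums="$(dirname "$artifact")/${tool}_${version}_checksums.txt"
  verify_signature "$tool" "$sums"
  verify_checksum "$sums" "$artifact"
}

# Run as a script, e.g.: sh verify_release.sh syft 1.23.1 ./syft_1.23.1_darwin_arm64.tar.gz
[ "$#" -ne 3 ] || verify_release "$@"
```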