Getting Started
Introduction
Syft is our CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems.
Install the latest Syft release
Syft is provided as a single compiled executable. Issue the command for your platform to download the latest release of Syft. The full list of official and community-maintained packages can be found on the installation page.
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
brew install syft
nuget install Anchore.Syft
Once installed, ensure the syft binary is in the PATH for your system.
Create an SBOM with Syft
Generate an SBOM for a container image:
syft <image>
Display the contents of a public container image
Run syft with default options against a small container, which will be pulled from DockerHub. The output will be a simple human-readable table.
Learn more
Syft supports more than just containers; find out more about Supported Sources.
syft alpine:latest
The output will look similar to the following table.
✔ Pulled image
✔ Loaded image alpine:latest
✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9…
✔ Cataloged contents 058c92d86112aa6f641b01ed238a07a3885…
├── ✔ Packages [15 packages]
├── ✔ File metadata [82 locations]
├── ✔ File digests [82 files]
└── ✔ Executables [17 executables]
NAME VERSION TYPE
alpine-baselayout 3.6.8-r1 apk
alpine-baselayout-data 3.6.8-r1 apk
alpine-keys 2.5-r0 apk
alpine-release 3.21.3-r0 apk
apk-tools 2.14.6-r3 apk
busybox 1.37.0-r12 apk
busybox-binsh 1.37.0-r12 apk
ca-certificates-bundle 20241121-r1 apk
libcrypto3 3.3.3-r0 apk
libssl3 3.3.3-r0 apk
musl 1.2.5-r9 apk
musl-utils 1.2.5-r9 apk
scanelf 1.3.8-r1 apk
ssl_client 1.37.0-r12 apk
zlib 1.3.1-r2 apk
Create an SPDX formatted SBOM
The next command will display the human-readable table, and write an SBOM in an industry-standard format, SPDX.
syft alpine:latest -o table -o spdx-json=alpine_latest-spdx.json
The same table will be displayed, but there will also be an SBOM in the current directory.
Learn more
Syft supports multiple SBOM output formats; find out more about Output Formats.
Examine the SPDX file contents
The JSON output by Syft is long, but compressed down to one line. We can use jq to prettify it, and extract some package data.
Note
jq is a third-party command-line utility for manipulating JSON documents; find out more about jq on the jqlang website.
jq '.packages[].name' < alpine_latest-spdx.json
The output will show a list of packages that Syft found in the container.
"alpine-baselayout"
"alpine-baselayout-data"
"alpine-keys"
"alpine-release"
"apk-tools"
"busybox"
"busybox-binsh"
"ca-certificates-bundle"
"libcrypto3"
"libssl3"
"musl"
"musl-utils"
"scanelf"
"ssl_client"
"zlib"
"alpine"
The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:
syft <image> --scope all-layers
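The jq one-liner above pulls package names out of the SPDX document; the same structure can be read programmatically, which also makes it easy to compare a default (squashed) scan against an all-layers scan of the same image and see which packages exist only in lower layers. The following is an added example, not code from the Syft project. It parses the SPDX 2.x JSON shape that Syft's spdx-json output uses (a top-level "packages" array whose entries carry "name", "versionInfo" and a purl externalRef) and diffs two documents. Both SBOM documents are constructed inline, and the curl/libcurl versions in the all-layers document are made-up values chosen to illustrate a package that was installed and later removed in a higher layer.

```python
import json
from typing import Dict, List, Tuple

PackageKey = Tuple[str, str]  # (name, version)


def load_packages(sbom_json: str) -> Dict[PackageKey, str]:
    """Parse an SPDX 2.x JSON document and return {(name, version): purl}.

    Only the fields Syft's spdx-json output carries for a package are read:
    "name", "versionInfo" and the externalRef whose referenceType is "purl".
    A package with no purl (for example a document-level root package) maps
    to an empty string, and a missing versionInfo is treated as "".
    """
    doc = json.loads(sbom_json)
    packages: Dict[PackageKey, str] = {}
    for pkg in doc.get("packages", []):
        name = pkg["name"]
        version = pkg.get("versionInfo", "")
        purl = ""
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator", "")
                break
        packages[(name, version)] = purl
    return packages


def layer_only_packages(squashed_json: str, all_layers_json: str) -> List[PackageKey]:
    """Packages present in the all-layers scan but absent from the squashed scan.

    These are packages that were installed in one layer and removed in a later
    one: invisible in the running container, but still shipped in the image
    history, which is why `--scope all-layers` reports them.
    """
    squashed = load_packages(squashed_json)
    all_layers = load_packages(all_layers_json)
    return sorted(key for key in all_layers if key not in squashed)


def _apk(name: str, version: str) -> dict:
    # Constructed SPDX package entry in the shape Syft emits for an apk package
    # (real output carries many more fields; only the ones read above matter here).
    return {
        "SPDXID": f"SPDXRef-Package-apk-{name}",
        "name": name,
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": f"pkg:apk/alpine/{name}@{version}",
        }],
    }


# Constructed, abbreviated SBOM for the squashed (default-scope) view of the image.
SQUASHED_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "alpine:latest",
    "packages": [
        _apk("busybox", "1.37.0-r12"),
        _apk("musl", "1.2.5-r9"),
        _apk("zlib", "1.3.1-r2"),
    ],
})

# Constructed all-layers view: the same packages plus curl/libcurl, standing in
# for a package that a lower layer installed and a higher layer deleted.
# The curl versions are made up for the example.
ALL_LAYERS_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "alpine:latest",
    "packages": [
        _apk("busybox", "1.37.0-r12"),
        _apk("musl", "1.2.5-r9"),
        _apk("zlib", "1.3.1-r2"),
        _apk("curl", "8.12.1-r1"),
        _apk("libcurl", "8.12.1-r1"),
    ],
})


if __name__ == "__main__":
    for (name, version), purl in sorted(load_packages(SQUASHED_SBOM).items()):
        print(f"{name:<20} {version:<14} {purl}")
    print("only in all-layers scan:", layer_only_packages(SQUASHED_SBOM, ALL_LAYERS_SBOM))
```

To run this against real Syft output, write both documents with `syft alpine:latest -o spdx-json=squashed.json` and `syft alpine:latest --scope all-layers -o spdx-json=all-layers.json`, then pass the file contents to `layer_only_packages`. Keying on (name, version) rather than name alone keeps two versions of the same package in different layers from collapsing into one entry.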
Next steps
- Try running Syft against other containers, or an application directory on your workstation.
- Find out more about Supported Sources and Output Formats.
- Learn about Vulnerability Scanning and License Scanning your SBOMs.