Syft is an open source tool developed by Anchore that generates a Software Bill of Materials (SBOM) for container images and file systems. It identifies dependencies, libraries and other third-party components so that organizations understand what their software is made of, which is essential for security and compliance. By generating an SBOM for your container image or software build, Syft helps teams identify the third-party components in use, and, combined with Grype ...
The ability to convert existing SBOMs means you can create SBOMs in different formats quickly, without the need to regenerate the SBOM from scratch, which may take significantly more time. syft convert <ORIGINAL-SBOM-FILE> -o <NEW-SBOM-FORMAT>[=<NEW-SBOM-FILE>] This feature is experimental...
Able to create signed SBOM attestations using the in-toto specification Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format. Installation Syft binaries are provided for Linux, macOS and Windows. Recommended curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/in...
Convert between SBOM formats, such as CycloneDX, SPDX, and Syft's own format. Installation Syft binaries are provided for Linux, macOS and Windows. Recommended curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin ...
To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers: syft <image> --scope all-layers Output formats The output format for Syft is configurable as well using the -o (or --output) option: syft <image> -o <...
To generate an SBOM attestation for a container image using a local private key: syft attest --output [FORMAT] --key [KEY] [SOURCE] [flags] The above output is in the form of the DSSE envelope. The payload is a base64 encoded in-toto statement with the generated SBOM as the predic...
  # - sbom-cataloger
  # - spm-cataloger
catalogers:
# all format configuration
format:
  # default value for all formats that support the "pretty" option (default is unset)
  pretty:
  # all syft-json format options
  json:
    # include space indention and newlines (inherits default value from 'format.pretty...
A GitHub Action for creating a software bill of materials (SBOM) using Syft. Basic Usage - uses: anchore/sbom-action@v0 By default, this action will execute a Syft scan in the workspace directory and upload a workflow artifact SBOM in SPDX format. It will also detect if being run during...