
syft


Builds an SBOM (Software Bill Of Materials) from your repository

syft documentation

syft - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_SYFT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_SYFT_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | Exclude every file |
| REPOSITORY_SYFT_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| REPOSITORY_SYFT_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_SYFT_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_SYFT_CONFIG_FILE | syft configuration file name. Use `LINTER_DEFAULT` to let the linter find it | `.syft.yaml` |
| REPOSITORY_SYFT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_SYFT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_SYFT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |

MegaLinter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 101 |
| security | Optimized for security | 20 |

Behind the scenes

How applicable files are identified

  • If this linter is active, all files will always be linted

How the linting is performed

syft is called once on the whole project directory

  • filtering cannot be done using MegaLinter configuration variables; it must be done using the syft configuration file or ignore file (if one exists)
  • VALIDATE_ALL_CODEBASE: false does not make syft analyze only updated files
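Because MegaLinter's file filters do not apply here, path exclusions have to live in syft's own config. The following two files are an added example, not from the MegaLinter or syft projects: `.syft.yaml` uses syft's `exclude` glob list (the file-based equivalent of the `--exclude` flag shown in the help below), and `.mega-linter.yml` passes the output format and file through REPOSITORY_SYFT_ARGUMENTS. The exclusion globs and the output file name `sbom.cdx.json` are assumed values; the output path is assumed to resolve relative to the linted workspace.

```yaml
# .syft.yaml (added example; picked up because REPOSITORY_SYFT_CONFIG_FILE defaults to .syft.yaml)
# Globs to skip when cataloging the whole project directory.
# Vendored or test fixtures would otherwise be reported as real dependencies.
exclude:
  - "./node_modules/**"      # assumed: installed deps are cataloged from lockfiles instead
  - "./tests/fixtures/**"    # assumed: sample packages used only by tests
  - "./build/**"             # assumed: generated artifacts

---
# .mega-linter.yml (added example)
ENABLE_LINTERS:
  - REPOSITORY_SYFT          # only syft runs in this example
# Flags are appended to the "syft /tmp/lint" call; both are listed in the help below.
REPOSITORY_SYFT_ARGUMENTS: "-o cyclonedx-json --file sbom.cdx.json"
# Keep the run from failing the pipeline while the SBOM step is being introduced.
REPOSITORY_SYFT_DISABLE_ERRORS: true
```

The resulting `sbom.cdx.json` can then be archived as a build artifact or fed to a vulnerability matcher, which is the usual reason to generate it in CI.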

Example calls

syft /tmp/lint

Help content

Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems

Usage:
   [flags]
   [command]

Examples:
  syft packages alpine:latest                    a summary of discovered packages
  syft packages alpine:latest -o json                        show all possible cataloging details
  syft packages alpine:latest -o cyclonedx                   show a CycloneDX formatted SBOM
  syft packages alpine:latest -o cyclonedx-json              show a CycloneDX JSON formatted SBOM
  syft packages alpine:latest -o spdx                        show a SPDX 2.2 Tag-Value formatted SBOM
  syft packages alpine:latest -o spdx-json                   show a SPDX 2.2 JSON formatted SBOM
  syft packages alpine:latest -vv                            show verbose debug information
  syft packages alpine:latest -o template -t my_format.tmpl  show a SBOM formatted according to given template file

  Supports the following image sources:
    syft packages yourrepo/yourimage:tag     defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
    syft packages path/to/a/file/or/dir      a Docker tar, OCI tar, OCI directory, or generic filesystem directory

  You can also explicitly specify the scheme to use:
    syft packages docker:yourrepo/yourimage:tag          explicitly use the Docker daemon
    syft packages podman:yourrepo/yourimage:tag           explicitly use the Podman daemon
    syft packages registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)
    syft packages docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"
    syft packages oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Skopeo or otherwise)
    syft packages oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
    syft packages dir:path/to/yourproject                read directly from a path on disk (any directory)
    syft packages file:path/to/yourproject/file          read directly from a path on disk (any single file)


Available Commands:
  attest      Generate a package SBOM as an attestation for the given [SOURCE] container image
  completion  Generate a shell completion for Syft (listing local docker images)
  convert     Convert between SBOM formats
  help        Help about any command
  login       Log in to a registry
  packages    Generate a package SBOM
  version     show the version

Flags:
      --catalogers stringArray     enable one or more package catalogers
  -c, --config string              application config file
  -d, --dockerfile string          include dockerfile for upload to Anchore Enterprise
      --exclude stringArray        exclude paths from being scanned using a glob expression
      --file string                file to write the default report output to (default is STDOUT)
  -h, --help                       help for this command
  -H, --host string                the hostname or URL of the Anchore Enterprise instance to upload to
      --import-timeout uint        set a timeout duration (in seconds) for the upload to Anchore Enterprise (default 30)
  -o, --output stringArray         report output format, options=[syft-json cyclonedx-xml cyclonedx-json github github-json spdx-tag-value spdx-json table text template] (default [table])
      --overwrite-existing-image   overwrite an existing image during the upload to Anchore Enterprise
  -p, --password string            the password to authenticate against Anchore Enterprise
      --platform string            an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
  -q, --quiet                      suppress all logging output
  -s, --scope string               selection of layers to catalog, options=[Squashed AllLayers] (default "Squashed")
  -t, --template string            specify the path to a Go template file
  -u, --username string            the username to authenticate against Anchore Enterprise
  -v, --verbose count              increase verbosity (-v = info, -vv = debug)
      --version                    version for this command

Use " [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands:
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin