syft

Builds a SBOM (Software Build Of Materials) from your repository

syft documentation

• Version in MegaLinter: 0.94.0
• Visit Official Web Site

Configuration in MegaLinter

• Enable syft by adding REPOSITORY_SYFT in ENABLE_LINTERS variable
• Disable syft by adding REPOSITORY_SYFT in DISABLE_LINTERS variable

MegaLinter Flavours

This linter is available in the following flavours

	Flavor	Description	Embedded linters	Info
	all	Default MegaLinter Flavor	117
	security	Optimized for security	24

Behind the scenes

How are identified applicable files

• If this linter is active, all files will always be linted

How the linting is performed

syft is called once on the whole project directory (project CLI lint mode)

• filtering can not be done using MegaLinter configuration variables,it must be done using syft configuration or ignore file (if existing)
• VALIDATE_ALL_CODEBASE: false doesn't make syft analyze only updated files

Example calls

syft /tmp/lint

Help content

Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems

Usage:
  syft [command]

Application Configuration:

  # (env: SYFT_CONFIG)
  config: ''

  # report output format (<format>=<file> to output to a file), formats=[syft-json github-json syft-table syft-text template cyclonedx-xml cyclonedx-json spdx-tag-value spdx-json] (env: SYFT_OUTPUT)
  output:
    - 'syft-table'

  # file to write the default report output to (default is STDOUT) (env: SYFT_FILE)
  file: ''

  # specify the path to a Go template file (env: SYFT_OUTPUT_TEMPLATE_PATH)
  output-template-path: ''

  # (env: SYFT_CHECK_FOR_APP_UPDATE)
  check-for-app-update: true

  # enable one or more package catalogers (env: SYFT_CATALOGERS)
  catalogers: []

  package:
    cataloger:
      # (env: SYFT_PACKAGE_CATALOGER_ENABLED)
      enabled: true

      # selection of layers to catalog, options=[squashed all-layers] (env: SYFT_PACKAGE_CATALOGER_SCOPE)
      scope: 'Squashed'

    # (env: SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES)
    search-unindexed-archives: false

    # (env: SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES)
    search-indexed-archives: true

  golang:
    # (env: SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES)
    search-local-mod-cache-licenses: false

    # (env: SYFT_GOLANG_LOCAL_MOD_CACHE_DIR)
    local-mod-cache-dir: ''

    # (env: SYFT_GOLANG_SEARCH_REMOTE_LICENSES)
    search-remote-licenses: false

    # (env: SYFT_GOLANG_PROXY)
    proxy: ''

    # (env: SYFT_GOLANG_NO_PROXY)
    no-proxy: ''

  linux-kernel:
    # (env: SYFT_LINUX_KERNEL_CATALOG_MODULES)
    catalog-modules: true

  python:
    # (env: SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS)
    guess-unpinned-requirements: false

  file-metadata:
    cataloger:
      # (env: SYFT_FILE_METADATA_CATALOGER_ENABLED)
      enabled: false

      # (env: SYFT_FILE_METADATA_CATALOGER_SCOPE)
      scope: 'Squashed'

    # (env: SYFT_FILE_METADATA_DIGESTS)
    digests:
      - 'sha256'

  file-classification:
    cataloger:
      # (env: SYFT_FILE_CLASSIFICATION_CATALOGER_ENABLED)
      enabled: false

      # (env: SYFT_FILE_CLASSIFICATION_CATALOGER_SCOPE)
      scope: 'Squashed'

  file-contents:
    cataloger:
      # (env: SYFT_FILE_CONTENTS_CATALOGER_ENABLED)
      enabled: false

      # (env: SYFT_FILE_CONTENTS_CATALOGER_SCOPE)
      scope: 'Squashed'

    # (env: SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE)
    skip-files-above-size: 1048576

    # (env: SYFT_FILE_CONTENTS_GLOBS)
    globs: []

  secrets:
    cataloger:
      # (env: SYFT_SECRETS_CATALOGER_ENABLED)
      enabled: false

      # (env: SYFT_SECRETS_CATALOGER_SCOPE)
      scope: 'AllLayers'

    # (env: SYFT_SECRETS_ADDITIONAL_PATTERNS)
    additional-patterns: map[]

    # (env: SYFT_SECRETS_EXCLUDE_PATTERN_NAMES)
    exclude-pattern-names: []

    # (env: SYFT_SECRETS_REVEAL_VALUES)
    reveal-values: false

    # (env: SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE)
    skip-files-above-size: 1048576

  registry:
    # (env: SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
    insecure-skip-tls-verify: false

    # (env: SYFT_REGISTRY_INSECURE_USE_HTTP)
    insecure-use-http: false

    auth: []

    # (env: SYFT_REGISTRY_CA_CERT)
    ca-cert: ''

  # exclude paths from being scanned using a glob expression (env: SYFT_EXCLUDE)
  exclude: []

  # an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: SYFT_PLATFORM)
  platform: ''

  # (env: SYFT_NAME)
  name: ''

  source:
    # set the name of the target being analyzed (env: SYFT_SOURCE_NAME)
    name: ''

    # set the version of the target being analyzed (env: SYFT_SOURCE_VERSION)
    version: ''

    file:
      # (env: SYFT_SOURCE_FILE_DIGESTS)
      digests:
        - 'sha256'

  # (env: SYFT_PARALLELISM)
  parallelism: 1

  # (env: SYFT_DEFAULT_IMAGE_PULL_SOURCE)
  default-image-pull-source: ''

  # base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory (env: SYFT_BASE_PATH)
  base-path: ''

  # (env: SYFT_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
  exclude-binary-overlap-by-ownership: true

  log:
    # suppress all logging output (env: SYFT_LOG_QUIET)
    quiet: false

    # increase verbosity (-v = info, -vv = debug) (env: SYFT_LOG_VERBOSITY)
    verbosity: 0

    # explicitly set the logging level (available: [error warn info debug trace]) (env: SYFT_LOG_LEVEL)
    level: warn

    # file path to write logs to (env: SYFT_LOG_FILE)
    file: ''

  dev:
    # capture resource profiling data (available: [cpu, mem]) (env: SYFT_DEV_PROFILE)
    profile: none

  # (env: SYFT_KEY)
  key:

  # (env: SYFT_PASSWORD)
  password:

Config Search Locations:
  - .syft.yaml
  - .syft/config.yaml
  - /root/.syft.yaml
  - /root/.config/syft/config.yaml
  - /etc/xdg/syft/config.yaml

Available Commands:
  attest      Generate an SBOM as an attestation for the given [SOURCE] container image
  completion  Generate the autocompletion script for the specified shell
  convert     Convert between SBOM formats
  help        Help about any command
  login       Log in to a registry
  packages    Generate a package SBOM
  version     show version information

Flags:
      --base-path string         base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
      --catalogers stringArray   enable one or more package catalogers
  -c, --config string            syft configuration file
      --exclude stringArray      exclude paths from being scanned using a glob expression
      --file string              file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
  -h, --help                     help for syft
      --name string              set the name of the target being analyzed (DEPRECATED: use: source-name)
  -o, --output stringArray       report output format (<format>=<file> to output to a file), formats=[syft-json github-json syft-table syft-text template cyclonedx-xml cyclonedx-json spdx-tag-value spdx-json] (default [syft-table])
      --platform string          an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
  -q, --quiet                    suppress all logging output
  -s, --scope string             selection of layers to catalog, options=[squashed all-layers] (default "Squashed")
      --source-name string       set the name of the target being analyzed
      --source-version string    set the version of the target being analyzed
  -t, --template string          specify the path to a Go template file
  -v, --verbose count            increase verbosity (-v = info, -vv = debug)
      --version                  version for syft

Use "syft [command] --help" for more information about a command.

Installation on mega-linter Docker image

• Dockerfile commands :

RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin