syft
Builds an SBOM (Software Bill of Materials) from your repository
syft documentation
- Version in MegaLinter: 0.97.1
- Visit Official Web Site
Configuration in MegaLinter
- Enable syft by adding REPOSITORY_SYFT in ENABLE_LINTERS variable
- Disable syft by adding REPOSITORY_SYFT in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_SYFT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
REPOSITORY_SYFT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
REPOSITORY_SYFT_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_SYFT_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_SYFT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_SYFT and its pre/post commands | None |
REPOSITORY_SYFT_CONFIG_FILE | syft configuration file name. Use LINTER_DEFAULT to let the linter find it | .syft.yaml |
REPOSITORY_SYFT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_SYFT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_SYFT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_SYFT_CLI_EXECUTABLE | Override CLI executable | ['syft'] |
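A minimal .mega-linter.yml that wires these variables together, added here as an illustration rather than taken from the MegaLinter documentation; the output file name is an assumption:

```yaml
# .mega-linter.yml (added example; the output file name is an assumption)
ENABLE_LINTERS:
  - REPOSITORY_SYFT
# Appended to the syft CLI call: write CycloneDX JSON to a file instead of
# the default syft-table on stdout, so later pipeline steps can consume it.
REPOSITORY_SYFT_ARGUMENTS: "-o cyclonedx-json=sbom.cdx.json"
# syft reads its own settings (exclusions, catalogers, network use) from this
# file in the workspace; LINTER_DEFAULT would let syft search its usual
# locations instead.
REPOSITORY_SYFT_CONFIG_FILE: .syft.yaml
# Keep a syft failure from failing the whole MegaLinter run while the SBOM
# step is being introduced; remove once the report is relied upon.
REPOSITORY_SYFT_DISABLE_ERRORS: true
```

The -o <format>=<file> syntax is the one documented in the syft help output further down this page; the arguments variable only appends to the command line, so any path filtering still has to live in the syft configuration file.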
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters | Info |
---|---|---|---|
all | Default MegaLinter Flavor | 118 | |
security | Optimized for security | 24 | |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
- syft is called once on the whole project directory (project CLI lint mode)
- Filtering cannot be done with MegaLinter configuration variables; it must be done in the syft configuration or ignore file (if one exists)
- VALIDATE_ALL_CODEBASE: false does not make syft analyze only updated files
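Because MegaLinter's own file filters do not apply here, exclusions and output settings go in the syft configuration file that MegaLinter resolves from REPOSITORY_SYFT_CONFIG_FILE (default .syft.yaml). The file below is an added example, not configuration shipped with MegaLinter or syft; the glob patterns and the output file name are assumptions for a typical repository. It also pins the settings that would otherwise let a CI scan reach out to the network, and keeps secret values out of the report if the secrets cataloger is ever switched on:

```yaml
# .syft.yaml at the workspace root (added example; globs and output file
# name are assumptions). Keys follow the syft 0.97 configuration shown in
# the help output on this page.

# Paths to skip, relative to the scan root: "./" anchors at the root and
# "**" recurses. This is the only place syft path filtering can be done
# when it runs under MegaLinter.
exclude:
  - "./node_modules/**"
  - "./megalinter-reports/**"
  - "**/testdata/**"

# Machine-readable output for downstream tooling instead of the default table.
output:
  - "cyclonedx-json=sbom.cdx.json"

# Keep the CI scan hermetic: no update check, no remote license or POM lookups.
check-for-app-update: false
golang:
  search-remote-licenses: false
java:
  use-network: false

# Never relax registry transport security; image scans should fail loudly
# on a TLS problem rather than silently trust a spoofed registry.
registry:
  insecure-skip-tls-verify: false
  insecure-use-http: false

# The secrets cataloger is off by default; if it is enabled, leave
# reveal-values off so matched secrets are not copied into the SBOM.
secrets:
  cataloger:
    enabled: false
  reveal-values: false
```

Because syft is invoked once on the whole directory, every excluded path saves scan time directly; the report directory is excluded so a previous run's SBOM is not itself catalogued.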
Example calls
```shell
syft /tmp/lint
```
Help content
```text
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems

Usage:
  syft [command]

Application Configuration:

  # (env: SYFT_CONFIG)
  config: ''

  # report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (env: SYFT_OUTPUT)
  output:
    - 'syft-table'

  # file to write the default report output to (default is STDOUT) (env: SYFT_FILE)
  file: ''

  format:
    template:
      # specify the path to a Go template file (env: SYFT_FORMAT_TEMPLATE_PATH)
      path: ''
    json:
      # (env: SYFT_FORMAT_JSON_LEGACY)
      legacy: false

  # (env: SYFT_CHECK_FOR_APP_UPDATE)
  check-for-app-update: true

  # enable one or more package catalogers (env: SYFT_CATALOGERS)
  catalogers: []

  package:
    cataloger:
      # (env: SYFT_PACKAGE_CATALOGER_ENABLED)
      enabled: true
      # selection of layers to catalog, options=[squashed all-layers] (env: SYFT_PACKAGE_CATALOGER_SCOPE)
      scope: 'Squashed'
    # (env: SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES)
    search-unindexed-archives: false
    # (env: SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES)
    search-indexed-archives: true

  golang:
    # (env: SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES)
    search-local-mod-cache-licenses: false
    # (env: SYFT_GOLANG_LOCAL_MOD_CACHE_DIR)
    local-mod-cache-dir: ''
    # (env: SYFT_GOLANG_SEARCH_REMOTE_LICENSES)
    search-remote-licenses: false
    # (env: SYFT_GOLANG_PROXY)
    proxy: ''
    # (env: SYFT_GOLANG_NO_PROXY)
    no-proxy: ''

  java:
    # (env: SYFT_JAVA_USE_NETWORK)
    use-network: false
    # (env: SYFT_JAVA_MAVEN_URL)
    maven-url: ''
    # (env: SYFT_JAVA_MAX_PARENT_RECURSIVE_DEPTH)
    max-parent-recursive-depth: 0

  linux-kernel:
    # (env: SYFT_LINUX_KERNEL_CATALOG_MODULES)
    catalog-modules: true

  python:
    # (env: SYFT_PYTHON_GUESS_UNPINNED_REQUIREMENTS)
    guess-unpinned-requirements: false

  file-metadata:
    cataloger:
      # (env: SYFT_FILE_METADATA_CATALOGER_ENABLED)
      enabled: false
      # (env: SYFT_FILE_METADATA_CATALOGER_SCOPE)
      scope: 'Squashed'
    # (env: SYFT_FILE_METADATA_DIGESTS)
    digests:
      - 'sha256'

  file-classification:
    cataloger:
      # (env: SYFT_FILE_CLASSIFICATION_CATALOGER_ENABLED)
      enabled: false
      # (env: SYFT_FILE_CLASSIFICATION_CATALOGER_SCOPE)
      scope: 'Squashed'

  file-contents:
    cataloger:
      # (env: SYFT_FILE_CONTENTS_CATALOGER_ENABLED)
      enabled: false
      # (env: SYFT_FILE_CONTENTS_CATALOGER_SCOPE)
      scope: 'Squashed'
    # (env: SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE)
    skip-files-above-size: 1048576
    # (env: SYFT_FILE_CONTENTS_GLOBS)
    globs: []

  secrets:
    cataloger:
      # (env: SYFT_SECRETS_CATALOGER_ENABLED)
      enabled: false
      # (env: SYFT_SECRETS_CATALOGER_SCOPE)
      scope: 'AllLayers'
    # (env: SYFT_SECRETS_ADDITIONAL_PATTERNS)
    additional-patterns: map[]
    # (env: SYFT_SECRETS_EXCLUDE_PATTERN_NAMES)
    exclude-pattern-names: []
    # (env: SYFT_SECRETS_REVEAL_VALUES)
    reveal-values: false
    # (env: SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE)
    skip-files-above-size: 1048576

  registry:
    # (env: SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
    insecure-skip-tls-verify: false
    # (env: SYFT_REGISTRY_INSECURE_USE_HTTP)
    insecure-use-http: false
    auth: []
    # (env: SYFT_REGISTRY_CA_CERT)
    ca-cert: ''

  # exclude paths from being scanned using a glob expression (env: SYFT_EXCLUDE)
  exclude: []

  # an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: SYFT_PLATFORM)
  platform: ''

  # (env: SYFT_NAME)
  name: ''

  source:
    # set the name of the target being analyzed (env: SYFT_SOURCE_NAME)
    name: ''
    # set the version of the target being analyzed (env: SYFT_SOURCE_VERSION)
    version: ''
    file:
      # (env: SYFT_SOURCE_FILE_DIGESTS)
      digests:
        - 'sha256'

  # (env: SYFT_PARALLELISM)
  parallelism: 1

  # (env: SYFT_DEFAULT_IMAGE_PULL_SOURCE)
  default-image-pull-source: ''

  # base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory (env: SYFT_BASE_PATH)
  base-path: ''

  # (env: SYFT_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
  exclude-binary-overlap-by-ownership: true

  log:
    # suppress all logging output (env: SYFT_LOG_QUIET)
    quiet: false
    # increase verbosity (-v = info, -vv = debug) (env: SYFT_LOG_VERBOSITY)
    verbosity: 0
    # explicitly set the logging level (available: [error warn info debug trace]) (env: SYFT_LOG_LEVEL)
    level: warn
    # file path to write logs to (env: SYFT_LOG_FILE)
    file: ''

  dev:
    # capture resource profiling data (available: [cpu, mem]) (env: SYFT_DEV_PROFILE)
    profile: none

  # (env: SYFT_KEY)
  key:

  # (env: SYFT_PASSWORD)
  password:

Config Search Locations:
  - .syft.yaml
  - .syft/config.yaml
  - /root/.syft.yaml
  - /root/.config/syft/config.yaml
  - /etc/xdg/syft/config.yaml

Available Commands:
  attest      Generate an SBOM as an attestation for the given [SOURCE] container image
  completion  Generate the autocompletion script for the specified shell
  convert     Convert between SBOM formats
  help        Help about any command
  login       Log in to a registry
  packages    Generate a package SBOM
  version     show version information

Flags:
      --base-path string          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
      --catalogers stringArray    enable one or more package catalogers
  -c, --config string             syft configuration file
      --exclude stringArray       exclude paths from being scanned using a glob expression
      --file string               file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
  -h, --help                      help for syft
      --name string               set the name of the target being analyzed (DEPRECATED: use: source-name)
  -o, --output stringArray        report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
      --platform string           an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
  -q, --quiet                     suppress all logging output
  -s, --scope string              selection of layers to catalog, options=[squashed all-layers] (default "Squashed")
      --source-name string        set the name of the target being analyzed
      --source-version string     set the version of the target being analyzed
  -t, --template string           specify the path to a Go template file
  -v, --verbose count             increase verbosity (-v = info, -vv = debug)
      --version                   version for syft

Use "syft [command] --help" for more information about a command.
```
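Once syft writes CycloneDX JSON (-o cyclonedx-json=<file>, one of the formats listed in the help above), the SBOM only earns its keep downstream if every component can be matched: a vulnerability scanner keys on the purl, and a component with no version anywhere is a dependency the repository never pinned. The script below is an added example, not MegaLinter or syft code, that reads such a file and fails the build on those gaps; the sample document, the policy and the allowlist of package ecosystems are constructed for the example.

```python
"""Gate a CI run on the CycloneDX JSON SBOM that syft writes when called with
-o cyclonedx-json=<file>.

Added example, not MegaLinter or syft code.  The policy (every component needs
a purl and a version; purl ecosystems outside ALLOWED_PURL_TYPES are reported)
is an assumption chosen for illustration.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of syft's cyclonedx-json output (a metadata
# block for the scanned target plus a components list).  Not real tool output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "lint-target"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        # no version anywhere: what an unpinned requirements.txt entry yields
        {"type": "library", "name": "flask", "purl": "pkg:pypi/flask"},
        # no purl at all: a vulnerability matcher has nothing to key on
        {"type": "library", "name": "vendored-blob", "version": "0.0.1"},
    ],
})

# Ecosystems this repository is expected to pull from (assumption).
ALLOWED_PURL_TYPES = {"npm", "pypi", "golang", "maven", "deb", "apk", "rpm"}


def parse_purl(purl):
    """Split pkg:TYPE/NAMESPACE/NAME@VERSION?QUALIFIERS#SUBPATH into
    (type, name, version); version is None when the purl carries none."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        name_part, _, version = rest.rpartition("@")
    else:
        name_part, version = rest, None
    return ptype, name_part.rsplit("/", 1)[-1], version


def audit(sbom_json):
    """Return (findings, counts): findings is a list of (component name, reason)
    and counts maps purl type to number of components.  Empty findings = pass."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings, counts = [], Counter()
    for comp in doc.get("components", []):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl")
        if not purl:
            findings.append((name, "no purl"))
            continue
        ptype, _, purl_version = parse_purl(purl)
        counts[ptype] += 1
        if ptype not in ALLOWED_PURL_TYPES:
            findings.append((name, "unexpected ecosystem " + ptype))
        # A version on the component or inside the purl is enough; neither
        # means the dependency is unpinned in the repository.
        if not comp.get("version") and not purl_version:
            findings.append((name, "no version (unpinned)"))
    return findings, counts


def report(sbom_json):
    """Print a per-ecosystem summary and the findings; return a CI exit code."""
    findings, counts = audit(sbom_json)
    for ptype, n in sorted(counts.items()):
        print("%-8s %d" % (ptype, n))
    for name, reason in findings:
        print("FAIL %s: %s" % (name, reason))
    return 1 if findings else 0


if __name__ == "__main__":
    # usage: python sbom_gate.py sbom.cdx.json  (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    sys.exit(report(data))
```

Run it as a REPOSITORY_SYFT_POST_COMMANDS step or as a separate job on the file named in REPOSITORY_SYFT_ARGUMENTS; the non-zero exit on findings is what turns a missing purl or version into a failed pipeline rather than a line in a report nobody reads.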
Installation on mega-linter Docker image
- Dockerfile commands:

```dockerfile
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
```