syft

Builds an SBOM (Software Bill of Materials) from your repository

syft documentation

syft - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_SYFT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
| REPOSITORY_SYFT_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | Exclude every file |
| REPOSITORY_SYFT_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file |
| REPOSITORY_SYFT_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_SYFT_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_SYFT_CONFIG_FILE | syft configuration file name. Use LINTER_DEFAULT to let the linter find it | .syft.yaml |
| REPOSITORY_SYFT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_SYFT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_SYFT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |

MegaLinter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 101 |
| security | Optimized for security | 20 |

Behind the scenes

How applicable files are identified

  • If this linter is active, all files will always be linted

How the linting is performed

syft is called once on the whole project directory

  • Filtering cannot be done using MegaLinter configuration variables; it must be done using the syft configuration or ignore file (if one exists)
  • VALIDATE_ALL_CODEBASE: false does not make syft analyze only updated files
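
Because syft always receives the whole project directory, scoping the SBOM has to happen in syft's own configuration file. The following is an added example, not taken from the MegaLinter or syft documentation: it shows the two files side by side as one multi-document YAML listing, and the excluded paths are constructed placeholders.

```yaml
# --- File 1: .mega-linter.yml (repository root) ---
ENABLE_LINTERS:
  - REPOSITORY_SYFT

# Name of the syft configuration file; it is looked up in the workspace
# folder first, then in the MegaLinter default rules.
REPOSITORY_SYFT_CONFIG_FILE: .syft.yaml

# Default behaviour stated explicitly: a syft error fails the run
# instead of being downgraded to a warning.
REPOSITORY_SYFT_DISABLE_ERRORS: false

# REPOSITORY_SYFT_FILE_EXTENSIONS and REPOSITORY_SYFT_FILE_NAMES_REGEX are
# left unset on purpose: they do not narrow what syft scans.

---
# --- File 2: .syft.yaml (repository root) ---
# Path globs to leave out of the scan. For a directory scan, each pattern
# must start with "./", "*/" or "**/".
# Every exclusion removes components from the resulting SBOM, so list only
# paths that never ship (constructed example paths below).
exclude:
  - "./docs/**"
  - "**/testdata/**"
```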

Example calls

syft /tmp/lint

Installation on mega-linter Docker image

  • Dockerfile commands :
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin