syft
Builds a SBOM (Software Build Of Materials) from your repository
syft documentation
- Visit Official Web Site
Configuration in MegaLinter
- Enable syft by adding
REPOSITORY_SYFT
in ENABLE_LINTERS variable - Disable syft by adding
REPOSITORY_SYFT
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_SYFT_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
REPOSITORY_SYFT_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all filesEx: [".py", ""] |
Exclude every file |
REPOSITORY_SYFT_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] |
Include every file |
REPOSITORY_SYFT_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_SYFT_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_SYFT_CONFIG_FILE | syft configuration file nameUse LINTER_DEFAULT to let the linter find it |
.syft.yaml |
REPOSITORY_SYFT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_SYFT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_SYFT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 101 | ||
security | Optimized for security | 20 |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
syft is called once on the whole project directory
- filtering can not be done using MegaLinter configuration variables,it must be done using syft configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
does not make syft analyze only updated files
Example calls
syft /tmp/lint
Installation on mega-linter Docker image
- Dockerfile commands :
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin