🍺 BREW Explorer

syft

brew install syft · v1.45.1 · Apache-2.0

Go CLI tool that generates Software Bill of Materials (SBOM) from container images and filesystems.

Why you might care

Syft creates comprehensive SBOMs in standard formats (SPDX, CycloneDX) from Docker images and OCI artifacts, which enables vulnerability scanning and supply-chain security checks. It works seamlessly with Grype for discovering known CVEs in dependencies, and it is essential for DevSecOps pipelines and compliance workflows that require artifact provenance.

Categories

container-runtime security scanner sbom

Alternatives

grype trivy cyclonedx-go

2.6k · 30-day installs · #851
8.8k · 90-day · #862
32.0k · 365-day · #860
9.1k · ★ GitHub stars · updated 1d ago

Build dependencies

go

GitHub topics

containers cyclonedx docker go golang hacktoberfest oci sbom spdx static-analysis tool

Blurb generated by claude-haiku-4-5 today.

Raw metadata
{
  "aliases": [],
  "alternatives": [
    "grype",
    "trivy",
    "cyclonedx-go"
  ],
  "build_dependencies": [
    "go"
  ],
  "categories": [
    "container-runtime",
    "security",
    "scanner",
    "sbom"
  ],
  "caveats": null,
  "conflicts_with": [],
  "dependencies": [],
  "deprecated": 0,
  "deprecation_reason": null,
  "desc": "CLI for generating a Software Bill of Materials from container images",
  "disable_reason": null,
  "disabled": 0,
  "enrichment_fetched_at": "2026-06-20T23:41:09+00:00",
  "first_seen": "2026-06-20T23:34:18+00:00",
  "full_name": "syft",
  "github_default_branch": "main",
  "github_last_commit_at": "2026-06-19T13:15:29Z",
  "github_readme_excerpt": "\u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png\" width=\"271\" alt=\"Cute pink owl syft logo\"\u003e\n\u003c/p\u003e\n\n# Syft\n\n**A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like [Grype](https://github.com/anchore/grype).**\n\n\u003cp align=\"center\"\u003e\n \u0026nbsp;\u003ca href=\"https://github.com/anchore/syft/actions/workflows/validations.yaml\" target=\"_blank\"\u003e\u003cimg alt=\"Validations\" src=\"https://github.com/anchore/syft/actions/workflows/validations.yaml/badge.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://goreportcard.com/report/github.com/anchore/syft\" target=\"_blank\"\u003e\u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/anchore/syft\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://github.com/anchore/syft/releases/latest\" target=\"_blank\"\u003e\u003cimg alt=\"GitHub release\" src=\"https://img.shields.io/github/release/anchore/syft.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://github.com/anchore/syft\" target=\"_blank\"\u003e\u003cimg alt=\"GitHub go.mod Go version\" src=\"https://img.shields.io/github/go-mod/go-version/anchore/syft.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"\" target=\"_blank\"\u003e\u003cimg alt=\"License: Apache-2.0\" src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg\"\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca href=\"https://anchore.com/discourse\" target=\"_blank\"\u003e\u003cimg alt=\"Join our Discourse\" src=\"https://img.shields.io/badge/Discourse-Join-blue?logo=discourse\"/\u003e\u003c/a\u003e\u0026nbsp;\n \u0026nbsp;\u003ca rel=\"me\" href=\"https://fosstodon.org/@syft\"\u003e\u003cimg 
alt=\"Follow on Mastodon\" src=\"https://img.shields.io/badge/Mastodon-Follow-blue?logoColor=white\u0026logo=mastodon\"/\u003e\u003c/a\u003e\u0026nbsp;\n\u003c/p\u003e\n\n![syft-demo](https://user-images.githubusercontent.com/590471/90277200-2a253000-de33-11ea-893f-32c219eea11a.gif)\n\n## Features\n\n- Generates SBOMs for **container images**, **filesystems**, **archives** (see the docs for a full list of [supported scan targets](https://oss.anchore.com/do",
  "github_repo": "anchore/syft",
  "github_stars": 9144,
  "github_topics": [
    "containers",
    "cyclonedx",
    "docker",
    "go",
    "golang",
    "hacktoberfest",
    "oci",
    "sbom",
    "spdx",
    "static-analysis",
    "tool"
  ],
  "homepage": "https://github.com/anchore/syft",
  "homepage_og_description": null,
  "homepage_og_image": null,
  "homepage_title": null,
  "installs_30d": 2623,
  "installs_365d": 31953,
  "installs_90d": 8757,
  "keg_only": 0,
  "keg_only_reason": null,
  "last_seen": "2026-06-20T23:34:18+00:00",
  "license": "Apache-2.0",
  "llm_generated_at": "2026-06-20T23:47:26+00:00",
  "llm_model": "claude-haiku-4-5",
  "name": "syft",
  "oldnames": [],
  "one_liner": "Go CLI tool that generates Software Bill of Materials (SBOM) from container images and filesystems.",
  "optional_dependencies": [],
  "rank_30d": 851,
  "rank_365d": 860,
  "rank_90d": 862,
  "raw_hash": "d8c927bfd21eef27",
  "recommended_dependencies": [],
  "revision": 0,
  "ruby_source_path": "Formula/s/syft.rb",
  "tap": "homebrew/core",
  "test_dependencies": [],
  "uses_from_macos": [],
  "version_head": "HEAD",
  "version_stable": "1.45.1",
  "versioned_formulae": [],
  "why_use_this": "Syft creates comprehensive SBOMs in standard formats (SPDX, CycloneDX) from Docker images and OCI artifacts, enabling vulnerability scanning and supply-chain security checks. Works seamlessly with Grype for discovering known CVEs in dependencies. Essential for DevSecOps pipelines and compliance workflows requiring artifact provenance."
}