
Syft

by Anchore

Open-source Software Bill of Materials generator from Anchore that produces CycloneDX and SPDX SBOMs from container images, filesystems, and source code for APAC supply chain transparency and compliance requirements.

AIMenta verdict
Recommended
5/5

"Syft is the open-source SBOM generator from Anchore — produces CycloneDX and SPDX software bills of materials from container images and filesystems for APAC supply chain compliance. Best for APAC organisations building software supply chain attestation and SBOM audit workflows."

Features: 7 | Use cases: 4 | Watch outs: 4
What it does

Key features

  • Multi-format SBOM output — CycloneDX 1.4, SPDX 2.3, and Syft JSON for APAC compliance requirements
  • Broad package cataloguing — OS packages, Python, Node.js, Java, Go, Ruby, PHP, Rust dependency extraction
  • Go binary analysis — embedded module metadata extraction from compiled Go binaries without source code
  • Cosign attestation — sign and store SBOMs as OCI attestations alongside container images in Harbor/ECR/GCR
  • Grype integration — Syft SBOMs as input to Grype vulnerability scanning without re-pulling images
  • Licence inventory — package licence metadata included in SBOM output for APAC legal compliance review
  • Source code scanning — SBOM generation from source repositories in addition to built container images
When to reach for it

Best for

  • APAC organisations required to produce SBOMs for government procurement, enterprise contractual requirements, or regulatory compliance
  • DevSecOps teams implementing software supply chain attestation with Cosign-signed SBOMs stored alongside container images
  • APAC security teams building vulnerability management workflows using Syft for SBOM generation and Grype for CVE scanning
  • Platform engineering teams wanting automated SBOM generation as a CI/CD pipeline step in APAC software delivery
Don't get burned

Limitations to know

  • Syft generates SBOMs but does not perform vulnerability scanning — pair with Grype or Trivy for CVE matching against Syft-generated SBOMs
  • SBOM completeness depends on package metadata quality — APAC images built without package manager metadata (manual file copies) may have incomplete inventories
  • Syft is a cataloguing tool, not a policy enforcement tool — APAC teams needing SBOM-gated deployment policies require Anchore Enterprise or additional admission controller tooling
  • SBOM attestation verification workflows require Cosign and OCI registry support — APAC teams using registries without OCI artifact support need alternative attestation storage
Context

About Syft

Syft is an open-source Software Bill of Materials (SBOM) generation tool developed by Anchore. It gives APAC security engineering, compliance, and DevSecOps teams machine-readable inventories of the packages, libraries, and dependencies within container images, filesystems, and source code repositories, producing SBOMs in the industry-standard CycloneDX and SPDX formats that satisfy APAC government procurement SBOM requirements and enterprise software supply chain audit workflows.

Syft's package cataloguing extracts package metadata from OS package databases (Alpine apk, Debian dpkg, Red Hat rpm), language-specific package files (Python requirements.txt/pyproject.toml, Node.js package.json/package-lock.json, Java pom.xml/build.gradle/JAR manifests, Go go.sum/go.mod and embedded binary metadata, Ruby Gemfile.lock, PHP composer.lock, Rust Cargo.lock), and binary analysis of Go-compiled binaries carrying embedded module metadata. The result is a comprehensive component inventory across the polyglot APAC microservice architectures that enterprise software delivery teams maintain.

Syft's SBOM output formats — CycloneDX 1.4+ (XML and JSON), SPDX 2.3 (tag-value and JSON), GitHub's dependency graph format, Syft's native JSON format, and table output — enable APAC organisations to produce SBOMs in the format required by their specific compliance framework, customer contractual requirement, or vulnerability scanning pipeline. CycloneDX is the preferred format for vulnerability management workflows (pairing with Grype); SPDX is preferred for licence compliance and legal team review.
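To make the CycloneDX output concrete, here is a small consumer that reads a CycloneDX 1.4 JSON SBOM of the shape Syft emits and derives two things a compliance reviewer asks for: a licence inventory and a list of components the cataloguer could not fully identify (no version or purl), which is the incomplete-inventory situation flagged under "Limitations to know". This is an added example, not Syft's or Anchore's code; it assumes only the public CycloneDX 1.4 JSON layout (bomFormat, specVersion, components[].purl, components[].licenses[].license.id), and the embedded SBOM is constructed by hand to resemble a scan of a small Alpine-based image.

```python
"""Consume a CycloneDX 1.4 JSON SBOM of the kind Syft produces.

Added example, not Syft code. Assumes the CycloneDX 1.4 JSON layout:
bomFormat / specVersion / components, with per-component purl and
licenses[].license.id (or licenses[].expression).
"""
import json
from collections import Counter

# Constructed sample SBOM (hand-written, not real Syft output). It mimics a
# scan of a small Alpine image with Python packages plus one binary that was
# copied into the image by hand and therefore has no package-manager record.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r2",
         "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64&distro=alpine-3.18.4",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "openssl", "version": "3.1.4-r1",
         "purl": "pkg:apk/alpine/openssl@3.1.4-r1?arch=x86_64&distro=alpine-3.18.4",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "pyyaml", "version": "6.0.1",
         "purl": "pkg:pypi/pyyaml@6.0.1"},
        # Hand-copied binary: the cataloguer can only report its name.
        {"type": "library", "name": "vendor-helper"},
    ],
})


def load_components(sbom_text):
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def licence_inventory(components):
    """Count licence identifiers per component.

    Components with no licence data are tallied under 'UNKNOWN' so the gap
    is visible to a legal reviewer instead of silently dropped.
    """
    counts = Counter()
    for comp in components:
        ids = []
        for entry in comp.get("licenses", []):
            if "license" in entry:
                lic = entry["license"]
                ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
            elif "expression" in entry:
                ids.append(entry["expression"])
        counts.update(ids or ["UNKNOWN"])
    return dict(counts)


def incomplete_components(components):
    """Names of components lacking a version or a purl.

    Such entries cannot be matched against vulnerability data by a scanner
    like Grype, so they should be investigated or documented.
    """
    return [c["name"] for c in components
            if not c.get("version") or not c.get("purl")]


def ecosystems(components):
    """Group components by purl type (apk, pypi, ...) to show coverage."""
    counts = Counter()
    for c in components:
        purl = c.get("purl")
        if purl and purl.startswith("pkg:"):
            counts[purl[4:].split("/", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("ecosystems:", ecosystems(comps))
    print("licences:", licence_inventory(comps))
    print("incomplete:", incomplete_components(comps))
```

Run against a real Syft SBOM with `syft <image> -o cyclonedx-json=sbom.cdx.json` and feed the file contents to `load_components`; a non-empty `incomplete_components` result is the signal that the image carries software the package cataloguers could not identify.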

Syft's Cosign and in-toto attestation integration — where SBOMs generated by Syft can be signed with Cosign and stored as OCI attestations alongside container images in OCI-compatible registries (Harbor, ECR, GCR, ACR) — enables APAC platform engineering teams to implement software supply chain attestation where every container image has a cryptographically signed SBOM that downstream consumers can verify. This attestation model addresses APAC enterprise and government procurement requirements for verifiable software supply chain transparency.

Syft's Kubernetes and CI/CD integration — available as a GitHub Actions action, a Tekton task, and a standalone binary compatible with any CI runner — enables APAC engineering teams to generate SBOMs at image build time as a routine pipeline step, archiving SBOMs alongside build artifacts in artifact repositories (JFrog Artifactory, Harbor) for post-deployment compliance and incident response workflows.
