
github.com/anchore/syft @v1.46.0 sqlite

5,995 symbols 27,200 edges 1,161 files 1,545 documented · 26% 3 cross-repo links
README
Syft

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

Features

[!TIP] New to Syft? Check out the Getting Started guide for a walkthrough!

Installation

The quickest way to get up and going:

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin

[!TIP] See Installation docs for more ways to get Syft, including Homebrew, Docker, Scoop, Chocolatey, Nix, and more!

The basics

See the packages within a container image or directory:

# container image
syft alpine:latest

# directory
syft ./my-project

To get an SBOM, specify one or more output formats:

# SBOM to stdout
syft <image> -o cyclonedx-json

# Multiple SBOMs to files
syft <image> -o spdx-json=./spdx.json -o cyclonedx-json=./cdx.json

[!TIP] Check out the Getting Started guide to explore all of the capabilities and features.

Want to know all of the ins-and-outs of Syft? Check out the CLI docs, configuration docs, and JSON schema.

Contributing

We encourage users to help make these tools better by submitting issues when they find a bug or want a new feature. Check out our contributing overview and developer-specific documentation if you are interested in providing code contributions.

Syft development is sponsored by Anchore, and is released under the Apache-2.0 License. The Syft logo by Anchore is licensed under CC BY 4.0.

For commercial support options with Syft or Grype, please contact Anchore.

Come talk to us!

The Syft Team holds regular community meetings online. All are welcome to join to bring topics for discussion.
- Check the calendar for the next meeting date.
- Add items to the agenda (join this group for write access to the agenda)
- See you there!

Extension points exported contracts — how you extend this code

Writer (Interface)
Writer an interface to write SBOMs to a destination [9 implementers]
syft/sbom/writer.go
FileOwner (Interface)
FileOwner is the interface that wraps OwnedFiles method. OwnedFiles returns a list of files that a piece of package Met [10 …
syft/pkg/file_owner.go
ContentResolver (Interface)
ContentResolver knows how to get file content for a given Location [15 implementers]
syft/file/resolver.go
Provider (Interface)
Provider is able to resolve a source request [5 implementers]
syft/source/provider.go
Identifiable (Interface)
(no doc) [20 implementers]
syft/artifact/id.go
Task (Interface)
Task is a function that can wrap a cataloger to populate the SBOM with data (coordinated through the mutex). [3 implementers]
internal/task/task.go
Manager (Interface)
Manager is responsible for managing cache data and instantiating all caches [2 implementers]
internal/cache/cache.go
Builder (Interface)
integrity check Builder provides a simple facade for simple additions to the SBOM [1 implementers]
internal/sbomsync/builder.go

Core symbols most depended-on inside this repo

NewLocation
called by 503
syft/file/location.go
NewLocationSet
called by 479
syft/file/location_set.go
NewLicenseSet
called by 282
syft/pkg/license_set.go
newTokenSelection
called by 207
internal/task/selection.go
WithFields
called by 205
internal/log/log.go
Contains
called by 182
syft/file/location_set.go
FileContentsVersionMatcher
called by 173
syft/pkg/cataloger/internal/binutils/classifier.go
SetID
called by 172
syft/pkg/package.go

Shape

Function 3,714
Method 1,310
Struct 816
TypeAlias 75
Interface 37
FuncType 28
Class 15

Languages

Go 99%
Python 1%
Java 1%

Modules by API surface

syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go · 48 symbols
syft/internal/fileresolver/unindexed_directory.go · 45 symbols
syft/format/common/spdxhelpers/to_syft_model_v3.go · 40 symbols
internal/capabilities/generate/merge.go · 40 symbols
syft/internal/fileresolver/filetree_resolver_test.go · 38 symbols
syft/pkg/cataloger/java/archive_parser.go · 35 symbols
syft/format/common/spdxhelpers/to_syft_model.go · 35 symbols
syft/pkg/cataloger/internal/pe/pe.go · 34 symbols
syft/create_sbom_config.go · 34 symbols
syft/pkg/cataloger/python/testdata/setup/dynamic-setup.py · 31 symbols
syft/pkg/cataloger/java/internal/maven/resolver.go · 31 symbols
cmd/syft/internal/commands/cataloger_info.go · 31 symbols

Used by 3 indexed graphs manifest dependencies, hub-wide

Dependencies from manifests, versioned

//github.com/ignore/this v9.9.9 · 1×
cel.dev/expr v0.25.1 · 1×
cloud.google.com/go v0.123.0 · 1×
cloud.google.com/go/auth/oauth2adapt v0.2.8 · 1×
cloud.google.com/go/compute/metadata v0.9.0 · 1×
cloud.google.com/go/monitoring v1.24.3 · 1×
cloud.google.com/go/storage v1.61.3 · 1×
dario.cat/mergo v1.0.2 · 1×
github.com/CycloneDX/cyclonedx-go v0.11.0 · 1×

Datastores touched

(mysql) Database · 1 repos

For agents

$ claude mcp add syft \
  -- python -m otcore.mcp_server <graph>
