
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
The Lens
Syft generates a software bill of materials (SBOM) from container images and filesystems: an inventory of the packages and dependencies it can identify inside, which is what you need before you can answer "are we affected by this new CVE?" It's open source, free, and fast.
It's a single Go binary. Point it at an image, a directory, or an archive and it writes the SBOM in whatever format you need: SPDX, CycloneDX, or its own native JSON. It pairs directly with Grype, its sibling scanner, which reads the SBOM and matches the packages in it against vulnerability databases, so the image does not have to be re-scanned for every new advisory. No infrastructure to run, and it drops straight into CI.
Syft and Grype are free and open source. Anchore, the company behind them, sells Anchore Enterprise: a platform with policy enforcement, a findings database, reporting, and support. For solo and small teams, the CLIs are all you need. For larger orgs with compliance requirements and many images, the enterprise platform adds the governance layer.
The catch: an SBOM is only as good as what the tooling can identify. Packages installed in unusual ways, vendored code, or custom builds can slip through. Syft catches the standard dependency graph well, but don't assume it sees literally everything in the image; spot-check its output against packages you know are installed.
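A CI gate built from the two CLIs described above, with a check for the caveat just mentioned. This is an added example, not code from the syft or grype projects or from the original page. It assumes syft and grype are on PATH, that the image is pullable from the CI runner, and that you pass package names you already know are in the image (the alpine names in the usage comment are placeholders); the output file name sbom.cdx.json is an arbitrary choice.

```shell
#!/bin/sh
# sbom-gate.sh: generate an SBOM with syft, assert it covers packages you know
# are present, then fail the build on High/Critical findings from grype.
# Usage (placeholder image and packages): ./sbom-gate.sh alpine:3.19 musl busybox
set -eu

# Write a CycloneDX JSON SBOM for the source in $1 (image ref, dir:/path,
# file:/path, ...) to the file named in $2.
generate_sbom() {
  syft "$1" -o cyclonedx-json > "$2"
}

# Sanity check for incomplete inventories: every package name passed after
# the SBOM path must appear as an exact "name" value in the CycloneDX JSON.
# Deliberately grep-based so it needs no jq; names are used as an extended
# regex, so escape metacharacters such as '+' in names like libc++.
require_packages() {
  sbom=$1; shift
  missing=0
  for pkg in "$@"; do
    if ! grep -Eq "\"name\":[[:space:]]*\"$pkg\"" "$sbom"; then
      echo "missing from SBOM: $pkg" >&2
      missing=1
    fi
  done
  return $missing
}

# Scan the SBOM (not the image) and exit non-zero on High or Critical.
scan_sbom() {
  grype "sbom:$1" --fail-on high
}

main() {
  image=$1; shift
  sbom=sbom.cdx.json
  generate_sbom "$image" "$sbom"
  require_packages "$sbom" "$@"
  scan_sbom "$sbom"
}

# Only run the pipeline when an image is given, so the functions can be
# sourced and exercised on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```

The require_packages step is what turns the "does it see everything?" caveat into a failing build rather than a silent gap: pick two or three packages per image that must be present (the base libc, the application runtime) and the gate catches an SBOM that came back thin because a cataloger did not recognise the install layout.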
Free vs Self-Hosted vs Paid
Self-hosted (free): Syft, under Apache-2.0, is a Go binary that generates an SBOM from images, directories, or archives in SPDX, CycloneDX, or its native JSON format. Pairs with Grype for vulnerability scanning. No infrastructure; drops into CI.
Anchore Enterprise (paid): A platform on top of Syft and Grype with policy enforcement, a findings database, reporting, and support.
The call: The CLIs cover solo and small teams completely. Enterprise is the governance layer for orgs with compliance requirements and lots of images.
Free and open source. Anchore Enterprise is the paid platform for policy, tracking, and support.
About
- Owner: Anchore, Inc. (Organization)
- Stars: 9,194
- Forks: 887