macOS
brew install syftlocal Homebrew formula metadata
brew
CLI for generating a Software Bill of Materials from container images. Version 1.46.0 via Homebrew; verified 2026-06-26.
install
brew install syftlocal Homebrew formula metadata
sudo apk add syftAlpine Linux edge package indexes · syft · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#syftnixpkgs package indexes · pkgs/by-name/sy/syft/package.nix · source: api.github.com
sudo pacman -S syftArch Linux sync databases · syft · source: geo.mirror.pkgbuild.com
sudo zypper install syftopenSUSE Tumbleweed package metadata · syft · source: download.opensuse.org
choco install syftChocolatey community package catalog · syft · source: community.chocolatey.org
scoop install main/syftScoop official bucket manifest trees · bucket/syft.json · source: api.github.com
winget install --id Anchore.Syft -eWindows Package Manager source index · Anchore.Syft · source: cdn.winget.microsoft.com
overview
CLI for generating a Software Bill of Materials from container images
history
Syft is Anchore's CLI tool and Go library for generating software bills of materials from container images, filesystems, archives, and related sources. It became a familiar supply-chain-security package because it turns SBOM generation into a one-command workflow with common package-manager distribution.
The upstream README describes Syft as an SBOM generator for container images and filesystems and emphasizes use with Anchore's Grype scanner. The project supports many package ecosystems, image formats, and SBOM formats, including CycloneDX, SPDX, and Syft JSON.
Syft is distributed through Homebrew, Chocolatey, Scoop, winget, Nix, Arch, Alpine, and openSUSE according to the input package facts, and its README points to official installation docs with Homebrew, Docker, Scoop, Chocolatey, Nix, and other methods. The GitHub project page shows a large public repository with thousands of stars and hundreds of forks.
Common usage is to scan a container image, filesystem, or archive and emit an SBOM in a requested format, then feed the result into vulnerability scanning, attestations, or policy workflows. The wiki covers configuration, supported sources, output formats, private registry authentication, templates, multiple outputs, and attestation.
Package nerds care because Syft catalogs package metadata across ecosystems: apk, dpkg, RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, .NET, and more. It is both a consumer of package-manager metadata and a package-manager-distributed security tool, which makes it central to modern SBOM and provenance workflows.
security posture
broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
./.syft.yaml./.syft/config.yaml~/.syft.yaml$XDG_CONFIG_HOME/syft/config.yamlexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
syft | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/anchore/syft
install metadata
| Package key | brew:syft |
|---|---|
| Version | 1.46.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/syft |
| Homepage | https://github.com/anchore/syft |
| Repository | https://github.com/anchore/syft |
| Upstream docs | https://github.com/anchore/syft/blob/main/README.md |
| License | Apache-2.0 |
| Source archive | https://github.com/anchore/syft/archive/refs/tags/v1.46.0.tar.gz |
| Last updated | 2026-06-26T11:02:58Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | syft |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
syft
nix profile install nixpkgs#syftsyft 1.42.4-r1
Generate a Software Bill of Materials (SBOM) from container images and filesystems
https://github.com/anchore/syft
sudo apk add syftsyft-bash-completion 1.42.4-r1
Bash completions for syft
https://github.com/anchore/syft
sudo apk add syft-bash-completionsyft-fish-completion 1.42.4-r1
Fish completions for syft
https://github.com/anchore/syft
sudo apk add syft-fish-completionsyft-zsh-completion 1.42.4-r1
Zsh completions for syft
https://github.com/anchore/syft
sudo apk add syft-zsh-completionsyft 1.44.0-1
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
https://github.com/anchore/syft
sudo pacman -S syftsyft 1.45.0-1.1
CLI tool and library for generating a Software Bill of Materials
https://github.com/anchore/syft
sudo zypper install syftsyft-bash-completion 1.45.0-1.1
Bash Completion for syft
https://github.com/anchore/syft
sudo zypper install syft-bash-completionsyft-fish-completion 1.45.0-1.1
Fish Completion for syft
https://github.com/anchore/syft
sudo zypper install syft-fish-completionsyft-zsh-completion 1.45.0-1.1
Zsh Completion for syft
https://github.com/anchore/syft
sudo zypper install syft-zsh-completionsyft
choco install syftmain/syft
scoop install main/syftAnchore.Syft
winget install --id Anchore.Syft -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.