Automic VaultAutomic Vault

brew

Install syft with Homebrew, apk, chocolatey, Nix, pacman, scoop, winget, zypper

CLI for generating a Software Bill of Materials from container images. Version 1.46.0 via Homebrew; verified 2026-06-26.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install syft

local Homebrew formula metadata

Linux

Alpine Linux apkverified · 92%
sudo apk add syft

Alpine Linux edge package indexes · syft · source: dl-cdn.alpinelinux.org

Nixverified · 92%
nix profile install nixpkgs#syft

nixpkgs package indexes · pkgs/by-name/sy/syft/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S syft

Arch Linux sync databases · syft · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install syft

openSUSE Tumbleweed package metadata · syft · source: download.opensuse.org

overview

Package summary

CLI for generating a Software Bill of Materials from container images

Commands and aliases

  • syft

history

Project history and usage

Syft is Anchore's CLI tool and Go library for generating software bills of materials from container images, filesystems, archives, and related sources. It became a familiar supply-chain-security package because it turns SBOM generation into a one-command workflow with common package-manager distribution.

Project history

The upstream README describes Syft as an SBOM generator for container images and filesystems and emphasizes use with Anchore's Grype scanner. The project supports many package ecosystems, image formats, and SBOM formats, including CycloneDX, SPDX, and Syft JSON.

Adoption history

Syft is distributed through Homebrew, Chocolatey, Scoop, winget, Nix, Arch, Alpine, and openSUSE according to the input package facts, and its README points to official installation docs with Homebrew, Docker, Scoop, Chocolatey, Nix, and other methods. The GitHub project page shows a large public repository with thousands of stars and hundreds of forks.

How it is used

Common usage is to scan a container image, filesystem, or archive and emit an SBOM in a requested format, then feed the result into vulnerability scanning, attestations, or policy workflows. The wiki covers configuration, supported sources, output formats, private registry authentication, templates, multiple outputs, and attestation.

Why package nerds care

Package nerds care because Syft catalogs package metadata across ecosystems: apk, dpkg, RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, .NET, and more. It is both a consumer of package-manager metadata and a package-manager-distributed security tool, which makes it central to modern SBOM and provenance workflows.

Timeline

  • v0.1.0 era: The upstream repository exposes early v0.1.x release tags.
  • 2024: The GitHub wiki home page was edited November 1, 2024 and organizes Syft docs around installation, supported sources, output formats, private registry authentication, attestation, and configuration.
  • Current README era: The upstream README points new users to official Syft docs and documents supported ecosystems, image formats, and SBOM formats.

Related projects

  • Related Anchore projects include Grype for vulnerability scanning. Related standards and formats include SPDX, CycloneDX, in-toto attestations, OCI/Docker images, and package metadata from many language and OS ecosystems.

security posture

Risk level: orange

broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • broad file, network, media, or database tool signal
  • infrastructure mutation or orchestration signal

Signals

  • text:container
  • text:image

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
./.syft.yaml./.syft/config.yaml~/.syft.yaml$XDG_CONFIG_HOME/syft/config.yaml

executables

Installed executables

CommandKindExposureNote
syftcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.46.0
manager updated2026-06-26
local dataok
upstreamcurrent
latest detectedv1.46.0

https://github.com/anchore/syft

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:syft
Version1.46.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/syft
Homepagehttps://github.com/anchore/syft
Repositoryhttps://github.com/anchore/syft
Upstream docshttps://github.com/anchore/syft/blob/main/README.md
LicenseApache-2.0
Source archivehttps://github.com/anchore/syft/archive/refs/tags/v1.46.0.tar.gz
Last updated2026-06-26T11:02:58Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namesyft
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

syft

nix profile install nixpkgs#syft
  • normalized package name match
  • Matched by: Syft
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/sy/syft/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

syft 1.42.4-r1

Generate a Software Bill of Materials (SBOM) from container images and filesystems

https://github.com/anchore/syft

sudo apk add syft
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: syft
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Syft
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: syft from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

syft-bash-completion 1.42.4-r1

Bash completions for syft

https://github.com/anchore/syft

sudo apk add syft-bash-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: syft
  • normalized package name match
  • Matched by: Syft
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: syft-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

syft-fish-completion 1.42.4-r1

Fish completions for syft

https://github.com/anchore/syft

sudo apk add syft-fish-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: syft
  • normalized package name match
  • Matched by: Syft
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: syft-fish-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

syft-zsh-completion 1.42.4-r1

Zsh completions for syft

https://github.com/anchore/syft

sudo apk add syft-zsh-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: syft
  • normalized package name match
  • Matched by: Syft
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: syft-zsh-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
pacman95%

syft 1.44.0-1

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

https://github.com/anchore/syft

sudo pacman -S syft
  • License: Apache-2.0
  • Architecture: x86_64
  • 1 dependencies
  • normalized package name match
  • Matched by: Syft
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: syft from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

syft 1.45.0-1.1

CLI tool and library for generating a Software Bill of Materials

https://github.com/anchore/syft

sudo zypper install syft
  • License: Apache-2.0
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: syft
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Syft
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: syft from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

syft-bash-completion 1.45.0-1.1

Bash Completion for syft

https://github.com/anchore/syft

sudo zypper install syft-bash-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: syft
  • 2 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Syft
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: syft-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

syft-fish-completion 1.45.0-1.1

Fish Completion for syft

https://github.com/anchore/syft

sudo zypper install syft-fish-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: syft
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Syft
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: syft-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

syft-zsh-completion 1.45.0-1.1

Zsh Completion for syft

https://github.com/anchore/syft

sudo zypper install syft-zsh-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: syft
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Syft
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: syft-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
Chocolatey95%

syft

choco install syft
  • normalized package name match
  • Matched by: Syft
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: syft from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','superputty'
Scoop95%

main/syft

scoop install main/syft
  • normalized package name match
  • Matched by: Syft
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/syft.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

Anchore.Syft

winget install --id Anchore.Syft -e
  • normalized package name match
  • Matched by: Syft
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: Anchore.Syft from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment