# Install syft with Homebrew, apk, chocolatey, Nix, pacman, scoop, winget, zypper

CLI for generating a Software Bill of Materials from container images. Version 1.46.0 via Homebrew; verified 2026-06-26.

## Install

```sh
sudo av install brew:syft
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install syft
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add syft
```

  Evidence: Alpine Linux edge package indexes: syft from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#syft
```

  Evidence: nixpkgs package indexes: pkgs/by-name/sy/syft/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S syft
```

  Evidence: Arch Linux sync databases: syft from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install syft
```

  Evidence: openSUSE Tumbleweed package metadata: syft from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Chocolatey (92%):

```sh
choco install syft
```

  Evidence: Chocolatey community package catalog: syft from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','superputty'

- Scoop (92%):

```sh
scoop install main/syft
```

  Evidence: Scoop official bucket manifest trees: bucket/syft.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id Anchore.Syft -e
```

  Evidence: Windows Package Manager source index: Anchore.Syft from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:syft
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/syft>
- **Version:** 1.46.0
- **Source summary:** CLI for generating a Software Bill of Materials from container images
- **Homepage:** <https://github.com/anchore/syft>
- **Repository:** <https://github.com/anchore/syft>
- **Upstream docs:** <https://github.com/anchore/syft/blob/main/README.md>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/anchore/syft/archive/refs/tags/v1.46.0.tar.gz>
- **Last updated:** 2026-06-26T11:02:58Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- syft (cli)
- syft (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.46.0
- Package-manager updated: 2026-06-26
- Local data: ok
- Upstream repository: https://github.com/anchore/syft
- Upstream latest detected: v1.46.0 (current)
## Project history and usage

Syft is Anchore's CLI tool and Go library for generating software bills of materials from container images, filesystems, archives, and related sources. It became a familiar supply-chain-security package because it turns SBOM generation into a one-command workflow with common package-manager distribution.

### Project history

The upstream README describes Syft as an SBOM generator for container images and filesystems and emphasizes use with Anchore's Grype scanner. The project supports many package ecosystems, image formats, and SBOM formats, including CycloneDX, SPDX, and Syft JSON.

### Adoption history

Syft is distributed through Homebrew, Chocolatey, Scoop, winget, Nix, Arch, Alpine, and openSUSE according to the input package facts, and its README points to official installation docs with Homebrew, Docker, Scoop, Chocolatey, Nix, and other methods. The GitHub project page shows a large public repository with thousands of stars and hundreds of forks.

### How it is used

Common usage is to scan a container image, filesystem, or archive and emit an SBOM in a requested format, then feed the result into vulnerability scanning, attestations, or policy workflows. The wiki covers configuration, supported sources, output formats, private registry authentication, templates, multiple outputs, and attestation.

### Why package nerds care

Package nerds care because Syft catalogs package metadata across ecosystems: apk, dpkg, RPM, Go, Python, Java, JavaScript, Ruby, Rust, PHP, .NET, and more. It is both a consumer of package-manager metadata and a package-manager-distributed security tool, which makes it central to modern SBOM and provenance workflows.

### Timeline

- v0.1.0 era: The upstream repository exposes early v0.1.x release tags.
- 2024: The GitHub wiki home page was edited November 1, 2024 and organizes Syft docs around installation, supported sources, output formats, private registry authentication, attestation, and configuration.
- Current README era: The upstream README points new users to official Syft docs and documents supported ecosystems, image formats, and SBOM formats.

### Related projects

- Related Anchore projects include Grype for vulnerability scanning. Related standards and formats include SPDX, CycloneDX, in-toto attestations, OCI/Docker images, and package metadata from many language and OS ecosystems.

### Sources

- <https://github.com/anchore/syft>
- <https://github.com/anchore/syft/blob/main/README.md>
- <https://github.com/anchore/syft/wiki>
- <https://oss.anchore.com/syft/>
- source_facts.executables
- source_facts.package-manager


## Security Notes

broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- broad file, network, media, or database tool signal
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ./.syft.yaml, ./.syft/config.yaml, ~/.syft.yaml, $XDG_CONFIG_HOME/syft/config.yaml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** syft
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - syft: normalized package name match | nixpkgs package indexes: pkgs/by-name/sy/syft/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - syft - 1.42.4-r1: normalized package name match | Alpine Linux edge package indexes: syft from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Generate a Software Bill of Materials (SBOM) from container images and filesystems | https://github.com/anchore/syft
- apk - syft-bash-completion - 1.42.4-r1: normalized package name match | Alpine Linux edge package indexes: syft-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Bash completions for syft | https://github.com/anchore/syft
- apk - syft-fish-completion - 1.42.4-r1: normalized package name match | Alpine Linux edge package indexes: syft-fish-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Fish completions for syft | https://github.com/anchore/syft
- apk - syft-zsh-completion - 1.42.4-r1: normalized package name match | Alpine Linux edge package indexes: syft-zsh-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Zsh completions for syft | https://github.com/anchore/syft
- pacman - syft - 1.44.0-1: normalized package name match | Arch Linux sync databases: syft from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | CLI tool and library for generating a Software Bill of Materials from container images and filesystems | https://github.com/anchore/syft
- zypper - syft - 1.45.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: syft from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | CLI tool and library for generating a Software Bill of Materials | https://github.com/anchore/syft
- zypper - syft-bash-completion - 1.45.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: syft-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Bash Completion for syft | https://github.com/anchore/syft
- zypper - syft-fish-completion - 1.45.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: syft-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Fish Completion for syft | https://github.com/anchore/syft
- zypper - syft-zsh-completion - 1.45.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: syft-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Zsh Completion for syft | https://github.com/anchore/syft
- Chocolatey - syft: normalized package name match | Chocolatey community package catalog: syft from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','superputty'
- Scoop - main/syft: normalized package name match | Scoop official bucket manifest trees: bucket/syft.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - Anchore.Syft: normalized package name match | Windows Package Manager source index: Anchore.Syft from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [cdxgen](https://www.automicvault.com/pkg/brew/cdxgen/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [chainloop-cli](https://www.automicvault.com/pkg/brew/chainloop-cli/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [cyclonedx-gomod](https://www.automicvault.com/pkg/brew/cyclonedx-gomod/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [cyclonedx-python](https://www.automicvault.com/pkg/brew/cyclonedx-python/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [phylum-cli](https://www.automicvault.com/pkg/brew/phylum-cli/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [sbom-tool](https://www.automicvault.com/pkg/brew/sbom-tool/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [tern](https://www.automicvault.com/pkg/brew/tern/) - Shares av.db curated category or tags: cli, containers, sbom, security, software-supply-chain.

## Combined YAML source

View the package source record on GitHub. [combined/syft.yml](https://github.com/automic-vault/db/blob/main/combined/syft.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
