
Linux command

syft command


After copying, replace file names, directories, or parameters as needed.

Common examples

Generate SBOM for container image

syft [alpine:latest]

Generate SBOM in JSON format

syft [alpine:latest] -o json

Generate CycloneDX format SBOM

syft [alpine:latest] -o cyclonedx-json

Generate SPDX format SBOM

syft [alpine:latest] -o spdx-json

Scan a local directory

syft dir:[/path/to/project]

Scan a Docker archive

syft docker-archive:[image.tar]

Output multiple formats

syft [image] -o spdx-json=[sbom.spdx.json] -o cyclonedx-json=[sbom.cdx.json]

Description

syft is a CLI tool for generating Software Bill of Materials (SBOM) from container images and filesystems. It identifies packages, libraries, and dependencies across multiple ecosystems. Supported ecosystems include container images (Docker, OCI, Podman, Singularity), programming languages (Java, Python, JavaScript, Ruby, Go, Rust, .NET), and Linux distributions (Alpine, Debian, RHEL, and more). Output formats include industry standards like CycloneDX and SPDX for compliance requirements, as well as native formats for integration with Anchore tools. Generated SBOMs can be used with vulnerability scanners like Grype.

Parameters

-o, --output _format_
Output format: syft-table, syft-json, cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, github-json.
-s, --scope _scope_
Layer selection: squashed (default), all-layers, deep-squashed.
--platform _platform_
Platform for container images (e.g., linux/arm64).
--source-name _name_
Set name of target being analyzed.
--source-version _version_
Set version of target being analyzed.
--file _path_
Write output to file instead of stdout.
--from _source_
Explicitly specify the source type (e.g., docker, registry, dir).
-t, --template _file_
Path to Go template file for custom output.
-q, --quiet
Suppress all logging output.
-v, --verbose
Increase verbosity (-v = info, -vv = debug).
--select-catalogers _list_
Add, remove, and filter catalogers.
--exclude _glob_
Exclude paths from scanning (can be repeated).
-c, --config _file_
Path to configuration file.
-h, --help
Display help information.
--version
Display version information.
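An added example, not taken from the original page or from the syft project, that combines the options listed above into one CI-style step: it generates SPDX and CycloneDX SBOMs for a container image with syft (all layers, labelled with a source name and version, written to files via the `-o format=file` form shown in the examples) and, when grype is installed, scans the SPDX SBOM. The image name `registry.example/app:1.0`, the `./sbom` output directory and the grype invocation (`sbom:` source, `--fail-on` threshold) are assumptions; the small helper functions exist so the argument construction can be checked without syft being installed.

```shell
#!/bin/sh
# Added example (not part of the original page or the syft project).
# Usage:  sh sbom.sh run            (uses the defaults below)
#         IMAGE=myreg/app:2.3 OUTDIR=out sh sbom.sh run
set -eu

# Constructed placeholders; override via environment variables.
IMAGE=${IMAGE:-registry.example/app:1.0}
OUTDIR=${OUTDIR:-./sbom}

# Split "name:tag" into its parts. %:* strips from the LAST colon, so a
# registry port such as localhost:5000/app:1.0 is kept in the name.
# Images given without a tag are assumed to mean "latest".
image_name() { printf '%s\n' "${1%:*}"; }
image_tag() {
    case $1 in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   printf '%s\n' latest ;;
    esac
}

# Map a syft output format to the file it will be written to.
sbom_file() {
    case $1 in
        spdx-json)      printf '%s\n' "$2/sbom.spdx.json" ;;
        cyclonedx-json) printf '%s\n' "$2/sbom.cdx.json" ;;
        *) echo "unsupported format: $1" >&2; return 1 ;;
    esac
}

# Build one "-o format=file" value (syft accepts -o several times).
output_flag() { printf '%s\n' "$1=$(sbom_file "$1" "$2")"; }

# Run syft. --scope all-layers also records packages that a later layer
# deleted (e.g. build tools removed in a final stage), which the default
# squashed view hides; --source-name/--source-version label the SBOM so
# downstream tools know which artifact it describes.
generate_sbom() {
    image=$1; outdir=$2
    mkdir -p "$outdir"
    syft "$image" \
        --scope all-layers \
        --source-name "$(image_name "$image")" \
        --source-version "$(image_tag "$image")" \
        -o "$(output_flag spdx-json "$outdir")" \
        -o "$(output_flag cyclonedx-json "$outdir")" \
        -q
}

# Scan a generated SBOM with grype (assumed installed); non-zero exit when a
# finding at or above SEVERITY exists, so the CI job fails.
scan_sbom() {
    grype "sbom:$1" --fail-on "${SEVERITY:-high}"
}

if [ "${1:-}" = "run" ]; then
    generate_sbom "$IMAGE" "$OUTDIR"
    if command -v grype >/dev/null 2>&1; then
        scan_sbom "$(sbom_file spdx-json "$OUTDIR")"
    else
        echo "grype not installed; SBOMs written to $OUTDIR" >&2
    fi
fi
```

Keeping both formats is deliberate: SPDX is what many compliance pipelines expect, while CycloneDX is what most vulnerability tooling consumes; generating them in one syft run guarantees they describe the same scan.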

FAQ

What is the syft command used for?

syft is a CLI tool for generating Software Bill of Materials (SBOM) from container images and filesystems. It identifies packages, libraries, and dependencies across multiple ecosystems. Supported ecosystems include container images (Docker, OCI, Podman, Singularity), programming languages (Java, Python, JavaScript, Ruby, Go, Rust, .NET), and Linux distributions (Alpine, Debian, RHEL, and more). Output formats include industry standards like CycloneDX and SPDX for compliance requirements, as well as native formats for integration with Anchore tools. Generated SBOMs can be used with vulnerability scanners like Grype.

How do I run a basic syft example?

Run `syft [alpine:latest]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does -o, --output _format_ do in syft?

Output format: syft-table, syft-json, cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, github-json.