SBOM Generation with Syft: A Beginner’s Tutorial
Jul 06, 2026 3 Min Read 50 Views
(Last Updated)
Do you know every library inside your Docker image right now? Most developers do not. That is exactly the problem a Software Bill of Materials (SBOM) solves. This SBOM generation with Syft tutorial shows you how to create a complete, machine-readable inventory of your software in minutes, scan a project directory, scan a container image, choose the right output format, and automate it in CI/CD.
Table of contents
- TL;DR Summary
- What is an SBOM and Why Does It Matter?
- Why Syft for SBOM Generation?
- SBOM Generation with Syft: Installation
- Scanning a Directory
- Scanning a Container Image
- CycloneDX vs SPDX: Which Format to Use?
- Adding SBOM Generation to GitHub Actions
- 💡 Did You Know?
- Common Mistakes to Avoid
- Conclusion
- FAQs
- What is SBOM generation with Syft?
- Is Syft free?
- What formats does Syft output?
- What is the difference between CycloneDX and SPDX?
- Can Syft scan private container images?
TL;DR Summary
- SBOM generation with Syft takes under 5 minutes to set up and gives you a full inventory of every package inside any project or container image.
- Syft is a free, open-source tool by Anchore that outputs SBOMs in CycloneDX or SPDX format with a single command.
- Use CycloneDX for security-focused workflows. Use SPDX for license compliance.
- Once you have an SBOM, pair it with Grype to find known vulnerabilities across every listed component.
- SBOM generation is now a legal requirement for software sold to the US federal government and for high-risk AI systems under the EU AI Act.
What is an SBOM and Why Does It Matter?
An SBOM is a complete list of every component inside a piece of software including libraries, versions, and licenses. Think of it like a nutritional label for your code.
When Log4Shell hit in 2021, teams scrambled for days just to find out whether they were affected. With an SBOM already generated, that question becomes a five-second search. SBOM generation is now a legal requirement for software sold to US government agencies and for high-risk AI systems under the EU AI Act’s 2026 deadline.
Why Syft for SBOM Generation?
Syft is a dedicated SBOM tool by Anchore, not a scanner that happens to produce SBOMs as a side effect. It works across container images, filesystem directories, and over 30 language ecosystems including Go, Java, Python, JavaScript, Rust, and .NET. It outputs both CycloneDX and SPDX as a single binary with no runtime dependencies.
Supply chain security and DevSecOps are among the fastest-growing skill areas in 2026. HCL GUVI’s DevOps Course covers CI/CD pipelines, Docker, container security, and automation with real-world projects and NSDC certification.
SBOM Generation with Syft: Installation
- macOS: brew install syft
- Linux: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s — -b /usr/local/bin
- Docker: docker pull anchore/syft:latest
Confirm with syft version.
Scanning a Directory
Navigate to your project and run:
syft scan dir:. -o cyclonedx-json=sbom.json
Syft reads your manifest files (package.json, requirements.txt, pom.xml, go.sum) and writes a CycloneDX SBOM to sbom.json. Check it worked with jq ‘.components | length’ sbom.json. Any number above zero confirms real components were found.
Scanning a Container Image
SBOM generation with Syft shines on container images because it inspects layers a directory scan would miss.
syft scan nginx:latest -o cyclonedx-json=nginx-sbom.json
syft scan myapp:latest -o spdx-json=myapp-sbom.spdx.json
Syft works with images from registries, tarballs, the Docker daemon, and OCI archives produced by Skopeo.
CycloneDX vs SPDX: Which Format to Use?
Both are widely supported standards. The choice depends on what you are doing with the SBOM.
| Format | Best For | Maintained By |
| CycloneDX | Security, vulnerability management, VEX | OWASP Foundation |
| SPDX | License compliance, software supply chain audits | Linux Foundation |
Choose CycloneDX for security-focused use cases and SPDX for license compliance focus. For EU CRA compliance via BSI TR-03183-2, you need CycloneDX 1.6 or later, or SPDX 3.0.1 or later.
If in doubt, generate both at once:
syft scan dir:. -o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json
Adding SBOM Generation to GitHub Actions
Automating SBOM generation with Syft on every release is the highest-value step in this whole workflow. Add this to .github/workflows/sbom.yml:
name: Generate SBOM
on:
push:
branches: [main]
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
path: .
format: cyclonedx-json
output-file: sbom.json
- uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.json
This approach handles generation and uploads the SBOM as a release artifact automatically, with no manual steps required after merging.
💡 Did You Know?
- In March 2026, Trivy was compromised in a coordinated supply chain attack that cascaded into downstream projects. The security community responded by recommending Syft as the primary alternative for SBOM generation in CI/CD pipelines. This is a strong reminder that the tool you use for supply chain security must itself be trusted.
Common Mistakes to Avoid
- Scanning before installing dependencies. Syft reads manifest files and lock files. If you scan a JavaScript project before running npm install, the node_modules folder does not exist and Syft will generate an incomplete SBOM. Always run your package manager first.
- Generating an SBOM and then never using it. An SBOM sitting in a folder does nothing. Pair it with Grype by running grype sbom:sbom.json to scan it for known vulnerabilities immediately after generation.
- Only scanning source directories, not container images. Your Docker image often contains packages from the base image that never appear in your source manifests. Always scan the final container image for a complete picture.
Conclusion
SBOM generation with Syft gives you a complete, machine-readable inventory of every component in your project or container image in a single command. Use CycloneDX for security workflows, SPDX for compliance, or generate both. Automate it in GitHub Actions so every release ships with an SBOM as a built artifact. Then scan it with Grype to catch vulnerabilities before they reach production.
FAQs
1. What is SBOM generation with Syft?
Using Syft’s CLI to create a machine-readable inventory of every package inside a project directory or container image in CycloneDX or SPDX format.
2. Is Syft free?
Yes. Syft is fully open-source under Apache 2.0 with no paid tier required.
3. What formats does Syft output?
CycloneDX JSON, CycloneDX XML, SPDX JSON, SPDX tag-value, and native Syft JSON. Generate multiple formats in one command with multiple -o flags.
4. What is the difference between CycloneDX and SPDX?
CycloneDX is optimised for security and vulnerability workflows. SPDX is optimised for license compliance and supply chain audits.
5. Can Syft scan private container images?
Yes. Syft reads credentials from your Docker config or environment variables, the same way your Docker CLI authenticates.



Did you enjoy this article?