{"id":119087,"date":"2026-07-06T10:58:14","date_gmt":"2026-07-06T05:28:14","guid":{"rendered":"https:\/\/www.guvi.in\/blog\/?p=119087"},"modified":"2026-07-06T10:58:16","modified_gmt":"2026-07-06T05:28:16","slug":"sbom-generation-with-syft","status":"publish","type":"post","link":"https:\/\/www.guvi.in\/blog\/sbom-generation-with-syft\/","title":{"rendered":"SBOM Generation with Syft: A Beginner&#8217;s Tutorial"},"content":{"rendered":"\n<p>Do you know every library inside your Docker image right now? Most developers do not. That is exactly the problem a Software Bill of Materials (SBOM) solves. This SBOM generation with Syft tutorial shows you how to create a complete, machine-readable inventory of your software in minutes, scan a project directory, scan a container image, choose the right output format, and automate it in CI\/CD.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>TL;DR Summary<\/strong><\/h2>\n\n\n\n<ul>\n<li>SBOM generation with Syft takes under 5 minutes to set up and gives you a full inventory of every package inside any project or container image.<\/li>\n\n\n\n<li>Syft is a free, open-source tool by Anchore that outputs SBOMs in CycloneDX or SPDX format with a single command.<\/li>\n\n\n\n<li>Use CycloneDX for security-focused workflows. Use SPDX for license compliance.<\/li>\n\n\n\n<li>Once you have an SBOM, pair it with Grype to find known vulnerabilities across every listed component.<\/li>\n\n\n\n<li>SBOM generation is now a legal requirement for software sold to the US federal government and for high-risk AI systems under the EU AI Act.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is an SBOM and Why Does It Matter?<\/strong><\/h2>\n\n\n\n<p>An SBOM is a complete list of every component inside a piece of software including libraries, versions, and licenses. Think of it like a nutritional label for your code.<\/p>\n\n\n\n<p>When Log4Shell hit in 2021, teams scrambled for days just to find out whether they were affected. With an SBOM already generated, that question becomes a five-second search. SBOM generation is now a legal requirement for software sold to US government agencies and for high-risk AI systems under the EU AI Act&#8217;s 2026 deadline.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why Syft for SBOM Generation?<\/strong><\/h2>\n\n\n\n<p>Syft is a dedicated SBOM tool by Anchore, not a scanner that happens to produce SBOMs as a side effect. It works across container images, filesystem directories, and over 30 language ecosystems including Go, Java, Python, JavaScript, Rust, and .NET. It outputs both CycloneDX and SPDX as a single binary with no runtime dependencies.<\/p>\n\n\n\n<p>Supply chain security and DevSecOps are among the fastest-growing skill areas in 2026. HCL GUVI&#8217;s<a href=\"https:\/\/www.guvi.in\/zen-class\/devops-course\/?utm_source=blog&amp;utm_medium=hyperlink&amp;utm_campaign=sbom-generation-with-syft-tutorial\" target=\"_blank\" rel=\"noreferrer noopener\"> DevOps Course<\/a> covers CI\/CD pipelines, Docker, container security, and automation with real-world projects and NSDC certification.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>SBOM Generation with Syft: Installation<\/strong><\/h2>\n\n\n\n<ul>\n<li><strong>macOS:<\/strong> <strong>brew install syft<\/strong><\/li>\n\n\n\n<li><strong>Linux:<\/strong> <strong>curl -sSfL https:\/\/raw.githubusercontent.com\/anchore\/syft\/main\/install.sh | sh -s &#8212; -b \/usr\/local\/bin<\/strong><\/li>\n\n\n\n<li><strong>Docker:<\/strong> <strong>docker pull anchore\/syft:latest<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Confirm with <strong>syft version<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Scanning a Directory<\/strong><\/h2>\n\n\n\n<p>Navigate to your project and run:<\/p>\n\n\n\n<p><strong>syft scan dir:. -o cyclonedx-json=sbom.json<\/strong><\/p>\n\n\n\n<p>Syft reads your manifest files (package.json, requirements.txt, pom.xml, go.sum) and writes a CycloneDX SBOM to sbom.json. Check it worked with <strong>jq &#8216;.components | length&#8217; sbom.json<\/strong>. Any number above zero confirms real components were found.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Scanning a Container Image<\/strong><\/h2>\n\n\n\n<p>SBOM generation with Syft shines on container images because it inspects layers a directory scan would miss.<\/p>\n\n\n\n<p><strong>syft scan nginx:latest -o cyclonedx-json=nginx-sbom.json<\/strong><\/p>\n\n\n\n<p><strong>syft scan myapp:latest -o spdx-json=myapp-sbom.spdx.json<\/strong><\/p>\n\n\n\n<p>Syft works with images from registries, tarballs, the <a href=\"https:\/\/www.guvi.in\/blog\/what-is-docker-in-devops\/\" target=\"_blank\" rel=\"noreferrer noopener\">Docker<\/a> daemon, and OCI archives produced by Skopeo.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CycloneDX vs SPDX: Which Format to Use?<\/strong><\/h2>\n\n\n\n<p>Both are widely supported standards. The choice depends on what you are doing with the SBOM.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Format<\/strong><\/td><td><strong>Best For<\/strong><\/td><td><strong>Maintained By<\/strong><\/td><\/tr><tr><td>CycloneDX<\/td><td>Security, vulnerability management, VEX<\/td><td>OWASP Foundation<\/td><\/tr><tr><td>SPDX<\/td><td>License compliance, software supply chain audits<\/td><td>Linux Foundation<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Choose CycloneDX for security-focused use cases and SPDX for license compliance focus. For EU CRA compliance via BSI TR-03183-2, you need CycloneDX 1.6 or later, or SPDX 3.0.1 or later.<\/p>\n\n\n\n<p>If in doubt, generate both at once:<\/p>\n\n\n\n<p><strong>syft scan dir:. -o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Adding SBOM Generation to GitHub Actions<\/strong><\/h2>\n\n\n\n<p>Automating SBOM generation with Syft on every release is the highest-value step in this whole workflow. Add this to <strong>.github\/workflows\/sbom.yml<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>name: Generate SBOM\non:\n  push:\n    branches: &#91;main]\njobs:\n  sbom:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n      - name: Generate SBOM\n        uses: anchore\/sbom-action@v0\n        with:\n          path: .\n          format: cyclonedx-json\n          output-file: sbom.json\n      - uses: actions\/upload-artifact@v4\n        with:\n          name: sbom\n          path: sbom.json\n<\/code><\/pre>\n\n\n\n<p>This approach handles generation and uploads the SBOM as a release artifact automatically, with no manual steps required after merging.<\/p>\n\n\n\n<div style=\"background-color: #099f4e; border: 3px solid #110053; border-radius: 12px; padding: 18px 22px; color: #FFFFFF; font-size: 18px; font-family: Montserrat, Helvetica, sans-serif; line-height: 1.6; box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15); max-width: 750px; margin: 22px auto;\">\n  <h3 style=\"margin-top: 0; font-size: 22px; font-weight: 700; color: #ffffff;\">\ud83d\udca1 Did You Know?<\/h3>\n  <ul style=\"padding-left: 20px; margin: 10px 0;\">\n    <li>In March 2026, Trivy was compromised in a coordinated supply chain attack that cascaded into downstream projects. The security community responded by recommending Syft as the primary alternative for SBOM generation in CI\/CD pipelines. This is a strong reminder that the tool you use for supply chain security must itself be trusted.<\/li>\n  <\/ul>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Common Mistakes to Avoid<\/strong><\/h2>\n\n\n\n<ul>\n<li><strong>Scanning before installing dependencies.<\/strong> Syft reads manifest files and lock files. If you scan a JavaScript project before running npm install, the node_modules folder does not exist and Syft will generate an incomplete SBOM. Always run your package manager first.<\/li>\n\n\n\n<li><strong>Generating an SBOM and then never using it.<\/strong> An SBOM sitting in a folder does nothing. Pair it with Grype by running <strong>grype sbom:sbom.json<\/strong> to scan it for known vulnerabilities immediately after generation.<\/li>\n\n\n\n<li><strong>Only scanning source directories, not container images.<\/strong> Your Docker image often contains packages from the base image that never appear in your source manifests. Always scan the final container image for a complete picture.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>SBOM generation with Syft gives you a complete, machine-readable inventory of every component in your project or container image in a single command. Use CycloneDX for security workflows, SPDX for compliance, or generate both. Automate it in GitHub Actions so every release ships with an SBOM as a built artifact. Then scan it with Grype to catch vulnerabilities before they reach production.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>FAQs<\/strong><\/h2>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1782389031181\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>1. What is SBOM generation with Syft?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Using Syft&#8217;s CLI to create a machine-readable inventory of every package inside a project directory or container image in CycloneDX or SPDX format.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782389053371\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>2. Is Syft free?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes. Syft is fully open-source under Apache 2.0 with no paid tier required.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782389077467\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>3. What formats does Syft output?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>CycloneDX JSON, CycloneDX XML, SPDX JSON, SPDX tag-value, and native Syft JSON. Generate multiple formats in one command with multiple <strong>-o<\/strong> flags.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782389097224\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>4. What is the difference between CycloneDX and SPDX?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>CycloneDX is optimised for security and vulnerability workflows. SPDX is optimised for license compliance and supply chain audits.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1782389114246\" class=\"rank-math-list-item\">\n<h3 class=\"rank-math-question \"><strong>5. Can Syft scan private container images?<\/strong><\/h3>\n<div class=\"rank-math-answer \">\n\n<p>Yes. Syft reads credentials from your Docker config or environment variables, the same way your Docker CLI authenticates.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Do you know every library inside your Docker image right now? Most developers do not. That is exactly the problem a Software Bill of Materials (SBOM) solves. This SBOM generation with Syft tutorial shows you how to create a complete, machine-readable inventory of your software in minutes, scan a project directory, scan a container image, [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":120934,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[621],"tags":[],"views":"50","authorinfo":{"name":"Jebasta","url":"https:\/\/www.guvi.in\/blog\/author\/jebasta\/"},"thumbnailURL":"https:\/\/www.guvi.in\/blog\/wp-content\/uploads\/2026\/07\/SBOM-Generation-with-Syft-300x116.webp","_links":{"self":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/119087"}],"collection":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/comments?post=119087"}],"version-history":[{"count":2,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/119087\/revisions"}],"predecessor-version":[{"id":120939,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/posts\/119087\/revisions\/120939"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/media\/120934"}],"wp:attachment":[{"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/media?parent=119087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/categories?post=119087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.guvi.in\/blog\/wp-json\/wp\/v2\/tags?post=119087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}