Syft is an open-source command-line tool used to analyze container images and filesystems to generate a Software Bill of Materials (SBOM). An SBOM is a comprehensive list of all software components, libraries, and dependencies in a project, image, or filesystem. This tutorial shows how to install Syft on Ubuntu 24.04.
Install Syft
Check the latest release version tag for Syft and assign it to a variable:
SYFT_VERSION=$(curl -s "https://api.github.com/repos/anchore/syft/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+')
Download the Syft archive from the GitHub releases page:
wget -qO syft.tar.gz https://github.com/anchore/syft/releases/latest/download/syft_${SYFT_VERSION}_linux_amd64.tar.gz
Extract the executable to the /usr/local/bin directory:
sudo tar xf syft.tar.gz -C /usr/local/bin syft
We can check the Syft version as follows:
syft --version
Remove the archive, which is no longer needed:
rm -rf syft.tar.gz
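The steps above fetch a binary from GitHub and extract it straight into /usr/local/bin without checking that the archive is the one the project published. The script below, an added example and not part of the tutorial or of Syft's own installer, performs the same steps as a pinned, verifiable install: it resolves the release version, downloads the archive together with the release's checksum list, and extracts only if the SHA-256 matches. It assumes the release publishes a file named syft_<version>_checksums.txt alongside the tarball in the usual sha256sum format (an assumption, not something the tutorial states); the parse_release_version and verify_sha256 helper names are my own.

```shell
#!/bin/sh
# Added example: pinned Syft install with checksum verification.
# Not the tutorial's commands and not the project's install script.
set -eu

# Pull the bare version number out of the GitHub "latest release" JSON.
# Same idea as the tutorial's grep, written with sed so it is portable.
parse_release_version() {
    sed -n 's/.*"tag_name": *"v\([0-9.]*\)".*/\1/p' | head -n 1
}

# Look up the expected SHA-256 of $1 in the checksum list $2 (sha256sum
# format: "<hex>  <filename>") and compare it with the real digest.
# Returns 0 on match, 1 when the entry is missing or the digest differs.
verify_sha256() {
    archive="$1"
    checksums="$2"
    expected=$(awk -v f="$(basename "$archive")" '$2 == f { print $1 }' "$checksums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $(basename "$archive")" >&2
        return 1
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Download the pinned release and its checksum list, verify, then install.
# The checksum file name is assumed (syft_<version>_checksums.txt).
install_syft() {
    version="$1"
    base="https://github.com/anchore/syft/releases/download/v${version}"
    archive="syft_${version}_linux_amd64.tar.gz"
    checksums="syft_${version}_checksums.txt"
    tmp=$(mktemp -d)
    wget -qO "$tmp/$archive" "$base/$archive"
    wget -qO "$tmp/$checksums" "$base/$checksums"
    if ! verify_sha256 "$tmp/$archive" "$tmp/$checksums"; then
        echo "checksum mismatch for $archive; refusing to install" >&2
        rm -rf "$tmp"
        return 1
    fi
    sudo tar xf "$tmp/$archive" -C /usr/local/bin syft
    rm -rf "$tmp"
    syft --version
}

# Only touch the network when explicitly asked: ./install-syft.sh --install
if [ "${1:-}" = "--install" ]; then
    version=$(curl -s "https://api.github.com/repos/anchore/syft/releases/latest" | parse_release_version)
    install_syft "$version"
fi
```

Pinning to a version and refusing to install on a digest mismatch turns a silent substitution of the download (a tampered mirror, a truncated transfer, a proxy error page saved as syft.tar.gz) into a visible failure rather than an executable in your PATH.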
Testing Syft
To use Syft to generate an SBOM from a Docker image, you can run the command:
syft ubuntu:latest
This command analyzes the Docker image, scanning its contents to identify all software packages and dependencies within the image. The command then generates an SBOM, listing details like package names, versions, and metadata.
Output example:
✔ Parsed image sha256:61b2756d6f4...0ae67b9e1
✔ Cataloged contents 74f92a6b358...4389035aa
├── ✔ Packages [91 packages]
├── ✔ File digests [2,041 files]
├── ✔ File metadata [2,041 locations]
└── ✔ Executables [722 executables]
NAME VERSION TYPE
apt 2.7.14build2 deb
base-files 13ubuntu10.1 deb
base-passwd 3.6.3build1 deb
bash 5.2.21-2ubuntu4 deb
bsdutils 1:2.39.3-9ubuntu6.1 deb
coreutils 9.4-3ubuntu6 deb
dash 0.5.12-6ubuntu5 deb
debconf 1.5.86ubuntu1 deb
...
Uninstall Syft
To uninstall Syft, remove its executable:
sudo rm -rf /usr/local/bin/syft
Remove the Syft cache:
rm -rf ~/.cache/syft