InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now. Learn more →
Syft Alternatives
Similar projects and alternatives to syft
-
Grafana
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
-
InfluxDB
InfluxDB – Built for High-Performance Time Series Workloads. InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.
-
Apache Log4j 2
Apache Log4j is a versatile, feature-rich, efficient logging API and backend for Java.
-
trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
-
kubescape
Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.
-
Zabbix
Real-time monitoring of IT components and services, such as networks, servers, VMs, applications and the cloud.
-
-
checkov
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
-
Sandstorm
Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
-
-
-
lunasec
LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
-
-
-
kube-bench
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
-
dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
-
-
-
cdxgen
Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen
-
-
scancode-toolkit
:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
syft discussion
syft reviews and mentions
-
Open Source projects could sell SBoM fragments
Syft (https://github.com/anchore/syft) and ScanCode (https://github.com/aboutcode-org/scancode-toolkit) are good open-source tools to generate SBOMs and search repos for licensing information — I'm curious to hear if there are reasons why those wouldn't work for enterprise purposes.
-
Mastering Docker Image Management with GitHub Actions and Container Registries
Software Bill of Materials (SBOM): Knowing what’s in your software is the new cool. Tools like Syft and Trivy can generate SBOMs as part of your CI/CD pipeline, enhancing supply chain security.
-
Deep Dive 🤿: Where Does Grype Data Come From?
Grype downloads a fresh instance of its vulnerability.db database, then scans the image for specific packages, files, configurations, and so on, building a manifest in the form of a Software Bill of Materials (SBOM) itemizing the software contained in the image. (Under the hood, Grype uses a sister tool, Syft, for this step.)
-
Top 10 SBOM Tools to Inventory Your App Components
1. Syft
-
Ask HN: Pragmatic way to avoid supply chain attacks as a developer
CycloneDX tools offer packages for each and every programming language. [1]
The dependency track project accumulates all dependency vulnerabilities in a dashboard. [2]
Container SBOMs can be generated with syft and grype [3] [4]
[1] https://github.com/CycloneDX
[2] https://github.com/DependencyTrack
[3] https://github.com/anchore/syft
[4] https://github.com/anchore/grype
-
Secure Your AI Project With Model Attestation and Software Bill of Materials (SBOMs)
There are various methods and standards for creating AI SBOMs for model attestation. These methods often require you to have some form of SBOM pipeline that extracts relevant information from your project and uses it to generate the SBOM. If you are using container-based technology, you can leverage information from the container images as your SBOM pipeline to create your AI SBOMs. You can directly generate your AI project's SBOMs from Docker container images using Syft.
-
Ask HN: Is there any software you only made for your own use but nobody else?
I can wholeheartedly recommend Syft.[0]
Decoupling SBOM data collection from vulnerability tracking (with your tool of choice) is a nice capability.
0: https://github.com/anchore/syft
-
An Overview of Kubernetes Security Projects at KubeCon Europe 2023
Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.
-
Launch HN: EdgeBit (YC W23) – live software vulnerability analysis
Inside of the SBOMs, we can detect a lot: https://github.com/anchore/syft#supported-ecosystems
You're right that the active/dormant detection needs to be customized per type of runtime. We cover rpm/deb, python and java with the node and others coming very soon. The compiled languages will be our main focus next. For example, Go binaries embed some dependency metadata in the binary itself.
Also related to this effort is the "in-toto" integrity chain: https://in-toto.io/in-toto/ Since we're already connecting build to run, we aim to complete the chain.
-
Building a software bill of materials (SBOM) using open source tools
Installing syft is pretty straight forward. On any Linux/Mac environment you can run the following command to install
-
A note from our sponsor - InfluxDB
www.influxdata.com | 14 May 2025
Stats
anchore/syft is an open source project licensed under Apache License 2.0 which is an OSI approved license.
The primary programming language of syft is Go.
Review ★★★★☆ 8/10