syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems (by anchore)

Syft Alternatives

Similar projects and alternatives to syft

  1. Grafana

    443 syft VS Grafana

    The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.

  2. InfluxDB

    InfluxDB – Built for High-Performance Time Series Workloads. InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.

    InfluxDB logo
  3. Apache Log4j 2

    Apache Log4j is a versatile, feature-rich, efficient logging API and backend for Java.

  4. trivy

    95 syft VS trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

  5. kubescape

    Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.

  6. Zabbix

    73 syft VS Zabbix

    Real-time monitoring of IT components and services, such as networks, servers, VMs, applications and the cloud.

  7. grype

    61 syft VS grype

    A vulnerability scanner for container images and filesystems

  8. checkov

    61 syft VS checkov

    Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

  9. SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo
  10. Sandstorm

    54 syft VS Sandstorm

    Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.

  11. falco

    47 syft VS falco

    Cloud Native Runtime Security

  12. Kyverno

    42 syft VS Kyverno

    Cloud Native Policy Management

  13. lunasec

    37 syft VS lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

  14. cosign

    35 syft VS cosign

    Code signing and transparency for containers and binaries

  15. clair

    23 syft VS clair

    Vulnerability Static Analysis for Containers

  16. kube-bench

    Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

  17. dependency-track

    Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

  18. cargo-auditable

    Make production Rust binaries auditable

  19. kube-hunter

    10 syft VS kube-hunter

    Hunt for security weaknesses in Kubernetes clusters

  20. cdxgen

    3 syft VS cdxgen

    Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen

  21. JaCoCo

    7 syft VS JaCoCo

    :microscope: Java Code Coverage Library

  22. scancode-toolkit

    :mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!

  23. SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo
NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better syft alternative or higher similarity.

syft discussion

Log in or Post with
  1. User avatar
    2e228427
    · 11 months ago
    · Reply

    Review ★★★★☆ 8/10

syft reviews and mentions

Posts with mentions or reviews of syft. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2025-02-17.
  • Open Source projects could sell SBoM fragments
    3 projects | news.ycombinator.com | 17 Feb 2025
    Syft (https://github.com/anchore/syft) and ScanCode (https://github.com/aboutcode-org/scancode-toolkit) are good open-source tools to generate SBOMs and search repos for licensing information — I'm curious to hear if there are reasons why those wouldn't work for enterprise purposes.
  • Mastering Docker Image Management with GitHub Actions and Container Registries
    2 projects | dev.to | 27 Jan 2025
    Software Bill of Materials (SBOM): Knowing what’s in your software is the new cool. Tools like Syft and Trivy can generate SBOMs as part of your CI/CD pipeline, enhancing supply chain security.
  • Deep Dive 🤿: Where Does Grype Data Come From?
    5 projects | dev.to | 12 Nov 2024
    Grype downloads a fresh instance of its vulnerability.db database, then scans the image for specific packages, files, configurations, and so on, building a manifest in the form of a Software Bill of Materials (SBOM) itemizing the software contained in the image. (Under the hood, Grype uses a sister tool, Syft, for this step.)
  • Top 10 SBOM Tools to Inventory Your App Components
    3 projects | dev.to | 15 Oct 2024
    1. Syft
  • Ask HN: Pragmatic way to avoid supply chain attacks as a developer
    3 projects | news.ycombinator.com | 17 Aug 2024
    CycloneDX tools offer packages for each and every programming language. [1]

    The dependency track project accumulates all dependency vulnerabilities in a dashboard. [2]

    Container SBOMs can be generated with syft and grype [3] [4]

    [1] https://github.com/CycloneDX

    [2] https://github.com/DependencyTrack

    [3] https://github.com/anchore/syft

    [4] https://github.com/anchore/grype

  • Secure Your AI Project With Model Attestation and Software Bill of Materials (SBOMs)
    2 projects | dev.to | 8 Aug 2024
    There are various methods and standards for creating AI SBOMs for model attestation. These methods often require you to have some form of SBOM pipeline that extracts relevant information from your project and uses it to generate the SBOM. If you are using container-based technology, you can leverage information from the container images as your SBOM pipeline to create your AI SBOMs. You can directly generate your AI project's SBOMs from Docker container images using Syft.
  • Ask HN: Is there any software you only made for your own use but nobody else?
    65 projects | news.ycombinator.com | 4 Jul 2024
    I can wholeheartedly recommend Syft.[0]

    Decoupling SBOM data collection from vulnerability tracking (with your tool of choice) is a nice capability.

    0: https://github.com/anchore/syft

  • An Overview of Kubernetes Security Projects at KubeCon Europe 2023
    17 projects | dev.to | 22 May 2023
    Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.
  • Launch HN: EdgeBit (YC W23) – live software vulnerability analysis
    3 projects | news.ycombinator.com | 1 Mar 2023
    Inside of the SBOMs, we can detect a lot: https://github.com/anchore/syft#supported-ecosystems

    You're right that the active/dormant detection needs to be customized per type of runtime. We cover rpm/deb, python and java with the node and others coming very soon. The compiled languages will be our main focus next. For example, Go binaries embed some dependency metadata in the binary itself.

    Also related to this effort is the "in-toto" integrity chain: https://in-toto.io/in-toto/ Since we're already connecting build to run, we aim to complete the chain.

  • Building a software bill of materials (SBOM) using open source tools
    1 project | dev.to | 1 Feb 2023
    Installing syft is pretty straight forward. On any Linux/Mac environment you can run the following command to install
  • A note from our sponsor - InfluxDB
    www.influxdata.com | 14 May 2025
    InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now. Learn more →

Stats

Basic syft repo stats
39
6,956
9.8
1 day ago

anchore/syft is an open source project licensed under Apache License 2.0 which is an OSI approved license.

The primary programming language of syft is Go.


Sponsored
InfluxDB – Built for High-Performance Time Series Workloads
InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.
www.influxdata.com