Syft
SBOM generator covering 25+ ecosystems.
Syft is the SBOM generator that Grype builds on, but on its own it is the source of truth for what is inside an image. HarborGuard stores Syft output as the canonical SBOM record for each scan, exports it in CycloneDX or SPDX format on demand, and indexes the packages it lists for cross-image dependency search.
What it scans
- OS packages (deb, rpm, apk, alpm)
- Language ecosystems (npm, yarn, pip, poetry, pipenv, conda, RubyGems, Maven, Gradle, NuGet, Cargo, Go modules, Hex, Composer, dart, swift)
- Binary fingerprints (Go, Rust, Java)
When to use it
- Compliance evidence — SBOM exports are required for SOC 2, FedRAMP, and CMMC.
- Supply-chain visibility — dependency search across all scanned images.
- Pair with Grype for dual scanning without re-extracting layers.
How HarborGuard runs Syft
1. SBOMs are stored alongside scan rows and are downloadable from the report page.
2. Dependency search indexes Syft output to power /dashboard/dependencies.
3. Compliance packs consume SBOMs as the evidence source for control SI-2.
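The cross-image dependency search described above (step 2, and the indexing mentioned in the introduction) can be illustrated with a small index built over Syft's native JSON output. The script below is an added example, not HarborGuard's or Syft's own code; it reads the `artifacts` array that Syft-JSON emits per image, indexes every package by ecosystem and name, and answers the two questions a responder usually asks: which images contain a package, and which of them carry a version older than a known-fixed one. The two SBOM documents embedded in it are constructed samples that follow the Syft-JSON layout, not real scan output, and `parse_version` is a deliberately loose numeric comparator rather than a dpkg, semver or PEP 440 implementation.

```python
"""Cross-image dependency index over Syft-JSON output (added example)."""
import json
from collections import Counter, defaultdict

# Constructed Syft-JSON-style documents, one per scanned image (sample data,
# not real scan output). Only the fields the index needs are included.
SAMPLE_SBOMS = {
    "registry.example/app:1.4.2": json.dumps({
        "artifacts": [
            {"name": "openssl", "version": "3.0.2", "type": "deb",
             "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
            {"name": "lodash", "version": "4.17.20", "type": "npm",
             "purl": "pkg:npm/lodash@4.17.20"},
        ],
        "source": {"type": "image",
                   "target": {"userInput": "registry.example/app:1.4.2"}},
    }),
    "registry.example/worker:2.0.0": json.dumps({
        "artifacts": [
            {"name": "openssl", "version": "3.0.13", "type": "deb",
             "purl": "pkg:deb/ubuntu/openssl@3.0.13"},
            {"name": "requests", "version": "2.31.0", "type": "python",
             "purl": "pkg:pypi/requests@2.31.0"},
        ],
        "source": {"type": "image",
                   "target": {"userInput": "registry.example/worker:2.0.0"}},
    }),
}


def parse_version(v):
    """Loose numeric version tuple: "3.0.2" -> (3, 0, 2).

    Non-numeric components count as 0. Sufficient for the samples here;
    a production index should use the ecosystem's own comparator."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_index(sboms):
    """Return {(ecosystem, package_name): [(image, version), ...]}.

    `sboms` maps an image reference to the raw Syft-JSON text for that image."""
    index = defaultdict(list)
    for image, raw in sboms.items():
        doc = json.loads(raw)
        for art in doc.get("artifacts", []):
            key = (art.get("type", "unknown"), art["name"])
            index[key].append((image, art.get("version", "")))
    return index


def images_with(index, name, ecosystem=None):
    """Sorted images containing package `name` (any ecosystem if None)."""
    hits = set()
    for (eco, pkg), entries in index.items():
        if pkg == name and (ecosystem is None or eco == ecosystem):
            hits.update(img for img, _ in entries)
    return sorted(hits)


def images_below(index, name, version, ecosystem=None):
    """Sorted images whose copy of `name` is older than `version`.

    This is the set that needs a rebuild once a fixed version is published."""
    floor = parse_version(version)
    hits = set()
    for (eco, pkg), entries in index.items():
        if pkg != name or (ecosystem is not None and eco != ecosystem):
            continue
        for img, ver in entries:
            if parse_version(ver) < floor:
                hits.add(img)
    return sorted(hits)


def ecosystem_summary(index):
    """Count of indexed package entries per ecosystem across all images."""
    counts = Counter()
    for (eco, _), entries in index.items():
        counts[eco] += len(entries)
    return dict(counts)


if __name__ == "__main__":
    idx = build_index(SAMPLE_SBOMS)
    print("images with openssl:", images_with(idx, "openssl"))
    print("images with openssl < 3.0.10:", images_below(idx, "openssl", "3.0.10"))
    print("packages per ecosystem:", ecosystem_summary(idx))
```

In a deployment the `sboms` argument would be fed from the stored Syft-JSON records rather than the inline samples; keying the index on `(ecosystem, name)` matters because the same package name can exist in several ecosystems with unrelated version histories.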
Output formats
CycloneDX-JSON, CycloneDX-XML, SPDX-JSON, SPDX-Tag-Value, Syft-JSON
Upstream
anchore/syft