Syft SBOM Generator

Core Workflows

Workflow 1: Container Image SBOM Generation

For creating SBOMs of container images:

1. Identify target container image (local or registry)
2. Run Syft to generate SBOM:

   syft <image-name:tag> -o cyclonedx-json=sbom-cyclonedx.json
   

3. Optionally generate multiple formats:

   syft <image-name:tag> \
     -o cyclonedx-json=sbom-cyclonedx.json \
     -o spdx-json=sbom-spdx.json \
     -o syft-json=sbom-syft.json
   

4. Store SBOM artifacts with image for traceability
5. Use SBOM for vulnerability scanning with Grype or other tools
6. Track SBOM versions alongside image releases

Workflow 2: CI/CD Pipeline Integration

Progress: [ ] 1. Add Syft to build pipeline after image creation [ ] 2. Generate SBOM in standard format (CycloneDX or SPDX) [ ] 3. Store SBOM as build artifact [ ] 4. Scan SBOM for vulnerabilities (using Grype or similar) [ ] 5. Fail build on critical vulnerabilities or license violations [ ] 6. Publish SBOM alongside container image [ ] 7. Integrate with vulnerability management platform

Work through each step systematically. Check off completed items.

Workflow 3: Filesystem and Application Scanning

For generating SBOMs from source code or filesystems:

1. Navigate to project root or specify path
2. Scan directory structure:

   syft dir:/path/to/project -o cyclonedx-json=app-sbom.json
   

3. Review detected packages and dependencies
4. Validate package detection accuracy (check for false positives/negatives)
5. Configure exclusions if needed (using .syft.yaml)
6. Generate SBOM for each release version
7. Track dependency changes between versions

Workflow 4: SBOM Analysis and Vulnerability Scanning

Combining SBOM generation with vulnerability assessment:

1. Generate SBOM with Syft:

   syft <target> -o cyclonedx-json=sbom.json
   

2. Scan SBOM for vulnerabilities using Grype:

   grype sbom:sbom.json -o json --file vulnerabilities.json
   

3. Review vulnerability findings by severity
4. Filter by exploitability and fix availability
5. Prioritize remediation based on:
   • CVSS score
   • Active exploitation status
   • Fix availability
   • Dependency depth
6. Update dependencies and regenerate SBOM
7. Re-scan to verify vulnerability remediation

Workflow 5: Signed SBOM Attestation

For creating cryptographically signed SBOM attestations:

1. Install cosign (for signing):

   # macOS
   brew install cosign
   
   # Linux
   wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
   chmod +x cosign-linux-amd64
   mv cosign-linux-amd64 /usr/local/bin/cosign
   

2. Generate SBOM:

   syft <image> -o cyclonedx-json=sbom.json
   

3. Create attestation and sign:

   cosign attest --predicate sbom.json --type cyclonedx <image>
   

4. Verify attestation:

   cosign verify-attestation --type cyclonedx <image>
   

5. Store signature alongside SBOM for provenance verification

Output Formats

Syft supports multiple SBOM formats for different use cases:

Specify with -o flag:

syft <target> -o cyclonedx-json=output.json

Configuration

Create .syft.yaml in project root or home directory:

# Cataloger configuration