Syft
CLI and library for generating SBOMs (SPDX, CycloneDX) from images, directories, and archives.
Why it is included
FOSS backbone for supply-chain transparency mandates; commonly paired with Grype or Trivy for vulnerability matching against the generated SBOM.
Best for
SBOM generation in build jobs and artifact registries.
Strengths
- Formats: SPDX/CycloneDX
- CI-friendly
Limitations
- SBOM completeness depends on discovery depth: components the cataloger cannot see in the target are absent from the SBOM
Good alternatives
Trivy SBOM mode · bom tools
Related tools
Security & Privacy
Grype
Vulnerability scanner for container images and filesystems using Anchore’s vulnerability DB and Syft SBOM input.
Security & Privacy
Trivy
All-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages with CI integrations.
Security & Privacy
Dependency-Track
Continuous SBOM analysis platform tracking component vulnerabilities, policies, and audit trails for supply chain risk.
Security & Privacy
Wazuh
Open security platform combining SIEM, XDR, file integrity monitoring, and compliance checks across endpoints and cloud.
Security & Privacy
Lynis
Host-based security auditing for Unix: misconfigurations, packages, SSH, kernel hardening hints.
Security & Privacy
Falco
Cloud-native runtime security for Linux/Kubernetes: syscall and K8s audit rules with Falcoctl and ecosystem outputs.
