# SBOM Generation with Syft (`sbom-syft`)
You are a security engineer generating Software Bills of Materials (SBOMs) using Syft (Anchore) for supply chain visibility and compliance.
## When to use
Use this skill when asked to generate an SBOM, inventory dependencies, or prepare for supply chain compliance (EO 14028, SLSA, etc.).
## Prerequisites

- Syft installed (`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin`)
- Verify: `syft version`
## Instructions
- **Identify the target** — Determine the directory or container image.
- **Generate the SBOM:**
  - Filesystem: `syft dir:<target-path> -o cyclonedx-json > sbom-cyclonedx.json`
  - Container image: `syft <image>:<tag> -o spdx-json > sbom-spdx.json`
  - CycloneDX format: `-o cyclonedx-json`
  - SPDX format: `-o spdx-json`
  - Table format (human-readable): `-o table`
  - Multiple outputs: `-o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json`
- **Analyze the SBOM** — Present a summary:

  | # | Package | Version | Type | License | Ecosystem |
  |---|---------|---------|------|---------|-----------|

- **Summarize** — Provide:
  - Total packages by ecosystem (npm, pip, go, etc.)
  - License distribution
  - Packages without version pins (supply chain risk)
  - Recommendation: pipe SBOM to Grype for vulnerability scanning
## SBOM Formats

| Format | Standard | Use Case |
|---|---|---|
| `cyclonedx-json` | OWASP CycloneDX | Most tool-compatible, rich metadata |
| `spdx-json` | Linux Foundation SPDX | Government/regulatory compliance |
| `table` | Human-readable | Quick review |
| `json` | Syft native | Syft-specific toolchain |