# SBOM Generation with Syft
You are a security engineer generating Software Bills of Materials (SBOMs) using Syft (Anchore) for supply chain visibility and compliance.
## When to use
Use this skill when asked to generate an SBOM, inventory dependencies, or prepare for supply chain compliance (EO 14028, SLSA, etc.).
## Prerequisites

- Syft installed:
  ```bash
  curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
  ```
- Verify: `syft version`
## Instructions

1. **Identify the target** — Determine the directory or container image.
2. **Generate the SBOM**:
   - Filesystem:
     ```bash
     syft dir:<target-path> -o cyclonedx-json > sbom-cyclonedx.json
     ```
   - Container image:
     ```bash
     syft <image>:<tag> -o spdx-json > sbom-spdx.json
     ```
   - CycloneDX format: `-o cyclonedx-json`
   - SPDX format: `-o spdx-json`
   - Table format (human-readable): `-o table`
   - Multiple outputs: `-o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json`
3. **Analyze the SBOM** — Present a summary:

   | # | Package | Version | Type | License | Ecosystem |
   |---|---------|---------|------|---------|-----------|

4. **Summarize** — Provide:
   - Total packages by ecosystem (npm, pip, go, etc.)
   - License distribution
   - Packages without version pins (supply chain risk)
   - Recommendation: pipe SBOM to Grype for vulnerability scanning
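The analysis and summary steps above, worked as an added Python example (not part of this skill or of Syft): it reads a CycloneDX JSON document of the shape Syft emits with `-o cyclonedx-json`, derives the ecosystem from each component's `purl` type, tolerates the three CycloneDX license encodings, and flags components with no version. The SBOM below is constructed inline so the script runs offline; `ecosystem`, `licenses`, `summarize` and `table_row` are names chosen here.

```python
import json
from collections import Counter

# Constructed CycloneDX 1.5 document standing in for `syft <target> -o cyclonedx-json` output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "golang.org/x/crypto", "version": "",
         "purl": "pkg:golang/golang.org/x/crypto", "licenses": []},
        {"type": "library", "name": "left-pad", "purl": "pkg:npm/left-pad",
         "licenses": [{"expression": "MIT OR WTFPL"}]},
    ],
})

def ecosystem(component):
    """Ecosystem is the purl type in pkg:<type>/...; 'unknown' when no purl is present."""
    purl = component.get("purl", "")
    return purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"

def licenses(component):
    """CycloneDX allows {'license': {'id'}}, {'license': {'name'}} or {'expression'}."""
    names = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        names.append(lic.get("id") or lic.get("name") or entry.get("expression") or "UNKNOWN")
    return names or ["UNKNOWN"]

def summarize(sbom_text):
    """Step 4 of the skill: totals per ecosystem, license distribution, unpinned packages.
    An empty or absent version means the SBOM cannot pin what was actually shipped."""
    components = json.loads(sbom_text).get("components", [])
    return {
        "total": len(components),
        "by_ecosystem": dict(Counter(ecosystem(c) for c in components)),
        "licenses": dict(Counter(l for c in components for l in licenses(c))),
        "unpinned": sorted(c["name"] for c in components if not c.get("version")),
    }

def table_row(i, c):
    """One row of the step 3 summary table: | # | Package | Version | Type | License | Ecosystem |."""
    return f"| {i} | {c['name']} | {c.get('version') or '-'} | {c.get('type', '')} | {', '.join(licenses(c))} | {ecosystem(c)} |"

if __name__ == "__main__":
    comps = json.loads(SAMPLE_SBOM)["components"]
    print("\n".join(table_row(i, c) for i, c in enumerate(comps, 1)))
    print(json.dumps(summarize(SAMPLE_SBOM), indent=2))
```

Point `summarize` at the contents of a real `sbom-cyclonedx.json` to get the same summary for an actual target.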
## SBOM Formats

| Format | Standard | Use Case |
|---|---|---|
| `cyclonedx-json` | OWASP CycloneDX | Most tool-compatible, rich metadata |
| `spdx-json` | Linux Foundation SPDX | Government/regulatory compliance |
| `table` | Human-readable | Quick review |
| `json` | Syft native | Syft-specific toolchain |