Syft is a powerful SBOM (Software Bill of Materials) tool that provides insights into the contents of container images. In this guide, we'll explore how to use Syft with different container images to generate SBOM reports.
To install Syft, you can use the following command:
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | shOnce installed, you can use Syft by executing:
./bin/syft <image_name>For example:
./bin/syft alpine
Syft can also analyze container images from various registries. Here are some examples:
# Using Syft with an image from chainguard registry
./bin/syft cgr.dev/chainguard/wolfi-base
# Using Syft with an image from Google Container Registry (GCR)
./bin/syft gcr.io/distroless/java17-debian12:debug-nonroot
# Using Syft with an image from Amazon Elastic Container Registry (ECR)
./bin/syft 
-
Dockerfile Not Available: If the Dockerfile for the image you need to use is not available, Syft can help you understand the contents of the image and its dependencies.
./bin/syft <image_name>
-
Comparing Images from Different Providers: Syft can be used to compare packages between two identical images obtained from different providers.
./bin/syft <image_provider1/image> > provider1_sbom.txt ./bin/syft <image_provider2/image> > provider2_sbom.txt diff provider1_sbom.txt provider2_sbom.txt
-
Building Images Using Custom Methods: If you want to create an image using your own methods, Syft can assist in understanding the packages and dependencies needed.
./bin/syft redis