Generate SBOMs for Container Images using Syft

In my previous post, I wrote about software bill of materials (or SBOMs) and how they are becoming increasingly important for software supply chain security. I did, however, only make a passing reference to the generation of SBOMs, whether as a standalone exercise or as part of a CI/CD pipeline. In this post, I'll show how you can easily generate SBOMs using an open-source tool, Syft.

What is Syft?

Syft, developed by Anchore, is a CLI tool that generates a comprehensive SBOM from container images and filesystems. It can be run as part of a CI/CD pipeline, and uncovers direct and transitive dependencies. It outputs SBOMs in JSON as well as SPDX and CycloneDX formats for compatibility with downstream tools. Syft can also create signed attestations using sigstore, making SBOMs immensely more valuable in securing the supply chain (if you trust the producer of an image and the producer can attest that they created the corresponding SBOM, you can rest assured that the SBOM is accurate and has not been tampered with).

Syft and Cosign integration for SBOM attestation (source: Anchore)

Install Syft on a DigitalOcean Droplet

I'm going to use DigitalOcean for this guide; if you don't have an account, sign up here - you’ll receive a $200, 60-day credit as soon as you add a valid payment method to your account. Set up your team and project, create a basic droplet (2GB RAM / 1 CPU, Ubuntu 20.04 image), set the data center region, an authentication option (root password for now) and the hostname. Click Create Droplet.

Once the droplet is ready, select it and launch the Droplet Console as root from the menu options. Run the following commands to update the Ubuntu instance and install the Syft binary.

# Update the package metadata and packages to the latest versions
apt-get update && apt-get dist-upgrade

# Download and install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# Validate Syft was installed correctly
syft version

If you want to install Syft on your Macbook instead, run the following commands.

# Install Syft using Homebrew (assumes Homebrew is installed)
brew tap anchore/syft
brew install syft

Generate SBOMs for Container Images

To generate an SBOM for a container image, simply run syft <image>. Here is sample output for the alpine:latest image.

Sample SBOM output for the alpine:latest image (screenshot)

By default, the output only includes software components in the final layer of the container; to include software from all layers, run syft --scope all-layers <image> instead.

Syft can generate SBOMs from Podman, tar archives, or an OCI registry - see the full list of sources here. To write the SBOM in SPDX JSON format use the -o spdx-json flag; for CycloneDX, use -o cyclonedx-xml (or -o cyclonedx-json).
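The scope and output-format options above matter most when the SBOM is consumed downstream. The following added example (not code from the post or from the Syft project) parses two CycloneDX JSON documents of the kind syft -o cyclonedx-json emits, one taken with the default scope and one with --scope all-layers, reports components that only existed in an intermediate layer, and applies a simple deny-list gate; both SBOM documents are constructed, trimmed stand-ins for real Syft output.

```python
import json

# Constructed sample standing in for `syft -o cyclonedx-json alpine:latest` (default scope), trimmed.
SQUASHED = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "musl", "version": "1.2.3-r0", "purl": "pkg:apk/alpine/musl@1.2.3-r0"},
    {"type": "library", "name": "busybox", "version": "1.35.0-r17", "purl": "pkg:apk/alpine/busybox@1.35.0-r17"},
]})
# Constructed sample for `syft --scope all-layers -o cyclonedx-json alpine:latest`:
# curl was installed in an intermediate layer and removed before the final one.
ALL_LAYERS = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "musl", "version": "1.2.3-r0", "purl": "pkg:apk/alpine/musl@1.2.3-r0"},
    {"type": "library", "name": "busybox", "version": "1.35.0-r17", "purl": "pkg:apk/alpine/busybox@1.35.0-r17"},
    {"type": "library", "name": "curl", "version": "7.83.1-r0", "purl": "pkg:apk/alpine/curl@7.83.1-r0"},
]})


def load_components(sbom_text):
    """Map each component of a CycloneDX JSON SBOM to its purl (or name@version when no purl is present)."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    comps = {}
    for c in doc.get("components", []):
        key = c.get("purl") or f"{c['name']}@{c.get('version', '')}"
        comps[key] = {"name": c["name"], "version": c.get("version", "")}
    return comps


def layer_diff(squashed_text, all_layers_text):
    """Components seen only with --scope all-layers: they were in an intermediate layer but not the final filesystem."""
    final = load_components(squashed_text)
    every = load_components(all_layers_text)
    return sorted(set(every) - set(final))


def denied_components(sbom_text, denied_names):
    """Minimal CI gate: purls whose package name appears on a deny list maintained by the security team."""
    return sorted(purl for purl, c in load_components(sbom_text).items() if c["name"] in denied_names)


if __name__ == "__main__":
    print("only in intermediate layers:", layer_diff(SQUASHED, ALL_LAYERS))
    print("denied:", denied_components(ALL_LAYERS, {"curl"}))
```

Packages that show up only in the all-layers SBOM are still part of the image's history and build provenance, so a review or gate that only looks at the default scope will miss them.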

To make things seamless for developers, Anchore and Docker have collaborated to release a simple operation called docker sbom in Docker Desktop. Built upon Syft, this allows Docker users to generate SBOMs for container images easily using the native Docker CLI. To integrate Syft with your GitHub-based workflows, you can use the sbom-action GitHub Action.