What does HackerNews think of syft?

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Language: Go

#35 in Docker
#42 in Go
#29 in Go
#93 in Hacktoberfest
I'm curious to hear what tools folks are using for generating software bill of materials (SBOMs) today? We're huge fans of the Syft project: https://github.com/anchore/syft

You can read more about our "realtime SBOM" concept as well: https://edgebit.io/blog/realtime-sbom/

Currently the best one I know of is https://github.com/anchore/syft. It finds most dependencies even within built artifacts.

You can also check out the comments in https://news.ycombinator.com/item?id=32104805 - the release announcement of Salus (Microsoft)

https://github.com/anchore/syft is an easier to use alternative. Just point it at a container image, path or archive and it will generate the SBOM for you.

Salus seems to be more flexible - you can also feed the sources and the package manager files into it. I guess the results could be more accurate.

You can use Syft [1], which generates the full software bill of materials, which includes package names and licenses, for a broad set of tech stacks ranging from OS level (Alpine, Debian) through Go, Ruby, Python, Java, JavaScript, etc.

[1] https://github.com/anchore/syft

Ed: linked as "infoworld article" in TFA.

This article[1] probably seems like a bit of convenient self-promotion from Anchore - but the two tools grype and syft

https://github.com/anchore/grype

https://github.com/anchore/syft

turned out to be very helpful in easily looking through folders, installed services (in particular an installed mobile device manager running on Windows) and container images.

[1] https://www.infoworld.com/article/3644492/how-to-detect-the-...

Submitted to HN as: https://news.ycombinator.com/item?id=29543589 in case there's more discussion of tooling that might fit there.
