Syft 1.42.3, released by Anchore Inc. as the thirty-eighth iteration in its rapid-evolution series, is a command-line utility and embeddable library whose single purpose is to scan container images or arbitrary filesystem trees and emit a standards-compliant Software Bill of Materials. By parsing every layer of an OCI or Docker archive, or by walking a local directory, the tool inventories installed operating-system packages, language-level modules, and third-party dependencies, then exports the resulting SBOM in CycloneDX, SPDX, or its own JSON format for consumption by security, compliance, and licensing workflows.

Security teams embed Syft in CI pipelines to generate baseline SBOMs for golden images, vulnerability-management platforms call it to enrich CVE scans with accurate component lists, and compliance officers rely on its output to satisfy artifact-traceability clauses in regulations such as the U.S. Executive Order on Cybersecurity. Because the same binary can interrogate a live container repo, a tarball, or a developer laptop, the utility fits equally into cloud-native build farms and traditional on-prem packaging environments; scripts frequently pair it with vulnerability scanners so that every build promotion gate is accompanied by an up-to-date bill of materials.

The software is available for free on get.nero.com, with downloads provided via trusted Windows package sources (e.g. winget), always delivering the latest version, and supporting batch installation of multiple applications.