Produce a valid SPDX 2.3 SBOM with license expressions using Syft
domain: anchore.com/syft · 5 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed
Verified steps
1. Run `syft scan <image-or-dir> -o spdx-json > sbom.spdx.json` to emit SPDX 2.3 JSON.
2. Verify the output contains a `SPDXID: SPDXRef-DOCUMENT` header and `packages` array with `licenseConcluded` fields.
3. Check that `relationships` include `DESCRIBES` and `CONTAINS` entries linking the document to its root package.
4. Use `syft packages <target> -o spdx-tag-value` for the tag-value format required by some NTIA minimum-elements validators.
5. Validate the SBOM with a tool such as the SPDX Java tools or `ntia-conformance-checker` to confirm minimum elements are present.
Known gotchas
- Syft uses `NOASSERTION` for licenses it cannot detect; downstream license compliance checks will flag these unless you curate them manually.
- SPDX requires globally unique `SPDXID` values; merging two Syft-generated SBOMs without re-writing IDs will produce invalid documents.
- The tag-value (.spdx) and JSON formats are not fully interchangeable in all tools; confirm your consumer supports the format variant you emit.
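The checks from steps 2 and 3 and the first two gotchas, written out as a Python checker. This is an added example, not part of the original route or of Syft: `check_spdx`, `naive_merge` and the sample document are constructed for illustration, and the checker covers only the fields named above, so the validators in step 5 are still needed.

```python
import json
from collections import Counter

# Constructed sample trimmed to the fields checked below; not real Syft output.
SAMPLE = json.loads("""{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {"SPDXID": "SPDXRef-root", "name": "demo-image", "licenseConcluded": "NOASSERTION"},
    {"SPDXID": "SPDXRef-pkg-a", "name": "liba", "licenseConcluded": "MIT OR Apache-2.0"},
    {"SPDXID": "SPDXRef-pkg-b", "name": "libb", "licenseConcluded": "NOASSERTION"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-root"},
    {"spdxElementId": "SPDXRef-root", "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-pkg-a"},
    {"spdxElementId": "SPDXRef-root", "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-pkg-b"}]
}""")

def check_spdx(doc):
    """Return (errors, unlicensed): structural problems, and packages to curate."""
    errors = []
    if doc.get("spdxVersion") != "SPDX-2.3":
        errors.append("spdxVersion is not SPDX-2.3")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        errors.append("document SPDXID is not SPDXRef-DOCUMENT")
    pkgs = doc.get("packages") or []
    if not pkgs:
        errors.append("packages array is missing or empty")
    ids = Counter(p.get("SPDXID") for p in pkgs)
    errors += [f"duplicate SPDXID {i}" for i, n in ids.items() if n > 1]
    errors += [f"{p.get('name')}: no licenseConcluded" for p in pkgs if "licenseConcluded" not in p]
    rels = doc.get("relationships") or []
    # The document must DESCRIBE a package that is actually listed.
    described = {r.get("relatedSpdxElement") for r in rels
                 if r.get("relationshipType") == "DESCRIBES"
                 and r.get("spdxElementId") == "SPDXRef-DOCUMENT"}
    if not described & set(ids):
        errors.append("no DESCRIBES relationship from the document to a listed package")
    if not any(r.get("relationshipType") == "CONTAINS" for r in rels):
        errors.append("no CONTAINS relationships")
    unlicensed = [p.get("name") for p in pkgs if p.get("licenseConcluded") == "NOASSERTION"]
    return errors, unlicensed

def naive_merge(a, b):
    """Concatenate two SBOMs without rewriting IDs: the invalid merge from the gotchas."""
    return {**a, "packages": a["packages"] + b["packages"],
            "relationships": a["relationships"] + b["relationships"]}

print(check_spdx(SAMPLE), check_spdx(naive_merge(SAMPLE, SAMPLE))[0])
```

To run it against real output, load the file from step 1 with `json.load` and pass the result to `check_spdx`.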