Install Syft using the official install script or a package manager, then verify the version with syft version
Generate a CycloneDX JSON SBOM: syft scan <IMAGE>:<TAG> -o cyclonedx-json=sbom-cdx.json; Syft pulls image layers, catalogs all detected packages, and writes the CycloneDX document to sbom-cdx.json
Generate an SPDX JSON SBOM in the same command invocation by adding a second -o flag: syft scan <IMAGE>:<TAG> -o cyclonedx-json=sbom-cdx.json -o spdx-json=sbom-spdx.json
To scan a local directory or filesystem instead of a remote image, replace the image reference with dir:<PATH> or file:<PATH> as the source argument
Review the output for package count and detected ecosystems, for example with jq '.components | length' sbom-cdx.json, to confirm the catalog is non-empty before attaching the SBOM to a release
Known gotchas
The -o flag accepts a format specifier optionally followed by = and a file path (e.g., -o cyclonedx-json=out.json); omitting the file path writes to stdout, so if several -o flags all omit a path they all target stdout and overwrite one another
Syft detects packages by examining installed package databases (dpkg, rpm, apk, etc.) and language manifests; binaries compiled without embedded metadata are often not detected, so scanning the build context or source directory alongside the image produces more complete results
SPDX and CycloneDX outputs may differ in component count for the same image because the two formats have different rules for representing sub-components and operating-system package relationships
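The review step above and this last gotcha both come down to reading the generated documents back. The following is an added example, not Syft's own code: it loads a CycloneDX JSON and an SPDX JSON document, tallies entries and ecosystems (from the purl type), and compares the two formats on their purl sets rather than raw entry counts, which is where the count mismatch usually hides. The two SBOM documents are constructed inline as stand-ins for sbom-cdx.json and sbom-spdx.json; the extra purl-less SPDX package is an assumed root/OS entry, not a claim about exact Syft output.

```python
import json
from collections import Counter

# Constructed stand-ins for sbom-cdx.json and sbom-spdx.json (not real Syft
# output; only the fields used by the checks below are present).
def _cdx_comp(name, version, purl):
    return {"type": "library", "name": name, "version": version, "purl": purl}

def _spdx_pkg(name, version, purl=None):
    refs = [{"referenceType": "purl", "referenceLocator": purl}] if purl else []
    return {"name": name, "versionInfo": version, "externalRefs": refs}

CYCLONEDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _cdx_comp("openssl", "3.0.2", "pkg:deb/ubuntu/openssl@3.0.2"),
    _cdx_comp("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
    _cdx_comp("lodash", "4.17.21", "pkg:npm/lodash@4.17.21")]})

# The purl-less "ubuntu-image" package is an assumed root/OS entry: it inflates
# the raw package count without adding a component, one source of count mismatch.
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    _spdx_pkg("ubuntu-image", "22.04"),
    _spdx_pkg("openssl", "3.0.2", "pkg:deb/ubuntu/openssl@3.0.2"),
    _spdx_pkg("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
    _spdx_pkg("lodash", "4.17.21", "pkg:npm/lodash@4.17.21")]})

def purls(sbom):
    """Collect package URLs from a CycloneDX or SPDX 2.x JSON document."""
    if sbom.get("bomFormat") == "CycloneDX":
        return [c["purl"] for c in sbom.get("components", []) if c.get("purl")]
    if str(sbom.get("spdxVersion", "")).startswith("SPDX-"):
        return [r["referenceLocator"] for p in sbom.get("packages", [])
                for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"]
    raise ValueError("unrecognised SBOM format")

def ecosystems(purl_list):
    """Tally ecosystems from the purl type, i.e. the <type> in pkg:<type>/..."""
    return dict(Counter(p.split(":", 1)[1].split("/", 1)[0] for p in purl_list))

def check_sbom(text):
    """Release gate: raw entry count, purl-bearing count, ecosystems, non-empty."""
    sbom = json.loads(text)
    entries = len(sbom.get("components", sbom.get("packages", [])))
    found = purls(sbom)
    return {"entries": entries, "with_purl": len(found),
            "ecosystems": ecosystems(found), "ok": len(found) > 0}

def compare_formats(cdx_text, spdx_text):
    """Compare the two outputs on their purl sets instead of raw entry counts."""
    a, b = set(purls(json.loads(cdx_text))), set(purls(json.loads(spdx_text)))
    return {"only_in_cyclonedx": sorted(a - b), "only_in_spdx": sorted(b - a),
            "common": len(a & b)}
```

Run check_sbom on each real file's contents and fail the release if ok is False; a non-empty only_in_cyclonedx or only_in_spdx list, rather than a differing entry count, is what signals a real divergence between the two documents.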