1. Install syft in your CI environment via the installer script or as a pinned binary download. Pin the version and verify the downloaded binary's checksum so the SBOM tool itself does not become an unverified link in the chain.
2. After building your container image, generate an SPDX SBOM, addressing the image by digest rather than by tag so the SBOM is bound to exactly the artifact you will sign: `syft <image>@<digest> -o spdx-json > sbom.spdx.json`
3. Review the SBOM for completeness: syft catalogs packages recorded by the OS package manager (dpkg/apt, apk, rpm) and by language-specific manifests and lockfiles (go.sum, package-lock.json, etc.), so check that each ecosystem you expect actually appears.
4. Attach the SBOM as a cosign attestation: `cosign attest --predicate sbom.spdx.json --type spdxjson <image>@<digest>` (requires the same OIDC setup as keyless signing). The attestation is an in-toto statement whose subject is the image digest and whose predicate type is `https://spdx.dev/Document`.
5. Consumers verify and retrieve the attestation with `cosign verify-attestation --type spdxjson --certificate-identity <expected signer identity> --certificate-oidc-issuer <expected issuer URL> <image>@<digest>`; for keyless signatures the identity and issuer flags are what bind the attestation to your CI identity, so do not omit them. The command prints one DSSE envelope per matching attestation with the statement base64-encoded in its `payload` field; pipe it through `jq -r .payload | base64 -d | jq .predicate` for inspection, or hand it to policy evaluation with OPA/Rego (cosign's `--policy` flag evaluates Rego or CUE policies against the statement during verification).
6. Integrate syft SBOM generation into a Grype vulnerability scan step: `grype sbom:sbom.spdx.json --fail-on high` to catch CVEs, and fail the build above your chosen severity, before pushing.
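The consumer-side half of step 5 and the completeness review of step 3 can be scripted. The following is an added example (not syft's or cosign's own code) that parses what `cosign verify-attestation` prints, pulls the SPDX document out of the in-toto statement, summarises catalogued packages by purl ecosystem, and applies a small policy: the subject digest must match the image you intend to deploy, the predicate type must be the SPDX one, and the SBOM must not be empty or missing OS-package entries. The sample envelope, image digest and package list are constructed here so the script runs offline; the signature field is a placeholder because cosign has already checked it before this output reaches you.

```python
import base64
import json
from collections import Counter

# Constructed placeholder values (not a real image, digest or registry).
IMAGE_DIGEST = "c0ffee" * 10 + "abcd"  # 64 hex characters standing in for a sha256
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # predicate type cosign records for --type spdxjson

# A deliberately small SPDX document: two dpkg packages, one Go module, one entry without a purl.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "registry.example/app",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13-1",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.13-1"}]},
        {"name": "ca-certificates", "versionInfo": "20230311",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/ca-certificates@20230311"}]},
        {"name": "golang.org/x/crypto", "versionInfo": "v0.21.0",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:golang/golang.org/x/crypto@v0.21.0"}]},
        {"name": "vendored-blob", "versionInfo": "0.0.1", "externalRefs": []},
    ],
}

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [{"name": "registry.example/app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": SAMPLE_SPDX,
}


def make_envelope(statement: dict) -> str:
    """Wrap an in-toto statement in a DSSE envelope the way cosign prints it (one JSON object per line).
    The signature is a constructed placeholder: this script runs after cosign has verified it."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})


# Constructed stand-in for the stdout of `cosign verify-attestation --type spdxjson ...`.
SAMPLE_OUTPUT = make_envelope(SAMPLE_STATEMENT) + "\n"


def decode_attestations(verify_output: str) -> list:
    """Parse cosign's output: one DSSE envelope per line, statement base64-encoded in `payload`."""
    statements = []
    for line in verify_output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def purl_type(package: dict) -> str:
    """Ecosystem from the package's purl (the segment after 'pkg:'), or 'unknown' if it has none."""
    for ref in package.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"].removeprefix("pkg:").split("/", 1)[0]
    return "unknown"


def spdx_summary(spdx: dict) -> dict:
    """Package count and a per-ecosystem breakdown, the quick completeness check from step 3."""
    packages = spdx.get("packages", [])
    return {"total": len(packages), "by_type": dict(Counter(purl_type(p) for p in packages))}


def evaluate_policy(statement: dict, expected_digest: str, min_packages: int = 1,
                    os_types=("deb", "apk", "rpm")) -> list:
    """Return a list of violations; an empty list means the attestation passes the policy."""
    violations = []
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        violations.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == expected_digest for s in subjects):
        violations.append("no subject matches the expected image digest")
    summary = spdx_summary(statement.get("predicate", {}))
    if summary["total"] < min_packages:
        violations.append(f"only {summary['total']} packages catalogued (minimum {min_packages})")
    if not any(t in summary["by_type"] for t in os_types):
        violations.append("no OS package-manager entries; SBOM may be sparse (distroless or stripped image)")
    return violations


if __name__ == "__main__":
    for stmt in decode_attestations(SAMPLE_OUTPUT):
        print(json.dumps(spdx_summary(stmt["predicate"]), indent=2))
        print("violations:", evaluate_policy(stmt, IMAGE_DIGEST))
```

In a real pipeline, replace `SAMPLE_OUTPUT` with the stdout of the verify command and `IMAGE_DIGEST` with the digest your deployment manifest references; a non-empty violation list should block the deploy. The OS-package check implements the second gotcha below: a distroless image legitimately yields no dpkg/apk/rpm entries, so tune `os_types` (or pass an empty tuple) for such base images rather than treating every sparse SBOM as a failure.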
## Known gotchas

- syft catalogs packages present in the image layers at scan time. Build-time dependencies removed from the final image (multi-stage builds) will not appear in the SBOM; this is correct, since they are not shipped, but it can surprise auditors expecting a full dependency tree. If that tree is required, generate a second SBOM from the build context and attach it alongside the image SBOM.
- SBOM completeness depends on package manager metadata being intact in the image; distroless or heavily stripped images may produce sparse SBOMs. Run syft against the build context as well (`syft dir:<build context path> -o spdx-json`) for a fuller picture, and compare the package counts of the two outputs so a suspiciously thin image SBOM does not pass unnoticed.
- Attaching attestations via cosign increases the number of objects in your registry: each attestation is stored as an additional manifest in the same repository under a tag derived from the image digest (`sha256-<digest>.att`). Ensure your registry retention policies, especially rules that delete tags by pattern or age, do not inadvertently prune them, or the verify step in step 5 will start failing for images that are still deployed.