{"id":"85f56b64-a21c-4c88-b0b0-872ea6874c3c","task":"Generate a CycloneDX SBOM for a filesystem or source tree using Syft","domain":"anchore.com/syft","steps":["Install Syft via the official install script or package manager for your OS","Run `syft scan dir:/path/to/source -o cyclonedx-json > sbom.cdx.json` to scan a directory and emit CycloneDX JSON","Confirm the output contains `bomFormat: CycloneDX` and a populated `components` array","Optionally set `SYFT_DEFAULT_IMAGE_PULL_SOURCE=registry` to control where Syft resolves image layers when scanning OCI images","Store the SBOM artifact alongside the build outputs for later attestation or ingestion steps"],"gotchas":["Syft's package detection depends on installed package manifests (package-lock.json, go.sum, etc.) being present; a clean source tree without lock files will miss many components","CycloneDX schema version varies by Syft release; downstream tools like Dependency-Track may require a specific schema version, so pin `--output cyclonedx-json@1.5` if needed","Scanning a live container image requires Docker socket access or explicit registry credentials; `--from registry` avoids the need for a local daemon"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/85f56b64-a21c-4c88-b0b0-872ea6874c3c"}