Run syft <image-reference> -o cyclonedx-json=sbom-v1.cdx.json to generate a CycloneDX SBOM; add -o spdx-json=sbom-v1.spdx.json to the same invocation (syft accepts several -o flags) for an SPDX output of the same scan. Reference the image by digest rather than by tag so the baseline is reproducible.
Build or pull the successor image and run the same syft version with the same format flags to produce sbom-v2.cdx.json; a different syft release or a different output format between the two runs produces drift that has nothing to do with the image.
Compare the two CycloneDX SBOMs with a format-aware tool such as cyclonedx-cli diff (verify the exact subcommand and flags in current docs), or with a script that keys components by purl; the goal is a list of added, removed, and version-changed packages rather than a raw JSON diff.
Correlate the changed components with a vulnerability database: grype consumes an SBOM, not a diff, so run grype sbom:sbom-v2.cdx.json -o json on the newer SBOM and filter its matches down to the components that were added or changed versions, which shows whether the drift itself introduced vulnerabilities (the full result set still belongs to the ordinary baseline scan).
Fail the CI pipeline if components are added that are not on an allowlist, or if a changed component carries a finding at or above a severity threshold (grype's --fail-on <severity> handles the whole-SBOM threshold; the drift-scoped check is the part that needs the diff).
Known gotchas
SBOM component ordering is not guaranteed to be stable across Syft runs on the same image, and the serialNumber and timestamp fields change on every run; a naive line-by-line diff produces noise. Use a format-aware diff that compares by purl or component identity, and normalize the version part of the purl separately so an upgrade shows up as "changed" rather than as one removal plus one addition.
Syft's component detection accuracy depends on the image contents and the ecosystem. Packages recorded in an OS package database or a language manifest are detected reliably; software copied into the image outside any package manager (an extracted tarball, a static binary) may be missed entirely or identified only by Syft's binary classifier, so an empty diff does not prove nothing changed.
SPDX and CycloneDX express relationships and component identity differently; comparing an SPDX SBOM against a CycloneDX SBOM produces false drift signals from the format translation alone. Keep the comparison within one format, emitting both formats from the same scan if downstream consumers need both.
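The following is an added example, not code from the page above or from the Syft, Grype or CycloneDX projects, covering the diff, correlation and gate steps together with the ordering gotcha. It keys components by purl with the version stripped, so a reordered component list diffs cleanly and an upgrade is reported as a version change; it then narrows a grype JSON result to the drifted components and applies an allowlist plus a severity threshold. The two SBOMs and the grype result are constructed inline in the shape of CycloneDX 1.5 and `grype -o json` output; the vulnerability IDs (EXAMPLE-000x), package versions and the allowlist are placeholders, not real advisories or project policy.

```python
import json

# Constructed minimal CycloneDX 1.5 documents standing in for two syft runs.
# Component order deliberately differs between them (see the ordering gotcha).
SBOM_V1 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11-1~deb12u2",
         "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "curl", "version": "7.88.1-10",
         "purl": "pkg:deb/debian/curl@7.88.1-10?arch=amd64&distro=debian-12"},
    ],
}
SBOM_V2 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "wget", "version": "1.21.3-1",
         "purl": "pkg:deb/debian/wget@1.21.3-1?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "openssl", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64&distro=debian-12"},
    ],
}

# Constructed fragment in the shape of `grype sbom:sbom-v2.cdx.json -o json`.
# EXAMPLE-000x are placeholder IDs, not real advisories.
GRYPE_V2 = {
    "matches": [
        {"vulnerability": {"id": "EXAMPLE-0001", "severity": "High"},
         "artifact": {"name": "wget", "purl": "pkg:deb/debian/wget@1.21.3-1?arch=amd64&distro=debian-12"}},
        {"vulnerability": {"id": "EXAMPLE-0002", "severity": "Low"},
         "artifact": {"name": "openssl", "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64&distro=debian-12"}},
        {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Critical"},
         "artifact": {"name": "requests", "purl": "pkg:pypi/requests@2.31.0"}},
    ]
}

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def purl_identity(purl):
    """Split a purl into (identity, version): qualifiers (?...) and subpath (#...)
    are dropped and the text after the last '@' is the version, so
    pkg:deb/debian/openssl@3.0.11... and @3.0.13... share one identity."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    name_part, _, version = base.rpartition("@")
    if not name_part:          # no '@' at all: purl carried no version
        return base, None
    return name_part, version


def index_components(sbom):
    """Map identity -> version for every component. Components without a purl
    fall back to type/name so they are still counted."""
    index = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if purl:
            ident, version = purl_identity(purl)
        else:
            ident, version = f"{comp.get('type')}/{comp['name']}", comp.get("version")
        index[ident] = version
    return index


def diff_sboms(old, new):
    """Order-independent diff: sorted lists of added/removed identities and
    (identity, old_version, new_version) triples for version changes."""
    a, b = index_components(old), index_components(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted((k, a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def drift_findings(diff, grype_json):
    """Keep only grype matches whose artifact is an added or version-changed
    component; findings on unchanged packages belong to the baseline scan."""
    drifted = set(diff["added"]) | {k for k, _, _ in diff["changed"]}
    hits = []
    for m in grype_json.get("matches", []):
        purl = m.get("artifact", {}).get("purl")
        if purl and purl_identity(purl)[0] in drifted:
            hits.append((m["vulnerability"]["id"], m["vulnerability"]["severity"], purl))
    return sorted(hits)


def gate(diff, grype_json, allowed_additions=frozenset(), fail_on="high"):
    """Return (ok, reasons). Fails on additions outside the allowlist and on
    drift findings at or above fail_on; unknown severities fail closed."""
    reasons = [f"unexpected component added: {i}" for i in diff["added"]
               if i not in allowed_additions]
    floor = SEVERITY_RANK[fail_on.lower()]
    for vid, sev, purl in drift_findings(diff, grype_json):
        if SEVERITY_RANK.get(sev.lower(), len(SEVERITY_RANK)) >= floor:
            reasons.append(f"{sev} {vid} in {purl}")
    return (not reasons), reasons


if __name__ == "__main__":
    d = diff_sboms(SBOM_V1, SBOM_V2)
    print(json.dumps(d, indent=2))
    ok, why = gate(d, GRYPE_V2, fail_on="high")
    print("PASS" if ok else "FAIL: " + "; ".join(why))
    raise SystemExit(0 if ok else 1)
```

Run as written, the gate fails twice: wget is an addition not on the (empty) allowlist, and its placeholder High finding crosses the threshold; the Critical on requests is ignored here because requests did not change, which is exactly what the drift-scoped check is for. In a real pipeline, load the two files syft wrote and grype's JSON in place of the inline dicts, and keep a whole-SBOM grype --fail-on run alongside this gate.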