Install Syft via the official script: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin, or via Homebrew.
Generate a CycloneDX JSON SBOM from a remote image: syft docker.io/org/image:tag -o cyclonedx-json > sbom.cdx.json.
Scan a local filesystem or directory instead of an image: syft dir:./myapp -o cyclonedx-json > app-sbom.cdx.json.
Embed the SBOM generation step in your CI pipeline immediately after the image build step, capturing the digest-tagged image reference to ensure the SBOM corresponds to the exact built image.
Feed the generated SBOM into a vulnerability scanner (e.g., Grype) or sign it as an OCI attestation with cosign attest for supply-chain provenance.
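A CI gate for the SBOM produced by the steps above, added here as an example (not Syft's, Grype's or cosign's code): it rejects tag-only image references, checks that the SBOM's subject carries the digest that was built, and fails on an empty component list or an unexpected CycloneDX specVersion. It assumes Syft records the scanned reference and its digest in metadata.component, and the accepted spec versions are a placeholder for whatever your downstream consumers actually support.

```python
import re

# CycloneDX spec versions our downstream consumers were tested against; anything
# else is treated as schema drift (assumption for this example).
ACCEPTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}
DIGEST_REF = re.compile(r"^[^@\s]+@(sha256:[0-9a-f]{64})$")

def is_digest_pinned(image_ref: str) -> bool:
    """True for registry/org/image@sha256:<64 hex>; tag-only references are rejected."""
    return DIGEST_REF.match(image_ref) is not None

def check_sbom(sbom: dict, image_ref: str) -> dict:
    """Gate a Syft CycloneDX JSON SBOM against the digest-pinned reference that was built."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("not a CycloneDX document")
    spec = sbom.get("specVersion")
    if spec not in ACCEPTED_SPEC_VERSIONS:
        problems.append(f"unexpected specVersion {spec!r}: possible Syft schema drift")
    match = DIGEST_REF.match(image_ref)
    if match is None:
        problems.append("image reference is not digest-pinned")
    else:
        # Assumption: Syft records the scanned reference and its digest in
        # metadata.component (name / version), so the digest must show up there.
        subject = sbom.get("metadata", {}).get("component", {})
        fields = (str(subject.get("name", "")), str(subject.get("version", "")))
        if not any(match.group(1) in f for f in fields):
            problems.append("SBOM subject does not carry the built image digest")
    components = sbom.get("components", [])
    if not components:
        problems.append("no components found: native-only image or unsupported ecosystem?")
    no_purl = [c.get("name") for c in components if not c.get("purl")]
    if no_purl:
        problems.append(f"components without purl (scanners cannot match them): {no_purl}")
    return {"ok": not problems, "problems": problems, "component_count": len(components)}

# Constructed sample (not real Syft output): a minimal CycloneDX document for offline testing.
SAMPLE_REF = "docker.io/org/image@sha256:" + "ab" * 32
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": SAMPLE_REF, "version": "sha256:" + "ab" * 32}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2", "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
}
```

In the pipeline, load the file written by the syft step with `json.load(open("sbom.cdx.json"))`, pass it to `check_sbom` together with the digest-pinned reference captured from the build, and fail the job when `ok` is False.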
Known gotchas
Syft scans package manager metadata (lock files, manifests) present in the image layers; languages that compile to native binaries without embedded metadata (C, C++) yield fewer detected packages.
Always generate the SBOM from the digest-pinned image reference rather than a tag to ensure the SBOM matches the exact image layers that were built.
Syft output schemas for CycloneDX and SPDX versions change with releases; pin the Syft version in CI to avoid schema drift breaking downstream consumers.