syft

Official, Agent-ready, Infra, Security

SBOMs, package inventory, and supply chain from the terminal.

The official CLI from Anchore. SBOMs, package inventory, and supply chain from the terminal. Supports structured output — good for scripts and agents.

Task fit

SBOMs, package inventory, and supply chain from the terminal.

Lane

Work with Kubernetes, Terraform, containers, and ops tooling with more confidence.

Operator brief

Use syft for SBOMs, package inventory, and supply chain from the terminal.

Run `syft dir:.` and see what comes back.

Repository family

Anchore

First trust check

syft responds locally and is ready for the first real command.

Safe first loop

Install, verify, then run one real command.

Infra inspection loop

Install command

$ brew install syft

Verify

$ syft --version

syft responds locally and is ready for the first real command.

First real command

$ syft dir:.

First steps

  1. Install syft.
  2. Run `syft --version` first.
  3. Start with `syft dir:.`.
  4. Install the infra CLI and verify kubeconfig, Docker context, or cloud credentials.

When to use / hold off when

Best for

SBOMs, package inventory, and supply chain from the terminal.

Use this when

You want security scanning you can script with structured output.

Hold off when

You don't work with security scanning.

Trust and constraints

Automation-ready: 100/100
Official, Install ready, Automation-ready
JSON output: Yes
Non-interactive: Yes
CI-friendly: Yes

Why operators pick it

  • syft fits infra well, especially for SBOMs, package inventory, and supply chain from the terminal.
  • It is the official CLI from Anchore.
  • Good for scripts and agents.

Constraints

  • Run the verify command first.

Facts and links

Install with: brew
Homebrew installs (30d): 3K
GitHub stars: 8.6K
License: Apache-2.0
Updated: Mar 25, 2026