| sitelink1 | https://github.com/anchore/syft |
|---|---|
| sitelink2 | https://github.com/anchore/syft?tab=read...umentation |
| sitelink3 | |
| sitelink4 | |
| extra_vars5 | |
| extra_vars6 |
Syft는 컨테이너 이미지 및 파일 시스템의 소프트웨어 자재 명세서(SBOM)를 생성하는 강력하고 사용하기 쉬운 오픈소스 도구입니다.
소프트웨어의 패키지 및 종속성에 대한 자세한 정보를 제공하여 취약점 관리, 라이선스 준수 및 소프트웨어 공급망 보안을 지원합니다.
* 기능
- binary와 meta file scan, dependency check (SBOM 생성)
- scan file type : binary, java-archive, swift 등등 github의 Supported Ecosystems 항목 참고 (소스 파일 자체를 스캔하는 것이 아님)
* installation
- wsl2(ubuntu) 실행
- mkdir syft
- cd syft
- sitelin1 을 참고하여 syft 설치
* run
- syft 폴더에서 다음과 같이 테스트
- ./syft /mnt/c/Repositories/[저장소] -o spdx-json@2.2=/mnt/c/Users/Syft/[저장소].sbom.spdx@2.2.json
- 자세한 사용 명령은 sitelink2 참고
* ./syft --help 출력 결과
Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems
Usage:
syft [SOURCE] [flags]
syft [command]
Examples:
syft scan alpine:latest a summary of discovered packages
syft scan alpine:latest -o json show all possible cataloging details
syft scan alpine:latest -o cyclonedx show a CycloneDX formatted SBOM
syft scan alpine:latest -o cyclonedx-json show a CycloneDX JSON formatted SBOM
syft scan alpine:latest -o spdx show a SPDX 2.3 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx@2.2 show a SPDX 2.2 Tag-Value formatted SBOM
syft scan alpine:latest -o spdx-json show a SPDX 2.3 JSON formatted SBOM
syft scan alpine:latest -o spdx-json@2.2 show a SPDX 2.2 JSON formatted SBOM
syft scan alpine:latest -vv show verbose debug information
syft scan alpine:latest -o template -t my_format.tmpl show a SBOM formatted according to given template file
Supports the following image sources:
syft scan yourrepo/yourimage:tag defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
syft scan path/to/a/file/or/dir a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory
You can also explicitly specify the scheme to use:
syft scan docker:yourrepo/yourimage:tag explicitly use the Docker daemon
syft scan podman:yourrepo/yourimage:tag explicitly use the Podman daemon
syft scan registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
syft scan docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
syft scan oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
syft scan oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
syft scan singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
syft scan dir:path/to/yourproject read directly from a path on disk (any directory)
syft scan file:path/to/yourproject/file read directly from a path on disk (any single file)
Available Commands:
attest Generate an SBOM as an attestation for the given [SOURCE] container image
cataloger Show available catalogers and configuration
completion Generate the autocompletion script for the specified shell
config show the syft configuration
convert Convert between SBOM formats
help Help about any command
login Log in to a registry
scan Generate an SBOM
version show version information
Flags:
--base-path string base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
-c, --config stringArray syft configuration file(s) to use
--enrich stringArray enable package data enrichment from local and online sources (options: all, golang, java, javascript)
--exclude stringArray exclude paths from being scanned using a glob expression
--file string file to write the default report output to (default is STDOUT) (DEPRECATED: use: --output FORMAT=PATH)
--from stringArray specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
-h, --help help for syft
-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json purls spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
--override-default-catalogers stringArray set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
--parallelism int number of cataloger workers to run in parallel
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--profile stringArray configuration profiles to use
-q, --quiet suppress all logging output
-s, --scope string selection of layers to catalog, options=[squashed all-layers deep-squashed] (default "squashed")
--select-catalogers stringArray add, remove, and filter the catalogers to be used
--source-name string set the name of the target being analyzed
--source-version string set the version of the target being analyzed
-t, --template string specify the path to a Go template file
-v, --verbose count increase verbosity (-v = info, -vv = debug)
--version version for syft
Use "syft [command] --help" for more information about a command.
