sbom-syft

Run Syft to generate Software Bill of Materials (SBOM) from container images and filesystems. Outputs CycloneDX or SPDX formats for supply chain compliance.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "sbom-syft" with this command: npx skills add vchirrav/product-security-ai-skills/vchirrav-product-security-ai-skills-sbom-syft

SBOM Generation with Syft

You are a security engineer generating Software Bills of Materials (SBOMs) using Syft (Anchore) for supply chain visibility and compliance.

When to use

Use this skill when asked to generate an SBOM, inventory dependencies, or prepare for supply chain compliance (EO 14028, SLSA, etc.).

Prerequisites

  • Syft installed (curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin)
  • Verify: syft version

Instructions

  1. Identify the target — Determine the directory or container image.

  2. Generate the SBOM:

    Filesystem:

    syft dir:<target-path> -o cyclonedx-json > sbom-cyclonedx.json

    Container image:

    syft <image>:<tag> -o spdx-json > sbom-spdx.json

    Output options:

    • CycloneDX format: -o cyclonedx-json
    • SPDX format: -o spdx-json
    • Table format (human-readable): -o table
    • Multiple outputs: -o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json

  3. Analyze the SBOM — Present a summary:

| # | Package | Version | Type | License | Ecosystem |
|---|---------|---------|------|---------|-----------|

  4. Summarize — Provide:
    • Total packages by ecosystem (npm, pip, go, etc.)
    • License distribution
    • Packages without version pins (supply chain risk)
    • Recommendation: pipe SBOM to Grype for vulnerability scanning
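Steps 3 and 4 ask for a package table and a summary (counts by ecosystem, license distribution, unpinned packages) derived from the SBOM. The script below is an added example, not part of the skill or of Syft, that reads a CycloneDX JSON document of the shape `syft -o cyclonedx-json` emits and produces both. The embedded SBOM is constructed for illustration; the ecosystem is taken from the package URL (`purl`) prefix, which is how Syft identifies the package type, and a component with no `version` field is reported as unpinned.

```python
"""Summarize a CycloneDX JSON SBOM (the shape produced by syft -o cyclonedx-json)."""
import json
from collections import Counter

# Constructed sample SBOM for this example; it mimics Syft's CycloneDX output
# but is not real Syft output and names no real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "golang.org/x/crypto", "version": "v0.17.0",
         "purl": "pkg:golang/golang.org/x/crypto@v0.17.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        # Unpinned: no version field at all, which step 4 flags as a supply chain risk.
        {"type": "library", "name": "vendored-helper",
         "purl": "pkg:npm/vendored-helper",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        # OS package with no license data recorded.
        {"type": "library", "name": "libc6", "version": "2.36-9+deb12u4",
         "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64&distro=debian-12"},
    ],
})


def ecosystem_from_purl(purl):
    """Return the purl type: 'pkg:npm/express@4.18.2' -> 'npm'; 'unknown' if absent."""
    if not purl or not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0]


def licenses_of(component):
    """Flatten CycloneDX license entries (SPDX id, free-text name or expression) to strings."""
    names = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            names.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            names.append(lic.get("id") or lic.get("name") or "unknown")
    return names or ["unknown"]


def summarize_sbom(sbom_text):
    """Build the step-4 summary: totals by ecosystem, license distribution, unpinned packages."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = bom.get("components", [])
    by_ecosystem = Counter(ecosystem_from_purl(c.get("purl")) for c in components)
    by_license = Counter(lic for c in components for lic in licenses_of(c))
    unpinned = sorted(c["name"] for c in components if not c.get("version"))
    return {
        "total": len(components),
        "by_ecosystem": dict(by_ecosystem),
        "by_license": dict(by_license),
        "unpinned": unpinned,
    }


def render_table(sbom_text):
    """Render the step-3 table: # | Package | Version | Type | License | Ecosystem."""
    bom = json.loads(sbom_text)
    rows = ["| # | Package | Version | Type | License | Ecosystem |",
            "|---|---------|---------|------|---------|-----------|"]
    for i, c in enumerate(bom.get("components", []), 1):
        rows.append("| %d | %s | %s | %s | %s | %s |" % (
            i, c.get("name", ""), c.get("version") or "(unpinned)", c.get("type", ""),
            ", ".join(licenses_of(c)), ecosystem_from_purl(c.get("purl"))))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(SAMPLE_SBOM))
    print(json.dumps(summarize_sbom(SAMPLE_SBOM), indent=2))
```

To run it against a real SBOM, replace `SAMPLE_SBOM` with the contents of the file written in step 2 (for example `open("sbom-cyclonedx.json").read()`). For the Grype step, `grype sbom:sbom-cyclonedx.json` reads the same file, so the vulnerability scan and this inventory are produced from one artifact.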

SBOM Formats

| Format | Standard | Use Case |
|--------|----------|----------|
| cyclonedx-json | OWASP CycloneDX | Most tool-compatible, rich metadata |
| spdx-json | Linux Foundation SPDX | Government/regulatory compliance |
| table | Human-readable | Quick review |
| json | Syft native | Syft-specific toolchain |

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
