← SCA Tools Feed
Syft
コンテナイメージとファイルシステム向けSBOM生成ツール。
基本情報
機能
機能
対応
コンテナスキャン
✅
言語/ライブラリスキャン
✅
SBOM生成
✅
ポリシー評価
❌
IaCスキャン
❌
シークレット検出
❌
ライセンススキャン
✅
ビルドツールプラグイン
❌
APIサーバー
❌
SSH無エージェントスキャン
❌
ダッシュボード
❌
集中管理
❌
機能一覧の情報源: 公式ドキュメント
リリース履歴
情報源: https://github.com/anchore/syft/releases
v1.46.0 — 2026-06-26 bugfix
v1.46.0
Added Features
Add purl types to cataloger info cmd [PR #4984 @wagoodman]
Python cataloger misses uv PEP 723 script lockfiles (*.py.lock) [Issue #4949 ] [PR #4950 @ktopcuoglu]
Add bin classifier for Elastic agen [Issue #4973 ] [PR #4968 @rezmoss]
SPDX 3 Support [Issue #4250 ] [PR #4269 @kzantow]
Add Deno support [Issue #4417 ] [PR #4523 @rezmoss]
Catalog Elastic Beats binary [Issue #4961 ] [PR #4969 @rezmoss]
Add binary classifiers for Elastic Beats [Issue #4972 ] [PR #4969 @rezmoss]
Catalog elastic-agent binary [Issue #4962 ]
Add support for Bun lockfile (bun.lock) [Issue #4617 ] [PR #4625 @hnnynh]
Add .bpl file support to the PE / DLL cataloger [Issue #4664 ] [PR #4954 @jfjrh2014]
Bug Fixes
respect arch qualifier [PR #4987 @willmurphyscode]
Preserve dependency edges when a compliance stub changes a package ID [PR #4993 @wagoodman]
Support envoy binary various versions [Issue #4590 ] [PR #4605 @rezmoss]
.net deps.json cataloger shows phantom pkgs for reference assembly library entries [Issue #4970 ] [PR #4971 @rezmoss]
Syft does not extract package licenses from opkg manager [Issue #4940 ] [PR #4963 @Dashtid]
squashfs breaks with godisk-fs 1.8.0 [Issue #4718 ]
requirements.txt cataloger silently drops PEP 440 local version identifiers, producing incorrect PURL [Issue #4958 ] [PR #4959 @kzantow]
Dependencies
34 dependency changes (31 updated, 3 added). 5 vulnerabilities remediated.
🟢 Remediated (5)
Updated (31 packages)
- github.com/ProtonMail/go-crypto `v1.4.0` → `v1.4.1`
- github.com/anchore/bubbly `v0.2.0` → `v0.2.1`
- github.com/anchore/clio `v0.1.0` → `v0.1.1`
- github.com/anchore/fangs `v0.1.0` → `v0.1.1`
- github.com/anchore/go-collections `v0.1.0` → `v0.1.1`
- github.com/anchore/go-homedir `v0.1.0` → `v0.1.1`
- github.com/anchore/go-logger `v0.1.0` → `v0.1.1`
- github.com/anchore/go-lzo `v0.1.0` → `v0.1.1`
- github.com/anchore/go-macholibre `v0.1.0` → `v0.1.1`
- github.com/anchore/go-make `v0.5.0` → `v0.8.0`
- github.com/anchore/go-struct-converter `v0.1.0` → `v0.2.0-rc2`
- github.com/anchore/go-sync `v0.1.0` → `v0.1.1`
- github.com/anchore/stereoscope `v0.2.1` → `v0.2.2`
- github.com/charmbracelet/colorprofile `v0.4.1` → `v0.4.3`
- github.com/clipperhouse/displaywidth `v0.10.0` → `v0.11.0`
- github.com/clipperhouse/uax29/v2 `v2.6.0` → `v2.7.0`
- github.com/containerd/containerd/v2 `v2.3.1` → `v2.3.2` **(🟢 remediated [GHSA-33vj-92qq-66hc](https://github.com/advisories/GHSA-33vj-92qq-66hc), [GHSA-cvxm-645q-p574](https://github.com/advisories/GHSA-cvxm-645q-p574), [GHSA-jpcc-p29g-p8mq](https://github.com/advisories/GHSA-jpcc-p29g-p8mq), [GHSA-rgh6-rfwx-v388](https://github.com/advisories/GHSA-rgh6-rfwx-v388), [GHSA-xhf5-7wjv-pqxp](https://github.com/advisories/GHSA-xhf5-7wjv-pqxp))**
- github.com/docker/cli `v29.4.3+incompatible` → `v29.5.3+incompatible`
- github.com/google/go-containerregistry `v0.21.6` → `v0.21.7`
- github.com/jedib0t/go-pretty/v6 `v6.7.10` → `v6.8.1`
- github.com/mattn/go-runewidth `v0.0.19` → `v0.0.21`
- github.com/spdx/tools-golang `v0.5.7` → `v0.6.0-rc4`
- github.com/sylabs/sif/v2 `v2.24.0` → `v2.24.1`
- golang.org/x/crypto `v0.52.0` → `v0.53.0`
- golang.org/x/mod `v0.36.0` → `v0.37.0`
- golang.org/x/net `v0.55.0` → `v0.56.0`
- golang.org/x/sync `v0.20.0` → `v0.21.0`
- golang.org/x/sys `v0.45.0` → `v0.46.0`
- golang.org/x/term `v0.43.0` → `v0.44.0`
- golang.org/x/text `v0.37.0` → `v0.38.0`
- golang.org/x/tools `v0.45.0` → `v0.46.0`
Added (3 packages)
- github.com/piprate/json-gold `v0.7.0`
- github.com/pquerna/cachecontrol `v0.0.0-1555304`
- github.com/tailscale/hujson `v0.0.0-ecc657c`
(Full Changelog)
v1.45.1 — 2026-06-05 bugfix
v1.45.1
Bug Fixes
bump stereoscope to pull in fix for registry client hanging [#4934 @anchore-oss-update-bot]
(Full Changelog)
v1.45.0 — 2026-06-02 bugfix
v1.45.0
Added Features
Add support for ZapAddOns as jar files [#4654 #4932 @douglasclarke]
MySQL binary classifier should distinguish between MySQL Cluster (ndb) and MySQL [#3297 #4907 @witchcraze]
Catalog ingress-nginx binary [#4818 #4857 @witchcraze]
Bug Fixes
Support helm binary various versions [#4820 #4922 @witchcraze]
Support julia binary various versions [#4867 #4945 @witchcraze]
Support deno binary old versions [#4865 #4939 @witchcraze]
Compressed kernel modules are not scanned by the linux-kernel-cataloger [#4721 #4740 @will-bates11]
Yarn Berry lockfile parser incorrectly deduplicates packages with multiple resolutions [#4691 #4838 @calumleslie]
Possible misdetection of AWS-LC as OpenSSL 1.1.1 [#4539 #4882 @witchcraze]
Support elixir binary rc versions [#4819 #4851 @ChrisJr404]
Exclude path ending with a slash are discarded [#4839 #4892 @ChrisJr404]
Incorrect CPE for .NET Runtime [#4738 #4743 @PGrayCS]
fix parsing of debian/copyright files [#4708 #4754 @Bahtya]
Grype ignores python requirements in arbitrary equality (===) format [#4834 #4835 @cyphercodes]
valkey is detected as both of valkey and redis [#4591 #4619 @witchcraze]
TypeByName missing "nuget" case causes UnknownPkg when reading SPDX SBOMs [#4837 #4848 @ChrisJr404]
Additional Changes
hoist name normalization regexp to package level [#4926 @matiasinsaurralde]
bump the actions-minor-patch group across 1 directory with 6 updates [#4946 @dependabot]
bump the actions-minor-patch group across 2 directories with 2 updates [#4936 @dependabot]
bump the actions-minor-patch group across 1 directory with 4 updates [#4927 @dependabot]
bump the actions-minor-patch group across 1 directory with 2 updates [#4920 @dependabot]
bump the actions-minor-patch group across 1 directory with 2 updates [#4897 @dependabot]
update CPE dictionary index [#4831 @anchore-oss-update-bot]
(Full Changelog)
v1.44.0 — 2026-05-01 bugfix
v1.44.0
Added Features
Add support for linux-riscv64 [#4757 @luhenry]
Bug Fixes
Yarn lockfile cataloguing does not handle aliases [#4833 #4836 @cyphercodes]
Some snippet files are saved in the previous test directory [#4829 #4830 @witchcraze]
empty rockspec causes index out of range [#4824 #4827 @aki1770-del]
PE cataloger shows asp.net core ref assemblies using fileversion build stamp instead of productversion [#4813 #4814 @rezmoss]
Syft safeCopy silently swallows archive decompression errors [#4806 #4807 @SAY-5]
(Full Changelog)
v1.43.0 — 2026-04-22 bugfix
v1.43.0
Added Features
added deno bin classifiers [#4677 @rezmoss]
Support haskell old versions [#3237 #4793 @witchcraze]
Add support for OpenLDAP binary detection [#4768 #4755 @nadimz]
Support erlang ols versions [#3235 #4766 @witchcraze]
Bug Fixes
improve redhat-release parsing fallback for RHEL clones [#4808 @westonsteimel]
fix format string in search results struct [#4775 @willmurphyscode]
prevent infinite recursion in Document.UnmarshalJSON with encoding/json/v2 [#4748 @benja-M-1]
Syft can not complete scanning golang image [#4686 ]
javascript-package-cataloger drops entire package.json when authors/contributors/maintainers is a single string [#4778 #4779 @yoav-orca]
pnpm lock file cataloger produces unstable output [#4648 #4765 @lawrence3699]
Linux Kernel bzImage and zImage not cataloged by linux-kernel-cataloger [#4769 #4751 @nadimz]
Support istio binary (pilot-discovery, pilot-agent) alpha,beta,rc,dev version [#4546 #4645 @witchcraze]
Scanning mounted ISO: duplicate entries [#4759 ]
Additional Changes
update CPE dictionary index [#4767 @anchore-oss-update-bot]
(Full Changelog)
v1.42.4 — 2026-04-08 bugfix
v1.42.4
Bug Fixes
Similar Packages Should Be Aggregated [#1162 ]
Support arangodb binary recent version [#4571 #4662 @witchcraze]
Support go binary various versions [#4687 #4694 @kzantow]
Additional Changes
update CPE dictionary index [#4745 @anchore-oss-update-bot]
update CPE dictionary index [#4726 @anchore-oss-update-bot]
Add a trust boundary section [#4716 @joshbressers]
(Full Changelog)
v1.42.3 — 2026-03-19 bugfix
v1.42.3
Bug Fixes
Missing secondary evidence for .NET dependency in ghcr.io/open-telemetry/demo:2.0.0-accounting image [#4652 ]
Additional Changes
bump github.com/buger/jsonsparser to v1.1.2 [#4680 @willmurphyscode]
centralize temp files and prefer streaming IO [#4668 @willmurphyscode]
(Full Changelog)
v1.42.2 — 2026-03-09 bugfix
v1.42.2
Bug Fixes
[BUG] Incorrect Maven PURL generation: Automatic-Module-Name should not be used as Maven groupId [#4611 #4642 @xnox]
Checksum is 0 for spdx files [#2307 #4620 @ppalucha]
Support grafana binary various versions [#4559 #4635 @witchcraze]
Additional Changes
migrate fixtures to testdata [#4651 @wagoodman]
(Full Changelog)
v1.42.1 — 2026-02-18 security
v1.42.1
Bug Fixes
Use redhat as namespace for hummingbird rpms [#4615 @scoheb]
False Positive: Emacs snap package version CVE-2024-39331 [#4485 ]
Additional Changes
call cleanup on tmpfile and replace some io.ReadAlls with streams [#4629 @willmurphyscode]
bumps go mod version to 1.25; ci takes latest patch [#4628 @spiffcs]
(Full Changelog)
v1.42.0 — 2026-02-10 feature
v1.42.0
Added Features
Add support for scanning GGUF models from OCI registries [#4335 @spiffcs]
yarn lockfile scan doesnt catch dev dependencies [#4548 #4549 @rezmoss]
Additional Changes
CPE detection for APK libavif to use aomedia vendor [#4597 @naag]
(Full Changelog)
v1.41.2 — 2026-02-03 bugfix
v1.41.2
Bug Fixes
further improve go binary classifier, including windows [#4593 @kzantow]
Wrong format in license [#4233 #4588 @spiffcs]
Cannot detect installation of Qt6 [#4467 #4550 @rezmoss]
bug: Syft mis-identifies binary as deb inside a snap [#4486 #4500 @popey]
(Full Changelog)
v1.41.1 — 2026-01-29 bugfix
v1.41.1
Bug Fixes
[Bug Report] Missing some dependencies on cyclonedx formatted SBOM using syft [#4562 #4573 @spiffcs]
(Full Changelog)
v1.41.0 — 2026-01-27 bugfix
v1.41.0
Added Features
detect Debian version from /etc/debian_version [#4569 @kzantow]
Bug Fixes
correctly report supporting evidence for binary packages [#4558 @kzantow]
(Full Changelog)
v1.40.1 — 2026-01-15 bugfix
v1.40.1
[!Important]
This release bumps github.com/containerd/containerd to v2, which will cause compiler errors if used alongside other dependencies that use v1 of containerd. See https://github.com/anchore/stereoscope/pull/495 for a detailed discussion.
Bug Fixes
mongodb binary not detected manual/source install [#4540 #4541 @rezmoss]
(Full Changelog)
v1.40.0 — 2026-01-08 bugfix
v1.40.0
Added Features
Exclude development or test dependencies for PNPM Package type [#4430 #4487 @rezmoss]
Catalog istio binary (pilot-discovery, pilot-agent) [#4508 #4521 @witchcraze]
Catalog envoy binary [#4506 #4530 @witchcraze]
Catalog grafana binary [#4505 #4516 @witchcraze]
Add a binary classifier for valkey [#3400 #4509 @witchcraze]
Bug Fixes
old bitnami images without spdx files arent getting picked up correctly in the catalog [#4529 #4532 @rezmoss]
wrong traefik rc versions at binary detection [#3535 #4499 @rezmoss]
FromPOSIX() in internals\windows\path.go assumes that all Windows root paths must have a colon terminator [#4070 #4075 @luissantosHCIT]
binary cataloger is picking up the go version instead of the actual binary version in traefik experimental images [#4498 #4499 @rezmoss]
(Full Changelog)
v1.39.0 — 2025-12-22 bugfix
v1.39.0
Added Features
add support for Gemfile.next.lock [#4457 @HatiCode]
Command output to give more information on what catalogers look for and what they can find [#4155 #4317 @wagoodman]
Support reading lzma compressed .go.buildinfo sections with upx [#4411 #4480 @wagoodman]
Specify specific snap revision to pull [#4389 #4439 @VictorHuu]
Cannot detect embedded deps.json metadata in single-file .NET binaries [#4344 #4375 @rezmoss]
ELF note cataloger does not pick up OS field, but should [#4384 #4438 @VictorHuu]
Bug Fixes
remove debug print statement in dependency parser [#4412 @cgreeno]
dotnet-deps cataloger should skip project references with type "project" when building the sbom [#4423 #4436 @rezmoss]
File digests not computed when using --base-path [#4410 #4478 @wagoodman]
Syft should not define subpaths by default in PURLs [#4394 #4395 @rezmoss]
go: valid purl but incorrect name [#1737 #4395 @rezmoss]
Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) [#4316 #4395 @rezmoss]
Failing to convert npm repository information correctly to SPDX [#4362 #4390 @kendrickm]
(Full Changelog)
v1.38.2 — 2025-12-09 bugfix
v1.38.2
Bug Fixes
drop cpe from gguf [#4383 @spiffcs]
emit lua rockspec dependencies in metadata [#4376 @willmurphyscode]
Invalid SBOMs are created when GO replace directive is used [#4415 #4419 @VictorHuu]
Incorrect CPE for Vercel's Next js [#4443 #4450 @willmurphyscode]
v1.38.0 generates empty sbom for tgz sources [#4416 #4421 @VictorHuu]
Syft: The dependency graph does not include all Requires-Dist relationships defined in the package’s METADATA file [#4401 #4408 @willmurphyscode]
(Full Changelog)
v1.38.0 — 2025-11-17 bugfix
v1.38.0
Added Features
add support for cataloging GGUF models [#4184 #4279 @spiffcs]
Support scanning a list of CPEs [#3890 #4207 @chovanecadam]
Syft does not detect Elixir binary on system [#4333 #4334 @rezmoss]
Bug Fixes
Support extras statements in Python PDM cataloger [#4352 @wagoodman]
Preserve --from argument order [#4350 @wagoodman]
SBOM generated by Syft 1.28 contains license elements missing id or name (causing CycloneDX parser error) [#4363 ]
empty PURL output in dependency snapshot format breaks sbom-action [#4311 ]
Interface includes constraint elements, can only be used in type parameters [#4346 ]
Upgrade github.com/nwaples/rardecode@v1.1.3 to 2.2.1 [#4338 ]
Upgrade to Golang 1.25.4 [#4341 ]
Additional Changes
migrate syft to use mholt/archives instead of anchore fork [#4029 @Rupikz]
Add license enrichment from pypi to python packages [#4295 @timols]
license file search [#4327 @kzantow]
(Full Changelog)
v1.37.0 — 2025-11-03 bugfix
v1.37.0
Added Features
Refactor fileresolver to not require base path [#4298 @Rupikz]
Describe cataloger capabilities via test observations [#4318 @wagoodman]
Support Java resource adapter extension .far as a Java archive [#4183 #4193 @kyounghunJang]
Add Java resource adapter extension ".rar" as supported Java archive [#4136 #4137 @thomassui]
Bug Fixes
fix empty PURL Github format [#4312 @rezmoss]
Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries [#4308 @kdt523]
Respect "rpmmod" PURL qualifier [#4314 @willmurphyscode]
fix dpkg packages that are in deinstalled state should not be in SBOM [#3063 #4231 @rkirk-nos]
(Full Changelog)
v1.36.0 — 2025-10-22 bugfix
v1.36.0
Added Features
Add the ability to fetch remote licenses for pnpm-lock.yaml files [#4286 @timols]
support universal (fat) mach-o binary files [#4278 @JoeyShapiro]
pdm support [#2709 #4234 @paulslaby]
Bug Fixes
Remove duplicate image source providers [#4289 @Rupikz]
syft can't extract go module information from executables on Windows [#4271 #4285 @JoeyShapiro]
(Full Changelog)
v1.34.2 — 2025-10-16 bugfix
v1.34.2
Bug Fixes
Extract zip archive with multiple entries [#4283 @Rupikz]
panic while resolving maven properties in archive parser [#4288 #4290 @kzantow]
(Full Changelog)
v1.34.1 — 2025-10-15 bugfix
v1.34.1
Added Features
feat: enhance setup.py parser to handle unquoted dependencies [#4255 @HalaAli198]
feat: support for identifying ffmpeg/libav libraries [#4227 @popey]
feat: PNPM latest lockfile (version 9.0) [#3927 #4256 @bernardoamc]
Add Windows ARM64 releases [#4179 #4237 @compnerd]
Bug Fixes
fix: SBOM CPE mismatch for Qt5 causes Grype to miss CVE matches [#4036 #4093 @hawkaii]
fix: use of manifest files present in Snap packages when generating SBOMs [#4147 #4151 @popey]
fix: Pom xml only archive parser [#4272 @douglasclarke]
(Full Changelog)
v1.33.0 — 2025-09-15 feature
v1.33.0
Added Features
Modify RpmDBEntry to include modularityLabel for cyclonedx [#4212 @sfc-gh-rmaj]
Add locations onto packages read from Java native image SBOMs [#4186 @rudsberg]
(Full Changelog)
v1.32.0 — 2025-08-26 bugfix
v1.32.0
Added Features
Catalog entire build list for Go projects, not just packages listed in go.mod [#432 #4127 @spiffcs]
package.json authors keyword parsing [#2250 #4003 @popey]
Conda ecosystem support (basic) [#4002 @SimeonStoykovQC]
Bug Fixes
When scanning the FFmpeg binary with Syft a new package is now added [#3988 #3994 @popey]
Warn loudly if SQLite driver is not present when needed [#3234 #4150 @kzantow]
Additional Changes
Update dependencies to use go.yaml.in/yaml [#4157 @n-bes]
(Full Changelog)
v1.31.0 — 2025-08-13 bugfix
v1.31.0
Added Features
Option to set PackageSupplier in root of SPDX document generated by CLI [#3098 #4131 @spiffcs]
Bug Fixes
closed reader during java binary detection [#4129 @kzantow]
support multiple letters in openssl patch version [#4106 @honigbot]
Can not have license ID [#1964 #4132 @spiffcs]
Syft sometimes reports URL for license value when scanning JARs with a URL in Bundle-License field of manifest [#3186 ]
(Full Changelog)
v1.30.0 — 2025-08-08 bugfix
v1.30.0
Added Features
add binary classifier for hashicorp vault [#4121 @willmurphyscode]
Bug Fixes
fix: update nondeterministic Java archive cataloging and improve groupID [#3521 #4118 @kzantow]
(Full Changelog)
v1.29.1 — 2025-07-30 bugfix
v1.29.1
Bug Fixes
Missing license information for tzdata [#4102 ]
Improve JVM Scan Accuracy for JDK and JRE Detection [#4071 #4046 @kzantow]
Azul JDK classified as Oracle JRE [#3893 #4046 @kzantow]
(Full Changelog)
v1.29.0 — 2025-07-21 feature
v1.29.0
Added Features
Catalog python uv.lock files [#3268 #3763 @jkugler]
Additional Changes
Pkg Metadata type unmarshal bug [#4043 @houdini91]
(Full Changelog)
v1.28.0 — 2025-07-02 feature
v1.28.0
Added Features
add native support for snap packages [#1088 #3929 @wagoodman]
Additional Changes
upgrade tablewriter dependency to use new API [#3990 @cpanato]
(Full Changelog)
v1.27.1 — 2025-06-12 bugfix
v1.27.1
Bug Fixes
Allow decoding of enterprise-modified anchorectl json files [#3997 @wagoodman]
Allow decoding of anchorectl json files [#3973 @wagoodman]
Additional Changes
provide separate nonroot image [#3998 @kzantow]
(Full Changelog)
v1.27.0 — 2025-06-09 bugfix
v1.27.0
Added Features
add syft schema version to version command [#3949 @spiffcs]
Bug Fixes
Remove CPE product candidates for phf, prometheus, hyper and Rust crates [#3967 @jayvdb]
Remove CPE product candidates for opentelemetry and redis Rust crates [#3962 @jayvdb]
Harden Container Runtime with Non-Root User [#3941 @MikeTheCyberGuy]
terraform provider lock entries should not require constraints [#3934 @ghouscht]
sbom cataloger returning upstream package [#3662 #3981 @kzantow]
Syft missing md5 sums and list data for dpkg packages under status.d/ [#3912 ]
Failure to detect dependency relationships between Python packages [#3958 #3965 @christoph-blessing]
Heavy memory consumption when directory scanning deb source [#3928 #3953 @kzantow]
In versions 1.25.0 and later, graalvm-native-image-cataloger adds 3-6 hours to Syft [#3942 #3944 @kzantow]
Syft incorrectly reports multiple APKs as parents of symlinked files [#3847 #3923 @luhring]
(Full Changelog)
A HUGE thank you to @rezmoss for his help identifying and solving an issue causing excessive time and memory consumption with large numbers of symlinks! ❤️
v1.26.1 — 2025-05-22 bugfix
v1.26.1
Bug Fixes
Dotnet deps binary cataloger hangs [#3919 #3930 @kzantow]
(Full Changelog)
v1.26.0 — 2025-05-20 bugfix
v1.26.0
Added Features
Read version resources from non-.NET DLLs and executables [#3842 #3911 @wagoodman]
Bug Fixes
pkg.JavaArchive.PomProperties is being populated even though no pom.properties file was present for analysis [#3922 @wagoodman]
syft 1.24.0 debug container - wget fails TLS [#3891 #3915 @spiffcs]
(Full Changelog)
2026-07-10 22:23 UTC 時点の情報