sbom-syft
Generate Software Bill of Materials (SBOM) for container images and filesystems using Syft. Supports 28+ ecosystems, multiple formats like CycloneDX and SPDX, and integration into CI/CD for supply chain security.
Introduction
The sbom-syft skill enables AI coding agents to generate comprehensive Software Bills of Materials (SBOM) for container images, archives, and local filesystems. By leveraging the industry-standard Syft CLI, this tool provides deep visibility into your software composition, ensuring that every package, dependency, and library is tracked across more than 28 ecosystems, including Go, Python, Java, JavaScript, and native Linux distributions. It is an essential component for developers, DevSecOps engineers, and security auditors who need to maintain accurate inventory for vulnerability management and supply chain transparency.
- Automatically catalog package dependencies from container layers, source code directories, and binary archives.
- Support for industry-standard output formats, including CycloneDX (JSON/XML), SPDX (JSON/Tag-Value), and native syft-json for detailed analysis.
- Produce cryptographically signed SBOM attestations with cosign so that consumers can verify software provenance.
- Integrate with vulnerability scanners such as Grype to correlate SBOM contents with known CVEs and other security risks.
- Support for complex environments, including multi-architecture container images and nested dependency trees.
- Use this skill to establish security transparency in CI/CD pipelines by generating SBOM artifacts at build time.
- Ensure license compliance by auditing the third-party dependencies detected during scanning.
- Combine with vulnerability management workflows to prioritize remediation based on package metadata and dependency depth.
- Configure scanning behavior via .syft.yaml to include or exclude specific paths, manage registry authentication, or adjust cataloging scope.
- Ideal for projects that must meet federal or industry standards such as NIST or OWASP guidance for software supply chain security.
Repository Stats
- Stars: 126
- Forks: 20
- Open Issues: 15
- Language: Python
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 1, 2026, 08:20 AM