Grype & Syft SBOM Scanner
Generate SBOMs and scan for known vulnerabilities with Anchore's Syft and Grype. Build accurate software bills of materials for container images and filesystems, scan them for CVEs, track dependency exposure over time, and enforce vulnerability policies in CI.
Syft produces detailed SBOMs (SPDX/CycloneDX) and Grype scans them for known vulnerabilities. This skill helps you generate SBOMs for images and source trees, scan for CVEs with configurable severity gates, ignore accepted findings, and integrate SBOM + vulnerability checks into your build pipeline for supply chain visibility.
When to use
Use to generate SBOMs for container images or repos, scan them for CVEs, manage vulnerability exceptions, and enforce supply chain policies in CI.
Examples
Generate an SBOM
Inventory your dependencies
Use Syft to generate a CycloneDX SBOM for my container image and list every package it contains
Scan for CVEs
Find vulnerable dependencies
Scan my image with Grype and show only fixable HIGH and CRITICAL vulnerabilities
Supply chain gate in CI
Block vulnerable builds
Add Syft and Grype to my pipeline so builds fail on critical CVEs and attach the SBOM as an artifact