Skills / Engineering / Grype & Syft SBOM Scanner

Grype & Syft SBOM Scanner

Generate SBOMs and scan for known vulnerabilities with Anchore's Syft and Grype. Build accurate software bills of materials for container images and filesystems, scan them for CVEs, track dependency exposure over time, and enforce vulnerability policies in CI.

Syft produces detailed SBOMs (SPDX/CycloneDX) and Grype scans them for known vulnerabilities. This skill helps you generate SBOMs for images and source trees, scan for CVEs with configurable severity gates, ignore accepted findings, and integrate SBOM + vulnerability checks into your build pipeline for supply chain visibility.

security sbom supply-chain vulnerability-scanning containers

When to use

Use to generate SBOMs for container images or repos, scan them for CVEs, manage vulnerability exceptions, and enforce supply chain policies in CI.

Examples

Generate an SBOM

Inventory your dependencies

Use Syft to generate a CycloneDX SBOM for my container image and list every package it contains

Scan for CVEs

Find vulnerable dependencies

Scan my image with Grype and show only fixable HIGH and CRITICAL vulnerabilities

Supply chain gate in CI

Block vulnerable builds

Add Syft and Grype to my pipeline so builds fail on critical CVEs and attach the SBOM as an artifact
Added to wishlist