Syft
Status
Version: 1.0.0 | Tests: Passing
```json
{
  "features": {
    "ghcr.io/infrashift/trusted-devcontainer-features/syft:latest": {
      "target_version": "1.42.0"
    }
  }
}
```

Options
| Option | Type | Default | Description |
|---|---|---|---|
| target_version | string | 1.42.0 | Select a supported Syft binary version |
| target_checksum | string | "" | SHA256 checksum for the Syft binary |
Dependencies
None — this feature is independent and has no dependencies.
How It Works
This feature downloads the Syft SBOM generator from Anchore’s GitHub releases. The Ansible playbook downloads the syft_<version>_linux_amd64.tar.gz tarball for the specified version and optionally verifies the SHA256 checksum. If no checksum is provided via the target_checksum option, the playbook downloads the checksums file from the release to perform verification. Once verified, the binary is extracted to ~/.local/bin.
After installation, the playbook verifies that Syft is working correctly by running syft version to confirm the installed version. Syft has no external dependencies, so this feature installs cleanly without a dependency chain.
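The verification step described above, written out as an added POSIX shell example; this is not the feature's Ansible playbook. The function takes the same two inputs the playbook has: an explicit digest (what target_checksum supplies) or, when that is empty, a release-style checksums file in sha256sum's `<hex>  <filename>` layout, from which it looks up the row for the tarball's own file name. The release download is replaced by constructed local files so it runs offline; the checksums file name `syft_<version>_checksums.txt` is an assumption, and the post-install `syft version` check is not reproduced.

```shell
#!/bin/sh
# Added example, not the feature's own playbook: the SHA256 check described
# above as a shell function, driven by constructed local files instead of
# the GitHub release download.
set -u

# verify_syft_tarball TARBALL EXPECTED_SHA256 CHECKSUMS_FILE
#   EXPECTED_SHA256 may be empty; the digest is then looked up in
#   CHECKSUMS_FILE, which follows sha256sum's "<hex>  <filename>" layout.
#   Prints "ok" and returns 0 on a match, returns 1 otherwise.
verify_syft_tarball() {
    tarball=$1
    expected=$2
    checksums=$3
    name=$(basename "$tarball")

    if [ -z "$expected" ]; then
        # Match on the file-name column so another platform's asset in the
        # same checksums file cannot satisfy the lookup.
        expected=$(awk -v f="$name" '$2 == f { print $1 }' "$checksums")
        if [ -z "$expected" ]; then
            echo "no checksum entry for $name" >&2
            return 1
        fi
    fi

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "ok"
}

# --- Constructed fixture standing in for the release assets ---------------
SYFT_VERSION=1.42.0                           # default target_version
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TARBALL="$WORK/syft_${SYFT_VERSION}_linux_amd64.tar.gz"
printf 'placeholder bytes, not a real syft release\n' > "$TARBALL"

# Checksums file (its name is assumed, not taken from the page). It lists
# another platform's asset first so the lookup has to pick the right row.
CHECKSUMS="$WORK/syft_${SYFT_VERSION}_checksums.txt"
{
    printf '%s  syft_%s_darwin_arm64.tar.gz\n' \
        "$(printf 'some other asset' | sha256sum | awk '{ print $1 }')" "$SYFT_VERSION"
    (cd "$WORK" && sha256sum "$(basename "$TARBALL")")
} > "$CHECKSUMS"

# A file with no entry in the checksums file, to show the lookup failing.
UNLISTED="$WORK/syft_${SYFT_VERSION}_linux_arm64.tar.gz"
cp "$TARBALL" "$UNLISTED"

# Known-good digest, as a user would pass via target_checksum, and a
# constructed wrong one.
GOOD_SHA256=$(sha256sum "$TARBALL" | awk '{ print $1 }')
BAD_SHA256=$(printf '%064d' 0)

verify_syft_tarball "$TARBALL" "" "$CHECKSUMS"              # lookup path
verify_syft_tarball "$TARBALL" "$GOOD_SHA256" "$CHECKSUMS"  # explicit digest
```

Pinning target_checksum is the stronger of the two paths: with it, the build does not trust the checksums file fetched from the same release it is verifying, so a tampered or replaced asset fails even when its accompanying checksums file was rewritten to match.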
Syft generates Software Bills of Materials (SBOMs) in CycloneDX, SPDX, and other standard formats from container images, filesystems, and archives. SBOMs are increasingly required for software supply chain security compliance, and having Syft available in your devcontainer allows you to generate and inspect SBOMs as part of your development workflow. Syft pairs well with the Grype feature, which uses Syft-generated SBOMs to scan for known vulnerabilities.