Tool integration

Anchore Syft Integration Guide

SBOM generator for container images and filesystems

Get a Free API Key

Generate CycloneDX and SPDX SBOMs with Syft and upload to Vulnetix for dependency tracking and vulnerability analysis.

CLI toolCycloneDXSPDX

Install & scan

$ go install github.com/anchore/syft/cmd/syft@latest
$ syft scan dir:. -o cyclonedx-json=bom.cdx.json

Run Anchore Syft in CI

Scan on every push and upload the results to Vulnetix:

- name: Install Syft
  run: |
    curl -sSfL https://get.anchore.io/syft | sh -s -- -b /usr/local/bin
- name: Generate SBOM
  run: syft scan dir:. -o cyclonedx-json=bom.cdx.json
- name: Upload to Vulnetix
  run: vulnetix upload --file bom.cdx.json

How Vulnetix compares — better together

Vulnetix does not replace Anchore Syft. Keep running it. Vulnetix sits on top of Anchore Syft — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Anchore Syft is strongest at its core category and also carries features in SCA, Container & Image Scanning, License Compliance — just like Vulnetix spans categories.

CapabilityVulnetixAnchore Syft
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph~ Enumerates packages/versions but does not itself match CVEs (Grype does)
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, DockerfileInspects OCI/Docker/Singularity image layers to discover packages
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy~ Records per-package license data in the SBOM; policy enforcement is external (e.g. Grant)
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signableCore: generates CycloneDX + SPDX (and Syft JSON) SBOMs
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Anchore Syft does well

Where Vulnetix adds to it: Syft is a pure SBOM cataloguer with no vulnerability, prioritisation or remediation layer — exactly the input Vulnetix consumes. Vulnetix ingests Syft-generated CycloneDX/SPDX SBOMs and turns them into a governed program: cross-scanner dedup into one queue, exploit-intel prioritisation (EPSS/KEV/ESS/CWSS/LEV), reachability, immutable versioned VEX + audit, license and EOL policy, SSVC, and Safe Harbour autofix. Vulnetix also generates its own CycloneDX 1.7 + SPDX 2.3 SBOMs, so Syft output slots in as one source among many rather than the whole story.

No migration, no rip-and-replace. Anchore Syft keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Anchore Syft results in Vulnetix

Upload Anchore Syft CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Anchore Syft documentation ↗  ·  Source repository ↗

Wire Anchore Syft into your CI/CD pipeline →