Generate CycloneDX and SPDX SBOMs with Syft and upload to Vulnetix for dependency tracking and vulnerability analysis.
Install & scan
$ go install github.com/anchore/syft/cmd/syft@latest $ syft scan dir:. -o cyclonedx-json=bom.cdx.json
Run Anchore Syft in CI
Scan on every push and upload the results to Vulnetix:
- name: Install Syft
run: |
curl -sSfL https://get.anchore.io/syft | sh -s -- -b /usr/local/bin
- name: Generate SBOM
run: syft scan dir:. -o cyclonedx-json=bom.cdx.json
- name: Upload to Vulnetix
run: vulnetix upload --file bom.cdx.json
How Vulnetix compares — better together
Vulnetix does not replace Anchore Syft. Keep running it. Vulnetix sits on top of Anchore Syft — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Anchore Syft is strongest at its core category and also carries features in SCA, Container & Image Scanning, License Compliance — just like Vulnetix spans categories.
| Capability | Vulnetix | Anchore Syft |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ~ Enumerates packages/versions but does not itself match CVEs (Grype does) |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✓ Inspects OCI/Docker/Singularity image layers to discover packages |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ~ Records per-package license data in the SBOM; policy enforcement is external (e.g. Grant) |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✓ Core: generates CycloneDX + SPDX (and Syft JSON) SBOMs |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Anchore Syft does well
- Best-in-class SBOM generation from container images, filesystems and archives across dozens of packaging ecosystems (apk, dpkg, RPM, Go, Python, Java, npm, Ruby, Rust, PHP, .NET, and more)
- Outputs multiple formats (CycloneDX, SPDX, Syft JSON) and converts between them, fitting almost any downstream toolchain
- Captures license data per package and supports signed in-toto SBOM attestations for supply-chain provenance
- Clean separation of concerns: catalogue once with Syft, then feed Grype (or other scanners) — a widely adopted, Apache-2.0 building block
Where Vulnetix adds to it: Syft is a pure SBOM cataloguer with no vulnerability, prioritisation or remediation layer — exactly the input Vulnetix consumes. Vulnetix ingests Syft-generated CycloneDX/SPDX SBOMs and turns them into a governed program: cross-scanner dedup into one queue, exploit-intel prioritisation (EPSS/KEV/ESS/CWSS/LEV), reachability, immutable versioned VEX + audit, license and EOL policy, SSVC, and Safe Harbour autofix. Vulnetix also generates its own CycloneDX 1.7 + SPDX 2.3 SBOMs, so Syft output slots in as one source among many rather than the whole story.
No migration, no rip-and-replace. Anchore Syft keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Anchore Syft results in Vulnetix
Upload Anchore Syft CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.