# Generate SBOMs with Syft

Software teams need reliable dependency inventories for images, archives, and application folders. This skill guides Syft SBOM generation, review, CI use, and follow-on vulnerability or license analysis.

## Install

```bash
npx skillstore add agentsecops/sbom-syft
```

## Metadata

- Slug: agentsecops-sbom-syft
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/secsdlc/sbom-syft
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-sbom-syft
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-sbom-syft/manifest

## Capabilities

- Explains how to generate SBOMs for container images, local directories, OCI archives, and Docker archives.
- Compares CycloneDX, SPDX, Syft JSON, text, GitHub, and template output formats.
- Provides CI/CD examples for GitHub Actions, GitLab CI, and Jenkins SBOM workflows.
- Shows how to combine Syft SBOMs with Grype vulnerability scanning.
- Covers signed SBOM attestation workflows using cosign.
- Includes guidance for license extraction, package review, exclusions, and scan performance tuning.

## Use Cases

- Create release SBOMs: Generate CycloneDX or SPDX SBOM artifacts for each container image or application release.
- Review open source exposure: Use Syft output to inspect packages, licenses, and dependency changes before vulnerability triage.
- Add supply chain checks to CI: Integrate SBOM generation, artifact upload, and vulnerability scanning into build pipelines.

## Prompt Templates

### Generate a basic image SBOM

```
Use the sbom-syft skill to help me generate a CycloneDX SBOM for the container image IMAGE_NAME. Explain each command and output file.
```

### Scan a project directory

```
Use the sbom-syft skill to create an SBOM workflow for this project directory. Recommend a format and explain how to review detected packages.
```

### Design a CI SBOM workflow

```
Use the sbom-syft skill to design a CI workflow that generates an SBOM, uploads it as an artifact, and scans it for vulnerabilities.
```

### Plan signed SBOM attestations

```
Use the sbom-syft skill to plan a signed SBOM attestation process for production images, including format choice, storage, verification, and risk controls.
```

## Limitations

- Requires Syft, Docker, or related command line tools to be installed where scans run.
- Does not verify the correctness of every package detected by Syft.
- Does not provide a hosted SBOM storage or vulnerability management system.
- Example CI templates must be adapted and hardened before production use.

## Best Practices

- Generate SBOMs for every release image and store them with the release artifacts.
- Use CycloneDX or SPDX when downstream scanners, auditors, or customers need standard formats.
- Protect SBOMs because they can reveal internal package names, versions, and architecture details.

## Anti Patterns

- Do not copy sample registry credentials into a committed project configuration file.
- Do not install CI tools through unverified remote shell scripts in production pipelines.
- Do not treat SBOM generation alone as vulnerability remediation or license approval.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T06:14:47.669+00:00
- Summary: Static analysis reported many command, network, environment, filesystem, and script patterns. Review found no malicious intent or prompt injection; most findings are documentation examples or CI templates. Two template patterns remain risky if copied into production without hardening: remote script execution through curl to bash and plaintext registry credential examples.

## Stats

- Views: 385
- Downloads: 5
- Favorites: 0
- Popularity score: 0
