
BuildKit Syft scanner

This repo packages the Syft scanner as a BuildKit SBOM generator to include scan results with the output of Docker builds.

The docker/buildkit-syft-scanner image implements the BuildKit SBOM scanner protocol defined here.

Usage

To scan an image during build with buildctl:

$ buildctl build ... \
    --output type=image,name=<image>,push=true \
    --opt attest:sbom=generator=docker/buildkit-syft-scanner
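
BuildKit attaches the generated SBOM to the image as an in-toto statement whose predicate type is https://spdx.dev/Document. The Go program below is an added example, not code from this repository: it checks that such a statement is an SPDX attestation bound to the expected image digest and lists its packages. The names CheckSBOM and sampleStatement, the sample data and the placeholder digest "aaaa" are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample statement; "aaaa" is a placeholder, not a real digest.
const sampleStatement = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document",
 "subject":[{"name":"pkg:docker/example/app@dev","digest":{"sha256":"aaaa"}}],
 "predicate":{"spdxVersion":"SPDX-2.3","packages":[
  {"name":"musl","versionInfo":"1.2.4-r2"},{"name":"busybox","versionInfo":"1.36.1-r5"}]}}`

// Only the fields the check needs; encoding/json matches keys case-insensitively.
type statement struct {
	PredicateType string
	Subject       []struct{ Digest map[string]string }
	Predicate     struct {
		Packages []struct{ Name, VersionInfo string }
	}
}

// CheckSBOM returns the packages as "name@version" if raw is an SPDX statement for imageSHA256.
func CheckSBOM(raw []byte, imageSHA256 string) ([]string, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("statement is not valid JSON: %w", err)
	}
	if st.PredicateType != "https://spdx.dev/Document" {
		return nil, fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	bound := false
	for _, s := range st.Subject {
		bound = bound || s.Digest["sha256"] == imageSHA256
	}
	if !bound {
		return nil, fmt.Errorf("no subject matches image digest %s", imageSHA256)
	}
	var pkgs []string
	for _, p := range st.Predicate.Packages {
		pkgs = append(pkgs, p.Name+"@"+p.VersionInfo)
	}
	if len(pkgs) == 0 { // policy assumption: an empty SBOM is treated as a failure
		return nil, fmt.Errorf("SBOM lists no packages")
	}
	return pkgs, nil
}

func main() {
	pkgs, err := CheckSBOM([]byte(sampleStatement), "aaaa")
	fmt.Println(pkgs, err)
}
```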

Development

buildkit-syft-scanner uses bake to build the project.

To set up a development environment, clone the git repository:

$ git clone https://github.com/docker/buildkit-syft-scanner.git
$ cd buildkit-syft-scanner

It's recommended to set up an ephemeral local registry to push the development image to:

$ docker run -d -p 5000:5000 --rm --name registry registry:2

To build the development image, and push it to localhost:5000/buildkit-syft-scanner:dev:

$ make dev IMAGE=localhost:5000/buildkit-syft-scanner:dev 

To test the development image:

$ make examples IMAGE=localhost:5000/buildkit-syft-scanner:dev 

To scan an image during build with buildctl using the development image:

$ buildctl build ... \
    --output type=image,name=<image>,push=true \
    --opt attest:sbom=generator=localhost:5000/buildkit-syft-scanner:dev

Contributing

Want to contribute? Awesome!

buildkit-syft-scanner is mostly glue between BuildKit and Syft, so contributions will most likely belong in one of those projects. This project is intended to be as thin a compatibility layer as possible, so we have a strong preference for as little code here as possible.