Output Formats
Choose from multiple SBOM output formats including SPDX, CycloneDX, and Syft’s native JSON format.
TL;DR
- Choose a format with
-o <format>:table(default)json(complete data)spdx-json/spdx-tag-valuecyclonedx-json/cyclonedx-xml
- Write to file:
-o json=sbom.json - Generate multiple formats at once: use multiple
-oflags
Syft supports multiple output formats to fit different workflows and requirements by using the -o (or --output) flag:
syft <image> -o <format>
Available formats
-o ARG | Description |
|---|---|
table | A columnar summary (default) |
json | Native output for Syft—use this to get as much information out of Syft as possible! (see the JSON schema) |
purls | A line-separated list of Package URLs (PURLs) for all discovered packages |
github-json | A JSON report conforming to GitHub’s dependency snapshot format |
template | Lets you specify a custom output format via Go templates (see Templates for more detail) |
text | A row-oriented, human-and-machine-friendly output |
CycloneDX
CycloneDX is an OWASP-maintained industry standard SBOM format.
-o ARG | Description |
|---|---|
cyclonedx-json | A JSON report conforming to the CycloneDX specification |
cyclonedx-xml | An XML report conforming to the CycloneDX specification |
SPDX
SPDX (Software Package Data Exchange) is an ISO/IEC 5962:2021 industry standard SBOM format.
-o ARG | Description |
|---|---|
spdx-json | A JSON report conforming to the SPDX JSON Schema |
spdx-tag-value | A tag-value formatted report conforming to the SPDX specification |
Format versions
Some output formats support multiple schema versions. Specify a version by appending @<version> to the format name:
syft <source> -o <format>@<version>
Examples:
# Use CycloneDX JSON version 1.4
syft <source> -o cyclonedx-json@1.4
# Use SPDX JSON version 2.2
syft <source> -o spdx-json@2.2
# Default to latest version if not specified
syft <source> -o cyclonedx-json
Formats with version support:
- cyclonedx-json:
1.2,1.3,1.4,1.5,1.6 - cyclonedx-xml:
1.0,1.1,1.2,1.3,1.4,1.5,1.6 - spdx-json:
2.2,2.3 - spdx-tag-value:
2.1,2.2,2.3
When no version is specified, Syft uses the latest supported version of the format.
Format examples
NAME VERSION TYPE
busybox 1.37.0 binary
{
"artifacts": [
{
"id": "b902c455ac608569",
"name": "busybox",
"version": "1.37.0",
"type": "binary",
"foundBy": "binary-classifier-cataloger",
"locations": [
{
"path": "/bin/[",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927",
"accessPath": "/bin/busybox",
"annotations": {
"evidence": "primary"
}
}
],
"licenses": [],
"language": "",
"cpes": [
{
"cpe": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*",
"source": "nvd-cpe-dictionary"
}
],
"purl": "pkg:generic/busybox@1.37.0",
"metadataType": "binary-signature",
"metadata": {
"matches": [
{
"classifier": "busybox-binary",
"location": {
"path": "/bin/[",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927",
"accessPath": "/bin/busybox",
"annotations": {
"evidence": "primary"
}
}
}
]
}
}
],
"artifactRelationships": [
{
"parent": "b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65",
"child": "b902c455ac608569",
"type": "contains"
},
{
"parent": "b902c455ac608569",
"child": "569d4a1b976fac79",
"type": "evident-by",
"metadata": {
"kind": "primary"
}
}
],
"files": [
{
"id": "569d4a1b976fac79",
"location": {
"path": "/bin/[",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"metadata": {
"mode": 755,
"type": "RegularFile",
"userID": 0,
"groupID": 0,
"mimeType": "application/x-sharedlib",
"size": 1017416
},
"digests": [
{
"algorithm": "sha1",
"value": "8dd52ce79dfc02f4af697c25783fbf34e334fd97"
},
{
"algorithm": "sha256",
"value": "786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451"
}
],
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["libm.so.6", "libresolv.so.2", "libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "partial",
"pie": true,
"dso": true,
"safeStack": false
}
}
},
{
"id": "8ded473355030b29",
"location": {
"path": "/bin/getconf",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": true,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "7cb3ec0980b305ea",
"location": {
"path": "/lib/ld-linux-x86-64.so.2",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": [],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "721fdb92ef105572",
"location": {
"path": "/lib/libc.so.6",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["ld-linux-x86-64.so.2"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "78daafc7b39b7f14",
"location": {
"path": "/lib/libm.so.6",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6", "ld-linux-x86-64.so.2"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "1a1b10daf314c367",
"location": {
"path": "/lib/libnss_compat.so.2",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "b13fe055c85111aa",
"location": {
"path": "/lib/libnss_dns.so.2",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "20e1607c1af76f1c",
"location": {
"path": "/lib/libnss_files.so.2",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "60b37632c882b7b5",
"location": {
"path": "/lib/libnss_hesiod.so.2",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libresolv.so.2", "libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "3b2c5f079a592915",
"location": {
"path": "/lib/libpthread.so.0",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "d83b2e68ea6e74d7",
"location": {
"path": "/lib/libresolv.so.2",
"layerID": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
}
],
"source": {
"id": "b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65",
"name": "busybox",
"version": "sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65",
"type": "image",
"metadata": {
"userInput": "busybox:latest",
"imageID": "sha256:925ff61909aebae4bcc9bc04bb96a8bd15cd2271f13159fe95ce4338824531dd",
"manifestDigest": "sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65",
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"tags": [],
"imageSize": 4421246,
"layers": [
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927",
"size": 4421246
}
],
"manifest": "ewoJInNjaGVtYVZlcnNpb24iOiAyLAoJIm1lZGlhVHlwZSI6ICJhcHBsaWNhdGlvbi92bmQub2NpLmltYWdlLm1hbmlmZXN0LnYxK2pzb24iLAoJImNvbmZpZyI6IHsKCQkibWVkaWFUeXBlIjogImFwcGxpY2F0aW9uL3ZuZC5vY2kuaW1hZ2UuY29uZmlnLnYxK2pzb24iLAoJCSJkaWdlc3QiOiAic2hhMjU2OjkyNWZmNjE5MDlhZWJhZTRiY2M5YmMwNGJiOTZhOGJkMTVjZDIyNzFmMTMxNTlmZTk1Y2U0MzM4ODI0NTMxZGQiLAoJCSJzaXplIjogNDU5Cgl9LAoJImxheWVycyI6IFsKCQl7CgkJCSJtZWRpYVR5cGUiOiAiYXBwbGljYXRpb24vdm5kLm9jaS5pbWFnZS5sYXllci52MS50YXIrZ3ppcCIsCgkJCSJkaWdlc3QiOiAic2hhMjU2OjQ4MTI4MmFmYmM0MzA0ZmZlZTQ3OTIyNThlYTExNGYwOWU0MjNhNGEwODIzMzViMzA2OTViNTAzMTAzOTRmNDciLAoJCQkic2l6ZSI6IDIyMTEzOTgKCQl9CgldLAoJImFubm90YXRpb25zIjogewoJCSJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudXJsIjogImh0dHBzOi8vZ2l0aHViLmNvbS9kb2NrZXItbGlicmFyeS9idXN5Ym94IiwKCQkib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnZlcnNpb24iOiAiMS4zNy4wLWdsaWJjIgoJfQp9Cg==",
"config": "ewoJImNvbmZpZyI6IHsKCQkiQ21kIjogWwoJCQkic2giCgkJXSwKCQkiRW52IjogWwoJCQkiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iCgkJXQoJfSwKCSJjcmVhdGVkIjogIjIwMjQtMDktMjZUMjE6MzE6NDJaIiwKCSJoaXN0b3J5IjogWwoJCXsKCQkJImNyZWF0ZWQiOiAiMjAyNC0wOS0yNlQyMTozMTo0MloiLAoJCQkiY3JlYXRlZF9ieSI6ICJCdXN5Qm94IDEuMzcuMCAoZ2xpYmMpLCBEZWJpYW4gMTMiCgkJfQoJXSwKCSJyb290ZnMiOiB7CgkJInR5cGUiOiAibGF5ZXJzIiwKCQkiZGlmZl9pZHMiOiBbCgkJCSJzaGEyNTY6N2Y3NGNhNzI4NTU2Njg0NTNmYzQyMDdjMWU1YzUwYmI1NjUzZTcyYmI5OTM5ZWIxZDU1MTJjMDAxNjI0ZTkyNyIKCQldCgl9LAoJImFyY2hpdGVjdHVyZSI6ICJhbWQ2NCIsCgkib3MiOiAibGludXgiCn0K",
"repoDigests": [
"index.docker.io/library/busybox@sha256:1487d0af5f52b4ba31c7e465126ee2123fe3f2305d638e7827681e7cf6c83d5e"
],
"architecture": "amd64",
"os": "linux"
}
},
"distro": {
"prettyName": "BusyBox v1.37.0",
"name": "busybox",
"id": "busybox",
"idLike": ["busybox"],
"version": "1.37.0",
"versionID": "1.37.0"
},
"descriptor": {
"name": "syft",
"version": "1.42.3",
"configuration": {
"catalogers": {
"requested": {
"default": ["image", "file"]
},
"used": [
"alpm-db-cataloger",
"apk-db-cataloger",
"binary-classifier-cataloger",
"bitnami-cataloger",
"cargo-auditable-binary-cataloger",
"conan-info-cataloger",
"dotnet-deps-binary-cataloger",
"dotnet-packages-lock-cataloger",
"dpkg-db-cataloger",
"elf-binary-package-cataloger",
"file-content-cataloger",
"file-digest-cataloger",
"file-executable-cataloger",
"file-metadata-cataloger",
"gguf-cataloger",
"go-module-binary-cataloger",
"graalvm-native-image-cataloger",
"homebrew-cataloger",
"java-archive-cataloger",
"java-jvm-cataloger",
"javascript-package-cataloger",
"linux-kernel-cataloger",
"lua-rock-cataloger",
"nix-cataloger",
"pe-binary-package-cataloger",
"php-composer-installed-cataloger",
"php-interpreter-cataloger",
"php-pear-serialized-cataloger",
"portage-cataloger",
"python-installed-package-cataloger",
"r-package-cataloger",
"rpm-db-cataloger",
"ruby-installed-gemspec-cataloger",
"snap-cataloger",
"wordpress-plugins-cataloger"
]
},
"data-generation": {
"generate-cpes": true
},
"files": {
"content": {
"globs": null,
"skip-files-above-size": 0
},
"hashers": ["sha-1", "sha-256"],
"selection": "owned-by-package"
},
"licenses": {
"coverage": 75,
"include-content": "none"
},
"packages": {
"binary": [
"python-binary",
"python-binary-lib",
"pypy-binary-lib",
"go-binary",
"julia-binary",
"helm",
"redis-binary",
"valkey-binary",
"nodejs-binary",
"busybox-binary",
"util-linux-binary",
"haproxy-binary",
"perl-binary",
"php-composer-binary",
"httpd-binary",
"memcached-binary",
"traefik-binary",
"arangodb-binary",
"postgresql-binary",
"mysql-binary",
"mysql-binary",
"mysql-binary",
"xtrabackup-binary",
"mariadb-binary",
"rust-standard-library-linux",
"rust-standard-library-macos",
"ruby-binary",
"erlang-binary",
"erlang-alpine-binary",
"erlang-library",
"swipl-binary",
"dart-binary",
"haskell-ghc-binary",
"haskell-cabal-binary",
"haskell-stack-binary",
"consul-binary",
"hashicorp-vault-binary",
"nginx-binary",
"bash-binary",
"openssl-binary",
"qt-qtbase-lib",
"gcc-binary",
"fluent-bit-binary",
"wordpress-cli-binary",
"curl-binary",
"lighttpd-binary",
"proftpd-binary",
"zstd-binary",
"xz-binary",
"gzip-binary",
"sqlcipher-binary",
"jq-binary",
"chrome-binary",
"ffmpeg-binary",
"ffmpeg-library",
"ffmpeg-library",
"elixir-binary",
"elixir-library",
"istio-binary",
"istio-binary",
"grafana-binary",
"grafana-binary",
"envoy-binary",
"mongodb-binary",
"java-binary",
"java-jdb-binary"
],
"dotnet": {
"dep-packages-must-claim-dll": true,
"dep-packages-must-have-dll": false,
"exclude-project-references": true,
"propagate-dll-claims-to-parents": true,
"relax-dll-claims-when-bundling-detected": true
},
"golang": {
"local-mod-cache-dir": "/root/go/pkg/mod",
"local-vendor-dir": "",
"main-module-version": {
"from-build-settings": true,
"from-contents": false,
"from-ld-flags": true
},
"proxies": ["https://proxy.golang.org", "direct"],
"search-local-mod-cache-licenses": false,
"search-local-vendor-licenses": false,
"search-remote-licenses": false,
"use-packages-lib": true
},
"java-archive": {
"include-indexed-archives": true,
"include-unindexed-archives": false,
"maven-base-url": "https://repo1.maven.org/maven2",
"maven-localrepository-dir": "/root/.m2/repository",
"max-parent-recursive-depth": 0,
"resolve-transitive-dependencies": false,
"use-maven-localrepository": false,
"use-network": false
},
"javascript": {
"include-dev-dependencies": false,
"npm-base-url": "https://registry.npmjs.org",
"search-remote-licenses": false
},
"linux-kernel": {
"catalog-modules": true
},
"nix": {
"capture-owned-files": false
},
"python": {
"guess-unpinned-requirements": false,
"pypi-base-url": "https://pypi.org/pypi",
"search-remote-licenses": false
}
},
"relationships": {
"exclude-binary-packages-with-file-ownership-overlap": true,
"package-file-ownership": true,
"package-file-ownership-overlap": true
},
"search": {
"scope": "squashed"
}
}
},
"schema": {
"version": "16.1.3",
"url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.1.3.json"
}
}
pkg:generic/busybox@1.37.0
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:80b663b2-9c5b-4a04-a5aa-94b6dbe6630f",
"version": 1,
"metadata": {
"timestamp": "2026-04-01T03:01:06Z",
"tools": {
"components": [
{
"type": "application",
"author": "anchore",
"name": "syft",
"version": "1.42.3"
}
]
},
"component": {
"bom-ref": "5caaed5da0f8b401",
"type": "container",
"name": "busybox",
"version": "sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65"
}
},
"components": [
{
"bom-ref": "pkg:generic/busybox@1.37.0?package-id=b902c455ac608569",
"type": "application",
"name": "busybox",
"version": "1.37.0",
"cpe": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*",
"purl": "pkg:generic/busybox@1.37.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "binary-classifier-cataloger"
},
{
"name": "syft:package:type",
"value": "binary"
},
{
"name": "syft:package:metadataType",
"value": "binary-signature"
},
{
"name": "syft:location:0:layerID",
"value": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"name": "syft:location:0:path",
"value": "/bin/["
}
]
},
{
"bom-ref": "os:busybox@1.37.0",
"type": "operating-system",
"name": "busybox",
"version": "1.37.0",
"description": "BusyBox v1.37.0",
"swid": {
"tagId": "busybox",
"name": "busybox",
"version": "1.37.0"
},
"properties": [
{
"name": "syft:distro:extendedSupport",
"value": "false"
},
{
"name": "syft:distro:id",
"value": "busybox"
},
{
"name": "syft:distro:idLike:0",
"value": "busybox"
},
{
"name": "syft:distro:prettyName",
"value": "BusyBox v1.37.0"
},
{
"name": "syft:distro:versionID",
"value": "1.37.0"
}
]
},
{
"bom-ref": "569d4a1b976fac79",
"type": "file",
"name": "/bin/[",
"hashes": [
{
"alg": "SHA-1",
"content": "8dd52ce79dfc02f4af697c25783fbf34e334fd97"
},
{
"alg": "SHA-256",
"content": "786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451"
}
]
}
]
}
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:086f0797-f49f-496e-9a2e-53df5f71618d" version="1">
<metadata>
<timestamp>2026-04-01T03:01:07Z</timestamp>
<tools>
<components>
<component type="application">
<author>anchore</author>
<name>syft</name>
<version>1.42.3</version>
</component>
</components>
</tools>
<component bom-ref="5caaed5da0f8b401" type="container">
<name>busybox</name>
<version>sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65</version>
</component>
</metadata>
<components>
<component bom-ref="pkg:generic/busybox@1.37.0?package-id=b902c455ac608569" type="application">
<name>busybox</name>
<version>1.37.0</version>
<cpe>cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*</cpe>
<purl>pkg:generic/busybox@1.37.0</purl>
<properties>
<property name="syft:package:foundBy">binary-classifier-cataloger</property>
<property name="syft:package:type">binary</property>
<property name="syft:package:metadataType">binary-signature</property>
<property name="syft:location:0:layerID">sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927</property>
<property name="syft:location:0:path">/bin/[</property>
</properties>
</component>
<component bom-ref="os:busybox@1.37.0" type="operating-system">
<name>busybox</name>
<version>1.37.0</version>
<description>BusyBox v1.37.0</description>
<swid tagId="busybox" name="busybox" version="1.37.0"></swid>
<properties>
<property name="syft:distro:extendedSupport">false</property>
<property name="syft:distro:id">busybox</property>
<property name="syft:distro:idLike:0">busybox</property>
<property name="syft:distro:prettyName">BusyBox v1.37.0</property>
<property name="syft:distro:versionID">1.37.0</property>
</properties>
</component>
<component bom-ref="569d4a1b976fac79" type="file">
<name>/bin/[</name>
<hashes>
<hash alg="SHA-1">8dd52ce79dfc02f4af697c25783fbf34e334fd97</hash>
<hash alg="SHA-256">786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451</hash>
</hashes>
</component>
</components>
</bom>
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "busybox",
"documentNamespace": "https://anchore.com/syft/image/busybox-cda8cc96-80dd-4c82-ba9c-6b8bd6e6152d",
"creationInfo": {
"licenseListVersion": "3.28",
"creators": ["Organization: Anchore, Inc", "Tool: syft-1.42.3"],
"created": "2026-04-01T03:01:07Z"
},
"packages": [
{
"name": "busybox",
"SPDXID": "SPDXRef-Package-binary-busybox-b902c455ac608569",
"versionInfo": "1.37.0",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from the following paths: /bin/[",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:generic/busybox@1.37.0"
}
]
},
{
"name": "busybox",
"SPDXID": "SPDXRef-DocumentRoot-Image-busybox",
"versionInfo": "sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65"
}
],
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/busybox@sha256%3Ab8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65?arch=amd64&tag=latest"
}
],
"primaryPackagePurpose": "CONTAINER"
}
],
"files": [
{
"fileName": "bin/[",
"SPDXID": "SPDXRef-File-bin---569d4a1b976fac79",
"fileTypes": ["APPLICATION", "BINARY"],
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "8dd52ce79dfc02f4af697c25783fbf34e334fd97"
},
{
"algorithm": "SHA256",
"checksumValue": "786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "bin/getconf",
"SPDXID": "SPDXRef-File-bin-getconf-8ded473355030b29",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/ld-linux-x86-64.so.2",
"SPDXID": "SPDXRef-File-lib-ld-linux-x86-64.so.2-7cb3ec0980b305ea",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libc.so.6",
"SPDXID": "SPDXRef-File-lib-libc.so.6-721fdb92ef105572",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libm.so.6",
"SPDXID": "SPDXRef-File-lib-libm.so.6-78daafc7b39b7f14",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libnss_compat.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-compat.so.2-1a1b10daf314c367",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libnss_dns.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-dns.so.2-b13fe055c85111aa",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libnss_files.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-files.so.2-20e1607c1af76f1c",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libnss_hesiod.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-hesiod.so.2-60b37632c882b7b5",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libpthread.so.0",
"SPDXID": "SPDXRef-File-lib-libpthread.so.0-3b2c5f079a592915",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
{
"fileName": "lib/libresolv.so.2",
"SPDXID": "SPDXRef-File-lib-libresolv.so.2-d83b2e68ea6e74d7",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-Package-binary-busybox-b902c455ac608569",
"relatedSpdxElement": "SPDXRef-File-bin---569d4a1b976fac79",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-Image-busybox",
"relatedSpdxElement": "SPDXRef-Package-binary-busybox-b902c455ac608569",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-DocumentRoot-Image-busybox",
"relationshipType": "DESCRIBES"
}
]
}
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: busybox
DocumentNamespace: https://anchore.com/syft/image/busybox-a646e211-1b04-44d4-9a4b-e404c1efd937
LicenseListVersion: 3.28
Creator: Organization: Anchore, Inc
Creator: Tool: syft-1.42.3
Created: 2026-04-01T03:01:08Z
##### Unpackaged files
FileName: bin/[
SPDXID: SPDXRef-File-bin---569d4a1b976fac79
FileType: APPLICATION
FileType: BINARY
FileChecksum: SHA1: 8dd52ce79dfc02f4af697c25783fbf34e334fd97
FileChecksum: SHA256: 786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: bin/getconf
SPDXID: SPDXRef-File-bin-getconf-8ded473355030b29
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/ld-linux-x86-64.so.2
SPDXID: SPDXRef-File-lib-ld-linux-x86-64.so.2-7cb3ec0980b305ea
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libc.so.6
SPDXID: SPDXRef-File-lib-libc.so.6-721fdb92ef105572
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libm.so.6
SPDXID: SPDXRef-File-lib-libm.so.6-78daafc7b39b7f14
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libnss_compat.so.2
SPDXID: SPDXRef-File-lib-libnss-compat.so.2-1a1b10daf314c367
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libnss_dns.so.2
SPDXID: SPDXRef-File-lib-libnss-dns.so.2-b13fe055c85111aa
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libnss_files.so.2
SPDXID: SPDXRef-File-lib-libnss-files.so.2-20e1607c1af76f1c
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libnss_hesiod.so.2
SPDXID: SPDXRef-File-lib-libnss-hesiod.so.2-60b37632c882b7b5
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libpthread.so.0
SPDXID: SPDXRef-File-lib-libpthread.so.0-3b2c5f079a592915
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
FileName: lib/libresolv.so.2
SPDXID: SPDXRef-File-lib-libresolv.so.2-d83b2e68ea6e74d7
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927
##### Package: busybox
PackageName: busybox
SPDXID: SPDXRef-DocumentRoot-Image-busybox
PackageVersion: sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
PrimaryPackagePurpose: CONTAINER
FilesAnalyzed: false
PackageChecksum: SHA256: b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:oci/busybox@sha256%3Ab8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65?arch=amd64&tag=latest
##### Package: busybox
PackageName: busybox
SPDXID: SPDXRef-Package-binary-busybox-b902c455ac608569
PackageVersion: 1.37.0
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from the following paths: /bin/[
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:generic/busybox@1.37.0
##### Relationships
Relationship: SPDXRef-Package-binary-busybox-b902c455ac608569 OTHER SPDXRef-File-bin---569d4a1b976fac79
RelationshipComment: evident-by: indicates the package's existence is evident by the given file
Relationship: SPDXRef-DocumentRoot-Image-busybox CONTAINS SPDXRef-Package-binary-busybox-b902c455ac608569
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DocumentRoot-Image-busybox
{
"version": 0,
"job": {},
"detector": {
"name": "syft",
"url": "https://github.com/anchore/syft",
"version": "1.42.3"
},
"metadata": {
"syft:distro": "pkg:generic/busybox@1.37.0?like=busybox"
},
"manifests": {
"busybox:latest:/bin/busybox": {
"name": "busybox:latest:/bin/busybox",
"file": {
"source_location": "busybox:latest:/bin/busybox"
},
"metadata": {
"syft:filesystem": "sha256:7f74ca72855668453fc4207c1e5c50bb5653e72bb9939eb1d5512c001624e927"
},
"resolved": {
"pkg:generic/busybox@1.37.0": {
"package_url": "pkg:generic/busybox@1.37.0",
"relationship": "direct",
"scope": "runtime"
}
}
}
},
"scanned": "2026-04-01T03:01:09Z"
}
Writing output to files
Direct Syft output to a file instead of stdout by appending =<file> to the format option:
# Write JSON to a file
syft <source> -o json=sbom.json
# Write to stdout (default behavior)
syft <source> -o json
Multiple outputs
Generate multiple SBOM formats in a single run by specifying multiple -o flags:
syft <source> \
-o json=sbom.json \
-o spdx-json=sbom.spdx.json
You can both display to terminal and write to file:
syft <source> \
-o table \ # report to stdout
-o json=sbom.json # write to file
FAQ
Which format should I use?
- For human review: Use
table(default) for quick package lists - For automation and queries: Use
jsonto access all Syft data including file details, relationships, and metadata - For compliance and sharing: Use
spdx-jsonorcyclonedx-json- both are widely supported industry standards - For custom formats: Use
templateto create your own output format
Can I convert between formats?
Yes! See the Format Conversion guide to convert existing SBOMs between formats without re-scanning.
Do all formats contain the same information?
No. Syft’s native json format contains the most complete information. Standard formats (SPDX, CycloneDX) contain package data but may not include all file details or Syft-specific metadata. Some data may be omitted or transformed to fit the target schema.
Which version should I use for SPDX or CycloneDX?
Use the latest version (default) unless you need compatibility with specific tools that require older versions. Check your downstream tools’ documentation for version requirements.
Next steps
Continue the guide
Next: Explore Working with Syft JSON to learn how to query and extract specific data from Syft’s native format using jq.Additional resources:
- Custom formats: Learn about customizing output with templates for specialized formats
- Convert formats: See Format Conversion to convert between different SBOM formats
- Advanced settings: Check configuration options for format-specific settings