Output Formats
Choose from multiple SBOM output formats including SPDX, CycloneDX, and Syft’s native JSON format.
TL;DR
- Choose a format with
-o <format>:table(default)json(complete data)spdx-json/spdx-tag-valuecyclonedx-json/cyclonedx-xml
- Write to file:
-o json=sbom.json - Generate multiple formats at once: use multiple
-oflags
Syft supports multiple output formats to fit different workflows and requirements by using the -o (or --output) flag:
syft <image> -o <format>
Available formats
-o ARG | Description |
|---|---|
table | A columnar summary (default) |
json | Native output for Syft—use this to get as much information out of Syft as possible! (see the JSON schema) |
purls | A line-separated list of Package URLs (PURLs) for all discovered packages |
github-json | A JSON report conforming to GitHub’s dependency snapshot format |
template | Lets you specify a custom output format via Go templates (see Templates for more detail) |
text | A row-oriented, human-and-machine-friendly output |
CycloneDX
CycloneDX is an OWASP-maintained industry standard SBOM format.
-o ARG | Description |
|---|---|
cyclonedx-json | A JSON report conforming to the CycloneDX specification |
cyclonedx-xml | An XML report conforming to the CycloneDX specification |
SPDX
SPDX (Software Package Data Exchange) is an ISO/IEC 5962:2021 industry standard SBOM format.
-o ARG | Description |
|---|---|
spdx-json | A JSON report conforming to the SPDX JSON Schema |
spdx-tag-value | A tag-value formatted report conforming to the SPDX specification |
Format versions
Some output formats support multiple schema versions. Specify a version by appending @<version> to the format name:
syft <source> -o <format>@<version>
Examples:
# Use CycloneDX JSON version 1.4
syft <source> -o cyclonedx-json@1.4
# Use SPDX JSON version 2.2
syft <source> -o spdx-json@2.2
# Default to latest version if not specified
syft <source> -o cyclonedx-json
Formats with version support:
- cyclonedx-json:
1.2,1.3,1.4,1.5,1.6 - cyclonedx-xml:
1.0,1.1,1.2,1.3,1.4,1.5,1.6 - spdx-json:
2.2,2.3 - spdx-tag-value:
2.1,2.2,2.3
When no version is specified, Syft uses the latest supported version of the format.
Format examples
NAME VERSION TYPE
busybox 1.37.0 binary
{
"artifacts": [
{
"id": "4bab6ea0b54dbcb0",
"name": "busybox",
"version": "1.37.0",
"type": "binary",
"foundBy": "binary-classifier-cataloger",
"locations": [
{
"path": "/bin/[",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029",
"accessPath": "/bin/busybox",
"annotations": {
"evidence": "primary"
}
}
],
"licenses": [],
"language": "",
"cpes": [
{
"cpe": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*",
"source": "nvd-cpe-dictionary"
}
],
"purl": "pkg:generic/busybox@1.37.0",
"metadataType": "binary-signature",
"metadata": {
"matches": [
{
"classifier": "busybox-binary",
"location": {
"path": "/bin/[",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029",
"accessPath": "/bin/busybox",
"annotations": {
"evidence": "primary"
}
}
}
]
}
}
],
"artifactRelationships": [
{
"parent": "4bab6ea0b54dbcb0",
"child": "d314844960140844",
"type": "evident-by",
"metadata": {
"kind": "primary"
}
},
{
"parent": "70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6",
"child": "4bab6ea0b54dbcb0",
"type": "contains"
}
],
"files": [
{
"id": "d314844960140844",
"location": {
"path": "/bin/[",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"metadata": {
"mode": 755,
"type": "RegularFile",
"userID": 0,
"groupID": 0,
"mimeType": "application/x-sharedlib",
"size": 1017416
},
"digests": [
{
"algorithm": "sha1",
"value": "8dd52ce79dfc02f4af697c25783fbf34e334fd97"
},
{
"algorithm": "sha256",
"value": "786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451"
}
],
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["libm.so.6", "libresolv.so.2", "libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "partial",
"pie": true,
"dso": true,
"safeStack": false
}
}
},
{
"id": "d8b4b0ee50a72f84",
"location": {
"path": "/bin/getconf",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": true,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "6681d507794b7a47",
"location": {
"path": "/lib/ld-linux-x86-64.so.2",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": [],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "fa1a2820b33b12fb",
"location": {
"path": "/lib/libc.so.6",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": true,
"importedLibraries": ["ld-linux-x86-64.so.2"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "99390ad40b63cca1",
"location": {
"path": "/lib/libm.so.6",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6", "ld-linux-x86-64.so.2"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "508efbee2c64181a",
"location": {
"path": "/lib/libnss_compat.so.2",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "e26d861c3630126f",
"location": {
"path": "/lib/libnss_dns.so.2",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "27d8277367f5811d",
"location": {
"path": "/lib/libnss_files.so.2",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "4e738b5ae019acd0",
"location": {
"path": "/lib/libnss_hesiod.so.2",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libresolv.so.2", "libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "8fd2d779fbd33180",
"location": {
"path": "/lib/libpthread.so.0",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": false,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
},
{
"id": "4ddab587142f1aa2",
"location": {
"path": "/lib/libresolv.so.2",
"layerID": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"executable": {
"format": "elf",
"hasExports": true,
"hasEntrypoint": false,
"importedLibraries": ["libc.so.6"],
"elfSecurityFeatures": {
"symbolTableStripped": true,
"stackCanary": true,
"nx": true,
"relRO": "full",
"pie": false,
"dso": true,
"safeStack": false
}
},
"unknowns": ["unknowns-labeler: no package identified in executable file"]
}
],
"source": {
"id": "70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6",
"name": "busybox",
"version": "sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6",
"type": "image",
"metadata": {
"userInput": "busybox:latest",
"imageID": "sha256:af3f0f48a24edb84e94aff6f44f5d089203453719d3b2328486d311e61db9b09",
"manifestDigest": "sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6",
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"tags": [],
"imageSize": 4425270,
"layers": [
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029",
"size": 4425270
}
],
"manifest": "ewoJInNjaGVtYVZlcnNpb24iOiAyLAoJIm1lZGlhVHlwZSI6ICJhcHBsaWNhdGlvbi92bmQub2NpLmltYWdlLm1hbmlmZXN0LnYxK2pzb24iLAoJImNvbmZpZyI6IHsKCQkibWVkaWFUeXBlIjogImFwcGxpY2F0aW9uL3ZuZC5vY2kuaW1hZ2UuY29uZmlnLnYxK2pzb24iLAoJCSJkaWdlc3QiOiAic2hhMjU2OmFmM2YwZjQ4YTI0ZWRiODRlOTRhZmY2ZjQ0ZjVkMDg5MjAzNDUzNzE5ZDNiMjMyODQ4NmQzMTFlNjFkYjliMDkiLAoJCSJzaXplIjogNDU5Cgl9LAoJImxheWVycyI6IFsKCQl7CgkJCSJtZWRpYVR5cGUiOiAiYXBwbGljYXRpb24vdm5kLm9jaS5pbWFnZS5sYXllci52MS50YXIrZ3ppcCIsCgkJCSJkaWdlc3QiOiAic2hhMjU2OjYxZGZiNTA3MTJmNWZmOTJjODgwODEzMjEwMjU3YTQyMTY5ZmYwOTM3ODk2YWU5NWRhYjc2MzU4MmNjMzgwZTIiLAoJCQkic2l6ZSI6IDIyMTE2NTYKCQl9CgldLAoJImFubm90YXRpb25zIjogewoJCSJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudXJsIjogImh0dHBzOi8vZ2l0aHViLmNvbS9kb2NrZXItbGlicmFyeS9idXN5Ym94IiwKCQkib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnZlcnNpb24iOiAiMS4zNy4wLWdsaWJjIgoJfQp9Cg==",
"config": "ewoJImNvbmZpZyI6IHsKCQkiQ21kIjogWwoJCQkic2giCgkJXSwKCQkiRW52IjogWwoJCQkiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iCgkJXQoJfSwKCSJjcmVhdGVkIjogIjIwMjQtMDktMjZUMjE6MzE6NDJaIiwKCSJoaXN0b3J5IjogWwoJCXsKCQkJImNyZWF0ZWQiOiAiMjAyNC0wOS0yNlQyMTozMTo0MloiLAoJCQkiY3JlYXRlZF9ieSI6ICJCdXN5Qm94IDEuMzcuMCAoZ2xpYmMpLCBEZWJpYW4gMTMiCgkJfQoJXSwKCSJyb290ZnMiOiB7CgkJInR5cGUiOiAibGF5ZXJzIiwKCQkiZGlmZl9pZHMiOiBbCgkJCSJzaGEyNTY6NDk1YmEwMGYyNTQ3NDQ4ZDYyOWNlMGZmNDUxYjM1MmI4NzhkNGUzNjE2ZmMyNDM0NTg1OTUyZGJjMmJiZjAyOSIKCQldCgl9LAoJImFyY2hpdGVjdHVyZSI6ICJhbWQ2NCIsCgkib3MiOiAibGludXgiCn0K",
"repoDigests": [
"index.docker.io/library/busybox@sha256:b3255e7dfbcd10cb367af0d409747d511aeb66dfac98cf30e97e87e4207dd76f"
],
"architecture": "amd64",
"os": "linux"
}
},
"distro": {
"prettyName": "BusyBox v1.37.0",
"name": "busybox",
"id": "busybox",
"idLike": ["busybox"],
"version": "1.37.0",
"versionID": "1.37.0"
},
"descriptor": {
"name": "syft",
"version": "1.42.3",
"configuration": {
"catalogers": {
"requested": {
"default": ["image", "file"]
},
"used": [
"alpm-db-cataloger",
"apk-db-cataloger",
"binary-classifier-cataloger",
"bitnami-cataloger",
"cargo-auditable-binary-cataloger",
"conan-info-cataloger",
"dotnet-deps-binary-cataloger",
"dotnet-packages-lock-cataloger",
"dpkg-db-cataloger",
"elf-binary-package-cataloger",
"file-content-cataloger",
"file-digest-cataloger",
"file-executable-cataloger",
"file-metadata-cataloger",
"gguf-cataloger",
"go-module-binary-cataloger",
"graalvm-native-image-cataloger",
"homebrew-cataloger",
"java-archive-cataloger",
"java-jvm-cataloger",
"javascript-package-cataloger",
"linux-kernel-cataloger",
"lua-rock-cataloger",
"nix-cataloger",
"pe-binary-package-cataloger",
"php-composer-installed-cataloger",
"php-interpreter-cataloger",
"php-pear-serialized-cataloger",
"portage-cataloger",
"python-installed-package-cataloger",
"r-package-cataloger",
"rpm-db-cataloger",
"ruby-installed-gemspec-cataloger",
"snap-cataloger",
"wordpress-plugins-cataloger"
]
},
"data-generation": {
"generate-cpes": true
},
"files": {
"content": {
"globs": null,
"skip-files-above-size": 0
},
"hashers": ["sha-1", "sha-256"],
"selection": "owned-by-package"
},
"licenses": {
"coverage": 75,
"include-content": "none"
},
"packages": {
"binary": [
"python-binary",
"python-binary-lib",
"pypy-binary-lib",
"go-binary",
"julia-binary",
"helm",
"redis-binary",
"valkey-binary",
"nodejs-binary",
"busybox-binary",
"util-linux-binary",
"haproxy-binary",
"perl-binary",
"php-composer-binary",
"httpd-binary",
"memcached-binary",
"traefik-binary",
"arangodb-binary",
"postgresql-binary",
"mysql-binary",
"mysql-binary",
"mysql-binary",
"xtrabackup-binary",
"mariadb-binary",
"rust-standard-library-linux",
"rust-standard-library-macos",
"ruby-binary",
"erlang-binary",
"erlang-alpine-binary",
"erlang-library",
"swipl-binary",
"dart-binary",
"haskell-ghc-binary",
"haskell-cabal-binary",
"haskell-stack-binary",
"consul-binary",
"hashicorp-vault-binary",
"nginx-binary",
"bash-binary",
"openssl-binary",
"qt-qtbase-lib",
"gcc-binary",
"fluent-bit-binary",
"wordpress-cli-binary",
"curl-binary",
"lighttpd-binary",
"proftpd-binary",
"zstd-binary",
"xz-binary",
"gzip-binary",
"sqlcipher-binary",
"jq-binary",
"chrome-binary",
"ffmpeg-binary",
"ffmpeg-library",
"ffmpeg-library",
"elixir-binary",
"elixir-library",
"istio-binary",
"istio-binary",
"grafana-binary",
"grafana-binary",
"envoy-binary",
"mongodb-binary",
"java-binary",
"java-jdb-binary"
],
"dotnet": {
"dep-packages-must-claim-dll": true,
"dep-packages-must-have-dll": false,
"exclude-project-references": true,
"propagate-dll-claims-to-parents": true,
"relax-dll-claims-when-bundling-detected": true
},
"golang": {
"local-mod-cache-dir": "/root/go/pkg/mod",
"local-vendor-dir": "",
"main-module-version": {
"from-build-settings": true,
"from-contents": false,
"from-ld-flags": true
},
"proxies": ["https://proxy.golang.org", "direct"],
"search-local-mod-cache-licenses": false,
"search-local-vendor-licenses": false,
"search-remote-licenses": false,
"use-packages-lib": true
},
"java-archive": {
"include-indexed-archives": true,
"include-unindexed-archives": false,
"maven-base-url": "https://repo1.maven.org/maven2",
"maven-localrepository-dir": "/root/.m2/repository",
"max-parent-recursive-depth": 0,
"resolve-transitive-dependencies": false,
"use-maven-localrepository": false,
"use-network": false
},
"javascript": {
"include-dev-dependencies": false,
"npm-base-url": "https://registry.npmjs.org",
"search-remote-licenses": false
},
"linux-kernel": {
"catalog-modules": true
},
"nix": {
"capture-owned-files": false
},
"python": {
"guess-unpinned-requirements": false,
"pypi-base-url": "https://pypi.org/pypi",
"search-remote-licenses": false
}
},
"relationships": {
"exclude-binary-packages-with-file-ownership-overlap": true,
"package-file-ownership": true,
"package-file-ownership-overlap": true
},
"search": {
"scope": "squashed"
}
}
},
"schema": {
"version": "16.1.3",
"url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.1.3.json"
}
}
pkg:generic/busybox@1.37.0
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:9fa5814b-9755-42d1-b2de-6b1097988170",
"version": 1,
"metadata": {
"timestamp": "2026-03-22T02:59:47Z",
"tools": {
"components": [
{
"type": "application",
"author": "anchore",
"name": "syft",
"version": "1.42.3"
}
]
},
"component": {
"bom-ref": "4b5ca27620c16ae8",
"type": "container",
"name": "busybox",
"version": "sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6"
}
},
"components": [
{
"bom-ref": "pkg:generic/busybox@1.37.0?package-id=4bab6ea0b54dbcb0",
"type": "application",
"name": "busybox",
"version": "1.37.0",
"cpe": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*",
"purl": "pkg:generic/busybox@1.37.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "binary-classifier-cataloger"
},
{
"name": "syft:package:type",
"value": "binary"
},
{
"name": "syft:package:metadataType",
"value": "binary-signature"
},
{
"name": "syft:location:0:layerID",
"value": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"name": "syft:location:0:path",
"value": "/bin/["
}
]
},
{
"bom-ref": "os:busybox@1.37.0",
"type": "operating-system",
"name": "busybox",
"version": "1.37.0",
"description": "BusyBox v1.37.0",
"swid": {
"tagId": "busybox",
"name": "busybox",
"version": "1.37.0"
},
"properties": [
{
"name": "syft:distro:extendedSupport",
"value": "false"
},
{
"name": "syft:distro:id",
"value": "busybox"
},
{
"name": "syft:distro:idLike:0",
"value": "busybox"
},
{
"name": "syft:distro:prettyName",
"value": "BusyBox v1.37.0"
},
{
"name": "syft:distro:versionID",
"value": "1.37.0"
}
]
},
{
"bom-ref": "d314844960140844",
"type": "file",
"name": "/bin/[",
"hashes": [
{
"alg": "SHA-1",
"content": "8dd52ce79dfc02f4af697c25783fbf34e334fd97"
},
{
"alg": "SHA-256",
"content": "786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451"
}
]
}
]
}
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:26a2f9d8-e059-4a4e-96cb-ac6289d242c3" version="1">
<metadata>
<timestamp>2026-03-22T02:59:47Z</timestamp>
<tools>
<components>
<component type="application">
<author>anchore</author>
<name>syft</name>
<version>1.42.3</version>
</component>
</components>
</tools>
<component bom-ref="4b5ca27620c16ae8" type="container">
<name>busybox</name>
<version>sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6</version>
</component>
</metadata>
<components>
<component bom-ref="pkg:generic/busybox@1.37.0?package-id=4bab6ea0b54dbcb0" type="application">
<name>busybox</name>
<version>1.37.0</version>
<cpe>cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*</cpe>
<purl>pkg:generic/busybox@1.37.0</purl>
<properties>
<property name="syft:package:foundBy">binary-classifier-cataloger</property>
<property name="syft:package:type">binary</property>
<property name="syft:package:metadataType">binary-signature</property>
<property name="syft:location:0:layerID">sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029</property>
<property name="syft:location:0:path">/bin/[</property>
</properties>
</component>
<component bom-ref="os:busybox@1.37.0" type="operating-system">
<name>busybox</name>
<version>1.37.0</version>
<description>BusyBox v1.37.0</description>
<swid tagId="busybox" name="busybox" version="1.37.0"></swid>
<properties>
<property name="syft:distro:extendedSupport">false</property>
<property name="syft:distro:id">busybox</property>
<property name="syft:distro:idLike:0">busybox</property>
<property name="syft:distro:prettyName">BusyBox v1.37.0</property>
<property name="syft:distro:versionID">1.37.0</property>
</properties>
</component>
<component bom-ref="d314844960140844" type="file">
<name>/bin/[</name>
<hashes>
<hash alg="SHA-1">8dd52ce79dfc02f4af697c25783fbf34e334fd97</hash>
<hash alg="SHA-256">786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451</hash>
</hashes>
</component>
</components>
</bom>
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "busybox",
"documentNamespace": "https://anchore.com/syft/image/busybox-8a2bf822-31f9-48b2-914d-03abf2afea16",
"creationInfo": {
"licenseListVersion": "3.28",
"creators": ["Organization: Anchore, Inc", "Tool: syft-1.42.3"],
"created": "2026-03-22T02:59:48Z"
},
"packages": [
{
"name": "busybox",
"SPDXID": "SPDXRef-Package-binary-busybox-4bab6ea0b54dbcb0",
"versionInfo": "1.37.0",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from the following paths: /bin/[",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:generic/busybox@1.37.0"
}
]
},
{
"name": "busybox",
"SPDXID": "SPDXRef-DocumentRoot-Image-busybox",
"versionInfo": "sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6"
}
],
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/busybox@sha256%3A70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6?arch=amd64&tag=latest"
}
],
"primaryPackagePurpose": "CONTAINER"
}
],
"files": [
{
"fileName": "bin/[",
"SPDXID": "SPDXRef-File-bin---d314844960140844",
"fileTypes": ["APPLICATION", "BINARY"],
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "8dd52ce79dfc02f4af697c25783fbf34e334fd97"
},
{
"algorithm": "SHA256",
"checksumValue": "786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "bin/getconf",
"SPDXID": "SPDXRef-File-bin-getconf-d8b4b0ee50a72f84",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/ld-linux-x86-64.so.2",
"SPDXID": "SPDXRef-File-lib-ld-linux-x86-64.so.2-6681d507794b7a47",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libc.so.6",
"SPDXID": "SPDXRef-File-lib-libc.so.6-fa1a2820b33b12fb",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libm.so.6",
"SPDXID": "SPDXRef-File-lib-libm.so.6-99390ad40b63cca1",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libnss_compat.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-compat.so.2-508efbee2c64181a",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libnss_dns.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-dns.so.2-e26d861c3630126f",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libnss_files.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-files.so.2-27d8277367f5811d",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libnss_hesiod.so.2",
"SPDXID": "SPDXRef-File-lib-libnss-hesiod.so.2-4e738b5ae019acd0",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libpthread.so.0",
"SPDXID": "SPDXRef-File-lib-libpthread.so.0-8fd2d779fbd33180",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
{
"fileName": "lib/libresolv.so.2",
"SPDXID": "SPDXRef-File-lib-libresolv.so.2-4ddab587142f1aa2",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": ["NOASSERTION"],
"copyrightText": "NOASSERTION",
"comment": "layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-Package-binary-busybox-4bab6ea0b54dbcb0",
"relatedSpdxElement": "SPDXRef-File-bin---d314844960140844",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-Image-busybox",
"relatedSpdxElement": "SPDXRef-Package-binary-busybox-4bab6ea0b54dbcb0",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-DocumentRoot-Image-busybox",
"relationshipType": "DESCRIBES"
}
]
}
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: busybox
DocumentNamespace: https://anchore.com/syft/image/busybox-487ce989-2b09-4cde-8e3d-003597fc6048
LicenseListVersion: 3.28
Creator: Organization: Anchore, Inc
Creator: Tool: syft-1.42.3
Created: 2026-03-22T02:59:48Z
##### Unpackaged files
FileName: bin/[
SPDXID: SPDXRef-File-bin---d314844960140844
FileType: APPLICATION
FileType: BINARY
FileChecksum: SHA1: 8dd52ce79dfc02f4af697c25783fbf34e334fd97
FileChecksum: SHA256: 786295804cdc6f04ce18325a96b2a7bf17ecc29d89fbb76d23b6f46370deb451
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: bin/getconf
SPDXID: SPDXRef-File-bin-getconf-d8b4b0ee50a72f84
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/ld-linux-x86-64.so.2
SPDXID: SPDXRef-File-lib-ld-linux-x86-64.so.2-6681d507794b7a47
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libc.so.6
SPDXID: SPDXRef-File-lib-libc.so.6-fa1a2820b33b12fb
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libm.so.6
SPDXID: SPDXRef-File-lib-libm.so.6-99390ad40b63cca1
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libnss_compat.so.2
SPDXID: SPDXRef-File-lib-libnss-compat.so.2-508efbee2c64181a
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libnss_dns.so.2
SPDXID: SPDXRef-File-lib-libnss-dns.so.2-e26d861c3630126f
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libnss_files.so.2
SPDXID: SPDXRef-File-lib-libnss-files.so.2-27d8277367f5811d
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libnss_hesiod.so.2
SPDXID: SPDXRef-File-lib-libnss-hesiod.so.2-4e738b5ae019acd0
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libpthread.so.0
SPDXID: SPDXRef-File-lib-libpthread.so.0-8fd2d779fbd33180
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
FileName: lib/libresolv.so.2
SPDXID: SPDXRef-File-lib-libresolv.so.2-4ddab587142f1aa2
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION
FileComment: layerID: sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029
##### Package: busybox
PackageName: busybox
SPDXID: SPDXRef-DocumentRoot-Image-busybox
PackageVersion: sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
PrimaryPackagePurpose: CONTAINER
FilesAnalyzed: false
PackageChecksum: SHA256: 70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:oci/busybox@sha256%3A70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6?arch=amd64&tag=latest
##### Package: busybox
PackageName: busybox
SPDXID: SPDXRef-Package-binary-busybox-4bab6ea0b54dbcb0
PackageVersion: 1.37.0
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from the following paths: /bin/[
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:generic/busybox@1.37.0
##### Relationships
Relationship: SPDXRef-Package-binary-busybox-4bab6ea0b54dbcb0 OTHER SPDXRef-File-bin---d314844960140844
RelationshipComment: evident-by: indicates the package's existence is evident by the given file
Relationship: SPDXRef-DocumentRoot-Image-busybox CONTAINS SPDXRef-Package-binary-busybox-4bab6ea0b54dbcb0
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DocumentRoot-Image-busybox
{
"version": 0,
"job": {},
"detector": {
"name": "syft",
"url": "https://github.com/anchore/syft",
"version": "1.42.3"
},
"metadata": {
"syft:distro": "pkg:generic/busybox@1.37.0?like=busybox"
},
"manifests": {
"busybox:latest:/bin/busybox": {
"name": "busybox:latest:/bin/busybox",
"file": {
"source_location": "busybox:latest:/bin/busybox"
},
"metadata": {
"syft:filesystem": "sha256:495ba00f2547448d629ce0ff451b352b878d4e3616fc2434585952dbc2bbf029"
},
"resolved": {
"pkg:generic/busybox@1.37.0": {
"package_url": "pkg:generic/busybox@1.37.0",
"relationship": "direct",
"scope": "runtime"
}
}
}
},
"scanned": "2026-03-22T02:59:49Z"
}
Writing output to files
Direct Syft output to a file instead of stdout by appending =<file> to the format option:
# Write JSON to a file
syft <source> -o json=sbom.json
# Write to stdout (default behavior)
syft <source> -o json
Multiple outputs
Generate multiple SBOM formats in a single run by specifying multiple -o flags:
syft <source> \
-o json=sbom.json \
-o spdx-json=sbom.spdx.json
You can both display to terminal and write to file:
syft <source> \
-o table \ # report to stdout
-o json=sbom.json # write to file
FAQ
Which format should I use?
- For human review: Use
table(default) for quick package lists - For automation and queries: Use
jsonto access all Syft data including file details, relationships, and metadata - For compliance and sharing: Use
spdx-jsonorcyclonedx-json- both are widely supported industry standards - For custom formats: Use
templateto create your own output format
Can I convert between formats?
Yes! See the Format Conversion guide to convert existing SBOMs between formats without re-scanning.
Do all formats contain the same information?
No. Syft’s native json format contains the most complete information. Standard formats (SPDX, CycloneDX) contain package data but may not include all file details or Syft-specific metadata. Some data may be omitted or transformed to fit the target schema.
Which version should I use for SPDX or CycloneDX?
Use the latest version (default) unless you need compatibility with specific tools that require older versions. Check your downstream tools’ documentation for version requirements.
Next steps
Continue the guide
Next: Explore Working with Syft JSON to learn how to query and extract specific data from Syft’s native format using jq.Additional resources:
- Custom formats: Learn about customizing output with templates for specialized formats
- Convert formats: See Format Conversion to convert between different SBOM formats
- Advanced settings: Check configuration options for format-specific settings