Sachith Dassanayake Software Engineering SBOMs and supply‑chain basics (Syft/Grype) — Production Hardening — Practical Guide (Dec 17, 2025)


Level: Intermediate

Date: 17 December 2025

Software Bills of Materials (SBOMs) have become indispensable in securing modern software supply chains. Syft and Grype are robust, open-source tools for generating SBOMs and matching their contents against known vulnerabilities, two of the building blocks of production hardening. This article covers the fundamentals of SBOMs, how to use Syft (0.85.0 or later) and Grype (0.70.0 or later) in practice, common pitfalls, validation approaches, and a checklist to ensure your production workloads are hardened effectively.

Prerequisites

This guide assumes:

  • Familiarity with containerisation concepts and Linux command line basics.
  • Access to a Unix-like environment (Linux/macOS). Syft and Grype work on Windows, but commands here use bash syntax.
  • Installed Syft v0.85.0+ and Grype v0.70.0+. Newer releases work the same way for every command shown here; pin whichever release you adopt in CI so that results are reproducible.
  • Basic knowledge of software dependencies and security vulnerabilities.

Hands-on steps

Step 1: Generating an SBOM with Syft

Syft creates a software bill of materials from container images, filesystems, directories, and archives. The most common use case: extract an SBOM from a container image to record exactly which OS and language packages it ships.

syft <image> -o json > sbom.json

Example:

syft alpine:3.18 -o json > alpine-sbom.json

Syft supports multiple output formats (syft-json, spdx-json, cyclonedx-json, cyclonedx-xml, table, and others; -o json is an alias for Syft's own syft-json schema). The native JSON carries the most detail and is the input Grype matches best, so use it for the Syft-to-Grype hop, and emit SPDX or CycloneDX alongside it when another tool or a customer needs a standard format. Syft can write several formats in one run by repeating -o with a format=path pair.

Step 2: Scanning for vulnerabilities with Grype

Grype consumes an SBOM, or an image directly, and matches each catalogued package against its vulnerability database. Scanning the SBOM rather than the image is the preferred pattern: the cataloguing happens once, the SBOM is stored with the build, and rescans against a fresh database are cheap.

# Scan image directly
grype <image> -o table

# Or scan from SBOM file
grype sbom:sbom.json -o json > vulns.json

Grype's vulnerability database is built by Anchore from upstream sources (NVD, GitHub Security Advisories, distribution security trackers) and is refreshed daily; by default Grype checks for a newer build at startup and downloads it. In air-gapped environments, disable the automatic check (GRYPE_DB_AUTO_UPDATE=false), point GRYPE_DB_UPDATE_URL at an internal mirror of the database listing, or fetch a database archive on a connected host and load it with grype db import. Confirm which build is in use with grype db status.

Step 3: Integrate into CI/CD pipelines

Automating SBOM generation and vulnerability scanning on each build ensures continuous visibility and compliance.

# Example GitHub Actions snippet:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # The runner does not ship Syft or Grype; install them with the official
      # scripts. Pass a release tag (e.g. v0.85.0) as the final argument to pin the version.
      - name: Install Syft and Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
      - name: Build image
        run: docker build -t myapp:latest .
      - name: Generate SBOM
        run: syft myapp:latest -o json > sbom.json
      # Keep the SBOM with the build so it can be rescanned later and handed to consumers.
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json
      # --fail-on makes the job fail when any match is at or above the given severity.
      - name: Scan vulnerabilities
        run: grype sbom:sbom.json -o table --fail-on high

Both tools accept flags for output format (-o), for excluding paths from cataloguing (syft --exclude), and for gating (grype --fail-on <severity>, plus --only-fixed to suppress findings that have no fix available yet). Both also read a .syft.yaml or .grype.yaml in the working directory; the Grype config file is the right place for an ignore list, since it is versioned alongside the code and reviewed like any other change.

Common pitfalls

  • Incorrect image referencing: Given a bare image name, Syft and Grype try the local Docker daemon, then podman, then a registry pull. On a runner without a reachable daemon a locally built image is not found, and the tool either fails or silently pulls a different image carrying the same tag from the registry. Make the source explicit with a scheme prefix (docker:myapp:latest, registry:registry.example/myapp@sha256:..., or docker-archive:image.tar after docker save) and scan by digest rather than a mutable tag wherever possible.
  • Outdated vulnerability databases: Always check the freshness of Grype's vulnerability data with grype db status. Run grype db update regularly, or import a known database build so that two runs of the same pipeline agree.
  • Assuming the SBOM is complete: Syft records what the package managers left behind: OS package databases, lockfiles and installed-package metadata, and the build information embedded in Go and Rust binaries. Libraries compiled or statically linked into a binary without such metadata, vendored copies of source, and files copied into the image outside any package manager are not catalogued, so Grype cannot match them. Inventory those components separately.
  • Over-reliance on SBOM format: While CycloneDX and SPDX formats cater to different standards, interoperability can sometimes be imperfect. Choose the format that aligns with your tooling and compliance needs.

Validation

Validation encompasses three aspects: SBOM accuracy, vulnerability detection reliability, and continued enforcement in the pipeline.

Validating SBOM completeness

Compare Syft’s generated SBOM contents against expected dependency lists from your build system (e.g., npm list, pip freeze, or OS package managers). Spot-check for missing or unexpected components.

Confirming vulnerability scan results

Cross-reference Grype results with other vulnerability scanners (e.g., Trivy, Clair) to catch false positives or false negatives. Use multiple scanners if your security policy requires it.

Automated regression testing

Integrate Syft and Grype scans in pre-release pipelines and block deployments if critical vulnerabilities exist or SBOM submission requirements are not met.
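The two validation steps above (comparing the SBOM with the build system's own dependency list, and blocking a release on the scan result) are easiest to automate by reading the tools' JSON output. The following is an example added to this guide, not part of Syft or Grype; it relies only on the fields it reads (Syft's artifacts[].name/version/type, Grype's matches[].vulnerability.id/severity/fix and matches[].artifact.name/version). The two embedded documents are constructed for the example, with synthetic package names and CVE-TEST-* identifiers, and are trimmed to those fields; real output carries many more.

```python
"""Consume Syft and Grype JSON for SBOM validation and release gating.

Example code added to this guide; not part of Syft or Grype. It reads only
Syft's artifacts[].{name,version,type} and Grype's
matches[].vulnerability.{id,severity,fix} / matches[].artifact.{name,version}.
Both sample documents below are constructed (synthetic names and IDs).
"""
import json
from collections import Counter

# Severity ranking used for the threshold check. Unknown ranks lowest, so a
# match whose severity could not be determined does not trip a "High" gate;
# report those separately (severity_summary) rather than dropping them silently.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed stand-in for `syft <image> -o json`, trimmed to the fields used here.
SAMPLE_SBOM = json.loads("""
{
  "artifacts": [
    {"name": "libexample",   "version": "1.0.0", "type": "apk"},
    {"name": "example-tool", "version": "2.3.1", "type": "apk"},
    {"name": "pyexample",    "version": "4.1.0", "type": "python"},
    {"name": "pyhelper",     "version": "0.9.0", "type": "python"},
    {"name": "pyextra",      "version": "0.1.0", "type": "python"}
  ],
  "source": {"type": "image", "name": "myapp:latest"},
  "descriptor": {"name": "syft", "version": "0.85.0"}
}
""")

# Constructed stand-in for `grype sbom:sbom.json -o json`, likewise trimmed.
SAMPLE_GRYPE = json.loads("""
{
  "matches": [
    {"vulnerability": {"id": "CVE-TEST-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["1.0.1"]}},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-TEST-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "example-tool", "version": "2.3.1"}},
    {"vulnerability": {"id": "CVE-TEST-0003", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["4.1.1"]}},
     "artifact": {"name": "pyexample", "version": "4.1.0"}},
    {"vulnerability": {"id": "CVE-TEST-0004", "severity": "Unknown",
                       "fix": {"state": "unknown", "versions": []}},
     "artifact": {"name": "pyhelper", "version": "0.9.0"}}
  ]
}
""")


def sbom_packages(sbom, pkg_type=None):
    """Return {name: version} for the artifacts Syft catalogued, optionally
    restricted to one Syft package type (e.g. "apk", "python", "npm")."""
    return {a["name"]: a["version"] for a in sbom["artifacts"]
            if pkg_type is None or a["type"] == pkg_type}


def compare_with_expected(sbom, expected, pkg_type):
    """Diff one ecosystem of the SBOM against the build system's expected
    {name: version} map (lock file, pip freeze, npm ls). Returns (missing,
    unexpected): expected packages absent or at another version, and
    catalogued packages the build never declared."""
    found = sbom_packages(sbom, pkg_type)
    missing = {n: v for n, v in expected.items() if found.get(n) != v}
    unexpected = {n: v for n, v in found.items() if n not in expected}
    return missing, unexpected


def gate(report, fail_on="High", only_fixed=False, ignore=()):
    """Return policy violations as (id, severity, name, version, fix_versions).
    A match violates when its severity is at or above fail_on, its ID is not
    in the reviewed ignore list, and (with only_fixed) a fix is recorded, so
    findings with no available fix do not block a release."""
    threshold = SEVERITY_ORDER.index(fail_on)
    violations = []
    for m in report["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln["id"] in ignore:
            continue
        severity = vuln.get("severity", "Unknown")
        rank = SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0
        if rank < threshold:
            continue
        fix = vuln.get("fix", {})
        if only_fixed and fix.get("state") != "fixed":
            continue
        violations.append((vuln["id"], severity, art["name"], art["version"],
                           tuple(fix.get("versions", []))))
    return violations


def severity_summary(report):
    """Count matches per severity, including Unknown, for the build log."""
    return Counter(m["vulnerability"].get("severity", "Unknown")
                   for m in report["matches"])


if __name__ == "__main__":
    # Constructed expected list, as if parsed from a Python lock file.
    expected_python = {"pyexample": "4.1.0", "pyhelper": "1.0.0", "pymissing": "2.0.0"}
    missing, unexpected = compare_with_expected(SAMPLE_SBOM, expected_python, "python")
    print("missing or mismatched:", missing)
    print("not declared by the build:", unexpected)
    print("severity counts:", dict(severity_summary(SAMPLE_GRYPE)))
    blocking = gate(SAMPLE_GRYPE, fail_on="High", only_fixed=True)
    for v in blocking:
        print("BLOCK", *v)
    raise SystemExit(1 if blocking or missing else 0)
```

In a pipeline, replace the two embedded documents with json.load() of the files Syft and Grype wrote, and feed the script's exit status to the deployment gate. Keep the ignore list in version control and require a reviewed reason for every entry; the only_fixed switch mirrors Grype's --only-fixed and is a policy choice, since an unfixable High finding still belongs in the summary even if it does not block the build.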

Checklist / TL;DR

  • Install Syft (v0.85.0+) and Grype (v0.70.0+).
  • Generate SBOMs from images or filesystems with syft <image> -o json > sbom.json.
  • Scan SBOMs or images for vulnerabilities: grype sbom:sbom.json or grype <image>.
  • Automate SBOM and vulnerability scanning in CI/CD pipelines.
  • Keep vulnerability databases updated.
  • Choose SBOM formats (e.g., SPDX vs CycloneDX) based on compliance and tools.
  • Validate SBOMs against known dependencies; verify scan results with multiple scanners if practical.
  • Use scanning results to block releases with high-risk vulnerabilities or mismatched SBOMs.

When to choose Syft vs alternatives

Syft stands out for fast SBOM generation, broad ecosystem support (OS packages and language-specific packages), and a native pairing with Grype. Alternatives have their own strengths: Trivy combines cataloguing and vulnerability scanning in one binary, and the CycloneDX ecosystem provides its own generators and CLI for that format. Choose based on your environment, the ecosystems you need catalogued, and the SBOM format your compliance requirements and downstream consumers expect.
