Syft SBOM Collector
Generate Software Bill of Materials automatically or detect existing Syft SBOM generation in CI pipelines. Supports CycloneDX and SPDX formats with license detection for Go, Java, Node.js, and Python.
Add syft to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/syft@v1.0.0
What This Integration Collects
This integration includes 2 collectors that gather metadata from your systems.
generate
Auto-generates a CycloneDX SBOM using Syft. Enables remote license lookups for Go, Java, Node.js, and Python. Writes full SBOM to .sbom.auto.cyclonedx with source metadata.
ci
Detects Syft execution in CI pipelines. Records source metadata to .sbom.cicd and optionally collects the generated SBOM file if the output path can be determined from command flags.
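The ci sub-collector only records an SBOM when it can work out where Syft wrote it. The following is an added example, not the lunar-lib collector's own code, of that decision: it takes a CI command line, decides whether it invokes syft, and recovers the format and on-disk path of any collectable JSON SBOM from its flags. The flag semantics it assumes are Syft's `-o/--output FORMAT[=FILE]` (repeatable) and the older `--file FILE`; output that goes to stdout has no path to collect. The command lines in the `__main__` block are constructed, not captured from a real pipeline.

```python
"""Recover the SBOM output path from a Syft command run in CI.

Added example, not the lunar-lib collector's own code. It mirrors the decision
the `ci` sub-collector has to make after a pipeline step runs: was this a Syft
invocation, and if so, which collectable SBOM files did it write? Assumed Syft
flag semantics: `-o/--output FORMAT[=FILE]` (repeatable) and the older
`--file FILE`; anything written to stdout has no path we can collect.
"""
import os
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Output formats that map onto the collector's .sbom.cicd.<kind> paths.
COLLECTABLE_FORMATS = {"cyclonedx-json": "cyclonedx", "spdx-json": "spdx"}


@dataclass
class SyftRun:
    # (format, explicit path, or None when the format goes to stdout / --file)
    outputs: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    file_flag: Optional[str] = None

    def collectable(self) -> List[Tuple[str, str]]:
        """(kind, path) for every JSON SBOM whose on-disk location is known."""
        found = []
        for fmt, path in self.outputs:
            kind = COLLECTABLE_FORMATS.get(fmt)
            path = path or self.file_flag
            if kind and path:
                found.append((kind, path))
        return found


def parse_syft_command(cmd: str) -> Optional[SyftRun]:
    """Return a SyftRun if `cmd` invokes syft, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: not something we can reason about
        return None
    if not argv or os.path.basename(argv[0]) != "syft":
        return None
    run = SyftRun()
    i = 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if arg in ("-o", "--output", "--file"):
            if i >= len(argv):
                break  # flag with no value: nothing to record
            flag, value = arg, argv[i]
            i += 1
        elif arg.startswith(("--output=", "--file=")):
            flag, value = arg.split("=", 1)
        elif arg.startswith("-o") and len(arg) > 2:  # -ocyclonedx-json=x.json
            flag, value = "-o", arg[2:]
        else:
            continue  # subcommand, source (dir:., image ref) or unrelated flag
        if flag == "--file":
            run.file_flag = value
        else:
            fmt, _, path = value.partition("=")
            run.outputs.append((fmt, path or None))
    return run


def sboms_from_ci_command(cmd: str) -> Optional[List[Tuple[str, str]]]:
    """None when the command is not syft; otherwise the collectable (kind, path) list."""
    run = parse_syft_command(cmd)
    return None if run is None else run.collectable()


if __name__ == "__main__":
    # Constructed CI command lines, not captured from a real pipeline.
    for cmd in (
        "syft dir:. -o cyclonedx-json=sbom.cdx.json",
        "syft packages . -o spdx-json --file sbom.spdx.json",
        "syft . -o cyclonedx-json",  # stdout: path cannot be determined
        "/usr/local/bin/syft scan . --output=cyclonedx-json=a.json -o spdx-json=b.json",
        "npm test",
    ):
        print(f"{cmd!r:80} -> {sboms_from_ci_command(cmd)}")
```

Note that a Syft run whose SBOM goes to stdout (`syft . -o cyclonedx-json`) is still a Syft run, so the source metadata would be recorded, but there is no file to collect; if you want the ci sub-collector to pick up the document, write it to a file with `-o cyclonedx-json=<path>`.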
How Collectors Fit into Lunar
Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.
Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.
Example Collected Data
This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:
{
  "sbom": {
    "auto": {
      "source": { "tool": "syft", "integration": "code", "version": "1.41.2" },
      "cyclonedx": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
          {
            "name": "github.com/sirupsen/logrus",
            "version": "v1.9.3",
            "licenses": [{ "license": { "id": "MIT" } }]
          }
        ]
      }
    },
    "cicd": {
      "source": { "tool": "syft", "integration": "ci", "version": "1.41.2" },
      "cyclonedx": { "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [] }
    }
  }
}
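The data above is what a guardrail gets to evaluate. As an added example (not a Lunar guardrail and not part of lunar-lib), the following walks the `.sbom.auto` and `.sbom.cicd` subtrees in exactly that shape, reads both CycloneDX and SPDX documents, and returns the kind of verdict a license guardrail would produce: whether any populated SBOM is present, and which components carry no license information. The Component JSON in the block is constructed from the page's example with one extra unlicensed component added so the check has something to report; the verdict format is this example's own.

```python
"""Check the SBOM data this collector writes under `.sbom` in the Component JSON.

Added example, not a Lunar guardrail and not part of lunar-lib. It reads the
`.sbom.auto` and `.sbom.cicd` subtrees (CycloneDX or SPDX JSON) and reports
components without license information. COMPONENT_JSON is constructed from
the page's example plus one unlicensed component.
"""
import json
from typing import Dict, Iterator, List, Tuple

COMPONENT_JSON = {
    "sbom": {
        "auto": {
            "source": {"tool": "syft", "integration": "code", "version": "1.41.2"},
            "cyclonedx": {
                "bomFormat": "CycloneDX",
                "specVersion": "1.5",
                "components": [
                    {"name": "github.com/sirupsen/logrus", "version": "v1.9.3",
                     "licenses": [{"license": {"id": "MIT"}}]},
                    # constructed: a component Syft found no license for
                    {"name": "github.com/example/internal", "version": "v0.1.0"},
                ],
            },
        },
        "cicd": {
            "source": {"tool": "syft", "integration": "ci", "version": "1.41.2"},
            "cyclonedx": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []},
        },
    }
}


def available_sboms(component: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (json_path, format, document) for each SBOM found under .sbom."""
    sbom = component.get("sbom") or {}
    for origin in ("auto", "cicd"):
        entry = sbom.get(origin) or {}
        for fmt in ("cyclonedx", "spdx"):
            doc = entry.get(fmt)
            if doc:
                yield f".sbom.{origin}.{fmt}", fmt, doc


def component_licenses(fmt: str, doc: dict) -> Dict[str, List[str]]:
    """Map 'name@version' to the license identifiers the SBOM records for it."""
    found: Dict[str, List[str]] = {}
    if fmt == "cyclonedx":
        for comp in doc.get("components", []):
            ids = []
            for lic in comp.get("licenses", []):
                # CycloneDX allows {"license": {"id"|"name": ...}} or {"expression": ...}
                inner = lic.get("license") or {}
                ident = inner.get("id") or inner.get("name") or lic.get("expression")
                if ident:
                    ids.append(ident)
            found[f"{comp.get('name')}@{comp.get('version', '')}"] = ids
    elif fmt == "spdx":
        for pkg in doc.get("packages", []):
            ids = []
            # Prefer the concluded license; NOASSERTION/NONE mean "unknown"/"none",
            # so fall through to the declared license in that case.
            for key in ("licenseConcluded", "licenseDeclared"):
                lic = pkg.get(key)
                if lic and lic not in ("NOASSERTION", "NONE"):
                    ids.append(lic)
                    break
            found[f"{pkg.get('name')}@{pkg.get('versionInfo', '')}"] = ids
    return found


def evaluate(component: dict) -> dict:
    """Fail when no populated SBOM exists or a populated SBOM has unlicensed components."""
    report = []
    for path, fmt, doc in available_sboms(component):
        licenses = component_licenses(fmt, doc)
        report.append({
            "path": path,
            "components": len(licenses),
            "unlicensed": sorted(k for k, v in licenses.items() if not v),
        })
    populated = [r for r in report if r["components"]]
    passed = bool(populated) and all(not r["unlicensed"] for r in populated)
    return {"pass": passed, "sboms": report}


if __name__ == "__main__":
    print(json.dumps(evaluate(COMPONENT_JSON), indent=2))
```

The check deliberately ignores an SBOM with zero components (as `.sbom.cicd.cyclonedx` is in the page's example) rather than treating it as clean: an empty SBOM proves nothing about the dependencies, so only populated documents count towards a pass.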
Documentation
Syft SBOM Collector
Generate or detect CycloneDX/SPDX SBOMs using Anchore Syft.
Overview
This collector generates Software Bill of Materials (SBOMs) automatically using Syft, or detects existing Syft runs in CI pipelines. It supports CycloneDX and SPDX formats with remote license detection for Go, Java, Node.js, and Python projects. The generate sub-collector runs on every code push, while the ci sub-collector detects when Syft is already part of your CI pipeline.
Collected Data
This collector writes to the following Component JSON paths:
| Path | Type | Description |
|---|---|---|
| .sbom.auto.source | object | Source metadata for auto-generated SBOMs |
| .sbom.auto.cyclonedx | object | Full CycloneDX JSON from auto-generation |
| .sbom.cicd.source | object | Source metadata for CI-detected SBOMs |
| .sbom.cicd.cyclonedx | object | CycloneDX JSON collected from CI output |
| .sbom.cicd.spdx | object | SPDX JSON collected from CI output |
Collectors
This integration provides the following collectors (use include to select a subset):
| Collector | Description |
|---|---|
| generate | Auto-generates a CycloneDX SBOM using Syft (code hook) |
| ci | Detects Syft execution in CI pipelines (ci-after-command hook) |
Installation
Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/syft@main
    on: ["domain:engineering"]

Pin the collector to a release tag (for example @v1.0.0, as in the snippet at the top of this page) rather than the moving main branch, so that the collector code your pipelines execute cannot change underneath you between runs.
Open Source
This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
Common Use Cases
Explore guardrails that use data from Syft SBOM Collector.
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.