Syft

by Anchore Incv1.45.1

Last updated Jun 8, 2026

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Install with winget

$ winget install --id Anchore.Syft --exact --version 1.45.1

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

About

Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.

Installers · v1.45.1

Architecture	Type	Scope	Install	Download
x64	ZIP archive	-		Direct
arm64	ZIP archive	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

2 known CVEs via NVD

medium5.3Patched in wingetCVE-2026-33481affects before 1.42.3Mar 26, 2026
Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Sy...
Patch Vendor advisory
medium6.5Patched in wingetCVE-2023-24827affects v0.69.0Feb 6, 2023
syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment va...
Patch Vendor advisory

Source: NVD, updated 2h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr.

Related apps

G
GrypeAnchore Inc
Anchore.Grypev0.114.0
A vulnerability scanner for container images and filesystems
Q
QuillAnchore Inc
Anchore.Quillv0.7.1
Simple mac binary signing from any platform
Ente Authente
ente-io.auth-desktopv4.4.23
Open source 2FA authenticator, with end-to-end encrypted backups.
Tesseract-OCR - open source OCR engineTesseract-OCR community
tesseract-ocr.tesseractv5.5.0.20241111
Tesseract Open Source OCR Engine
O
Ollama (Portable)Ollama
Ollama.Ollama.Portablev0.20.2
Start building with open models.
P
pixiprefix-dev
prefix-dev.pixiv0.70.2
A cross-platform, multi-language package manager and workflow tool

More from Anchore Inc or browse containers, cyclonedx, docker.

Frequently asked questions

How do I install Syft on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id Anchore.Syft --exact --version 1.45.1. winget downloads the installer from Anchore Inc and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Syft silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id Anchore.Syft --exact 1.45.1 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall Syft via winget?

Run: winget uninstall --id Anchore.Syft --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Syft's Apps & Features entry.

Is Syft free?

Syft is distributed under Apache-2.0. Refer to the publisher (https://github.com/anchore/syft) for the full license terms - Wingetly itself does not charge for installation.

Does Syft work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Syft directly from the publisher.

How do I keep Syft up to date?

Run winget upgrade --id Anchore.Syft --exact, or winget upgrade --all to update everything winget tracks. We index 10 versions of Syft from microsoft/winget-pkgs.

Recent versions

1.45.1latest
1.45.0
1.44.0
1.43.0
1.42.4
1.42.3
1.42.2
1.42.1
1.42.0
1.41.2