Container Scanning With Syft
- Giuliana Bruni
- May 22
- 2 min read

When talking about container scanning it’s important to make a clear distinction between runtime scanning and static source code or filesystem analysis. The first focuses on actively running containers, whereas the second, which is the approach we take, analyses the contents of the container before it’s deployed. Scanning files early in the development process is very important to identify risks, licensing issues, and outdated components before they reach production. By shifting left in the pipeline, organisations can prevent costly re-work, maintain compliance with complex licence obligations and reduce the likelihood of introducing vulnerable libraries into live environments.
At the heart of this approach is Syft, an open source CLI tool developed by Anchore that generates a detailed Software Bill of Materials (SBOM) for container images and local project directories. Without ever executing a single line of code inside the container, Syft analyses the image or directory structure to catalogue every package it finds, whether an Alpine APK, Debian DEB, RPM, Go module, Python wheel or Java JAR. That raw inventory then flows through SCANOSS’s software intelligence, where each component is enriched with our deep, curated knowledge of licensing obligations, security vulnerabilities, cryptographic usage and contributor provenance.
Much like our use of Scancode for licence analysis, Syft is embedded in our tooling as a behind-the-scenes worker. We incorporate it into our processes to avoid “black box” scanners and deliver transparent, standardised data that integrates seamlessly into CI/CD workflows, reflecting our broader philosophy: to leverage the work done in the open source world rather than reinventing the wheel with proprietary code.
In practice, a Node.js-based backend service can be containerised and scanned using Syft to generate an SBOM. That SBOM is then enriched using SCANOSS’s own software intelligence as part of the CI workflow. Within seconds, the pipeline halts if any transitive npm package breaches your licence policy or if a critical CVE is detected. For example, if a dependency brings in an incompatible GPL-licensed module, our intelligence layer pinpoints that licence conflict. If a known OpenSSL vulnerability with an available fix exists within an indirect dependency, it flags the specific CVE and offers remediation guidance. Developers receive instant feedback in the merge request, allowing them to address issues before code merges or reaches production.
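The gate described above, as an added example that is not SCANOSS’s or Anchore’s own code: a small policy check that reads a CycloneDX SBOM of the kind Syft emits with `syft <image> -o cyclonedx-json`, joins it with an enrichment map of package URLs to advisories (standing in for the intelligence layer), and reports the licence and vulnerability violations that should stop the pipeline. The SBOM, the advisory map and the CVE identifiers are constructed sample data; the denylist and severity threshold are assumptions a team would set for its own policy.

```python
"""Policy gate over a Syft-generated CycloneDX SBOM (added example).

Assumes the SBOM came from `syft <image> -o cyclonedx-json` and that an
enrichment step supplied a map of purl -> advisories. Everything below is
constructed sample data, not output from a real scan.
"""
import json
import sys
from typing import Dict, List, Set

# Constructed sample: the fields this gate reads from a Syft CycloneDX SBOM
# of a small Node.js service image (npm, Alpine APK and a generic component).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-gpl-util", "version": "1.0.0",
         "purl": "pkg:npm/example-gpl-util@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "openssl", "version": "3.1.4-r5",
         "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64",
         "licenses": [{"expression": "Apache-2.0"}]},
        {"type": "library", "name": "node", "version": "20.11.1",
         "purl": "pkg:generic/node@20.11.1",
         "licenses": [{"license": {"name": "MIT"}}]},
    ],
})

# Constructed stand-in for the enrichment step: purl -> advisories.
# The CVE ids are placeholders, not real advisories.
SAMPLE_ADVISORIES: Dict[str, List[dict]] = {
    "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64": [
        {"id": "CVE-EXAMPLE-0001", "severity": "critical", "fixed_in": "3.1.5-r0"},
    ],
    "pkg:npm/express@4.19.2": [
        {"id": "CVE-EXAMPLE-0002", "severity": "low", "fixed_in": "4.19.3"},
    ],
}

# Assumed policy: licences that may not ship, and severities that block a merge.
DENIED_LICENSES: Set[str] = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
BLOCKING_SEVERITIES: Set[str] = {"critical", "high"}
_EXPRESSION_OPERATORS = {"AND", "OR", "WITH"}


def license_ids(component: dict) -> Set[str]:
    """Collect licence identifiers from the three shapes CycloneDX allows:
    {license: {id}}, {license: {name}} and {expression: "A OR B"}.
    Expressions are split into their identifiers; a denied id anywhere in an
    expression is flagged, which is deliberately conservative."""
    ids: Set[str] = set()
    for entry in component.get("licenses", []):
        expression = entry.get("expression")
        if expression:
            for token in expression.replace("(", " ").replace(")", " ").split():
                if token.upper() not in _EXPRESSION_OPERATORS:
                    ids.add(token)
        lic = entry.get("license") or {}
        ident = lic.get("id") or lic.get("name")
        if ident:
            ids.add(ident)
    return ids


def evaluate(sbom_json: str, advisories: Dict[str, List[dict]]) -> dict:
    """Return licence and vulnerability violations plus an overall verdict."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM (syft -o cyclonedx-json)")
    licence_violations: List[dict] = []
    vulnerability_violations: List[dict] = []
    for comp in sbom.get("components", []):
        # Fall back to name@version when a component has no purl.
        purl = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        denied = sorted(license_ids(comp) & DENIED_LICENSES)
        if denied:
            licence_violations.append({"purl": purl, "licenses": denied})
        for adv in advisories.get(purl, []):
            if adv.get("severity", "").lower() in BLOCKING_SEVERITIES:
                vulnerability_violations.append({
                    "purl": purl, "id": adv["id"],
                    "severity": adv["severity"], "fixed_in": adv.get("fixed_in"),
                })
    return {
        "licence_violations": licence_violations,
        "vulnerability_violations": vulnerability_violations,
        "passed": not licence_violations and not vulnerability_violations,
    }


if __name__ == "__main__":
    # In CI the SBOM would be read from the file Syft wrote; here the sample is used.
    result = evaluate(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for v in result["licence_violations"]:
        print(f"LICENCE  {v['purl']}: {', '.join(v['licenses'])}")
    for v in result["vulnerability_violations"]:
        print(f"VULN     {v['purl']}: {v['id']} ({v['severity']}), fixed in {v['fixed_in']}")
    sys.exit(0 if result["passed"] else 1)
```

In a pipeline the non-zero exit is what halts the job; the printed lines are what a developer would see in the merge request. Keeping the policy (denylist and severity threshold) in version control beside the service is what makes the check repeatable from one build to the next.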
This form of source-level container analysis is complementary to other methods but offers unique advantages. It’s repeatable, version-controllable, and decoupled from runtime behaviour, which means it fits neatly into CI pipelines.
By enriching the SBOM generation with our ever-evolving software intelligence database, SCANOSS empowers teams to manage open source risk with confidence, transparency and minimal overhead—without needing proprietary scanners. The result is an automated, standardised governance framework that keeps pace with changes in open source, scales with your organisation, and aligns with DevSecOps best practices.