# Syft
Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.
## 🚀 Usage

Add the following command to your CI configuration file:

```shell
fluentci run --wasm syft scan hashicorp/terraform:latest -o spdx-json=syft-report.json
```
## Commands

| Name | Description |
|---|---|
| scan | Generate an SBOM |
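Once the scan step has written `syft-report.json`, the next thing a pipeline usually does is consume it. The script below is an added example, not part of the FluentCI Syft plugin: it parses an SPDX 2.x JSON report (the `spdx-json` format requested above), lists each package with its version, license and package URL, and reports the packages for which the scanner recorded no license (`NOASSERTION`/`NONE`). The embedded SBOM is a constructed, minimal document that mimics the shape of Syft's SPDX JSON output; the package names and versions in it are invented sample data, and the field names used (`packages`, `versionInfo`, `licenseConcluded`, `externalRefs`) are those of the SPDX 2.3 JSON schema.

```python
"""Summarise and sanity-check an SPDX 2.x JSON SBOM such as syft-report.json.

Added example (not FluentCI or Syft code). Run with a report path, or with no
argument to process the constructed sample document below.
"""
import json
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample report: two packages, one without license information.
SAMPLE_SBOM = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "hashicorp/terraform:latest",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-apk-busybox",
      "name": "busybox",
      "versionInfo": "1.36.1-r15",
      "licenseConcluded": "GPL-2.0-only",
      "licenseDeclared": "GPL-2.0-only",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER",
         "referenceType": "purl",
         "referenceLocator": "pkg:apk/alpine/busybox@1.36.1-r15?arch=x86_64"}
      ]
    },
    {
      "SPDXID": "SPDXRef-Package-binary-terraform",
      "name": "terraform",
      "versionInfo": "1.9.5",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "externalRefs": []
    }
  ]
}
"""


@dataclass
class Package:
    name: str
    version: str
    license: str
    purl: Optional[str]


def parse_spdx(text: str) -> List[Package]:
    """Return the packages of an SPDX 2.x JSON document as Package records."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError(f"not an SPDX 2.x JSON document: {doc.get('spdxVersion')!r}")
    packages = []
    for pkg in doc.get("packages", []):
        # The package URL lives in externalRefs with referenceType "purl".
        purl = next(
            (ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
             if ref.get("referenceType") == "purl"),
            None,
        )
        packages.append(Package(
            name=pkg.get("name", ""),
            version=pkg.get("versionInfo", ""),
            # SPDX writes NOASSERTION / NONE when no license could be determined.
            license=pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION",
            purl=purl,
        ))
    return packages


def missing_license(packages: List[Package]) -> List[str]:
    """Names of packages whose license the scanner could not determine."""
    return [p.name for p in packages if p.license in ("NOASSERTION", "NONE")]


def main(path: Optional[str] = None) -> int:
    """Print the package table; return the count of packages lacking a license."""
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SBOM
    pkgs = parse_spdx(text)
    for p in pkgs:
        print(f"{p.name:<20} {p.version:<15} {p.license:<20} {p.purl or '-'}")
    unlicensed = missing_license(pkgs)
    if unlicensed:
        print(f"{len(unlicensed)} package(s) without license information: "
              + ", ".join(unlicensed))
    return len(unlicensed)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 0)
```

Run it as `python sbom_check.py syft-report.json` in the job that follows the scan step; it exits non-zero when any package lacks license information, so it can serve as a simple license-compliance gate on the SBOM the plugin produces.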
## Code examples

Add the `fluentci-pdk` crate to your `Cargo.toml`:

```toml
[dependencies]
fluentci-pdk = "0.2.1"
```

Use the following code to call a module function:

```rust
use fluentci_pdk::dag;

// ...

dag().call(
    "https://pkg.fluentci.io/[email protected]?wasm=1",
    "scan",
    vec!["hashicorp/terraform:latest", "-o", "spdx-json=syft-report.json"],
);
```
## CI/CD Integration

The following examples show how to integrate FluentCI with popular CI providers to generate an SBOM using Syft:

- GitHub Actions
- GitLab CI
- Circle CI
- Azure Pipelines
- AWS CodePipeline
`ci.yml`

```yaml
name: ci
on:
  push:
    branches:
      - main
jobs:
  tasks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup Fluent CI
        uses: fluentci-io/setup-fluentci@v5
        with:
          wasm: true
          plugin: syft
          args: |
            scan hashicorp/terraform:latest -o spdx-json=syft-report.json
```
`.gitlab-ci.yml`

```yaml
.docker:
  image: denoland/deno:debian-1.42.4
  services:
    - docker:${DOCKER_VERSION}-dind
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_VERIFY: "1"
    DOCKER_TLS_CERTDIR: /certs
    DOCKER_CERT_PATH: /certs/client
    DOCKER_DRIVER: overlay2
    DOCKER_VERSION: 20.10.16
    GITLAB_ACCESS_TOKEN: $GITLAB_ACCESS_TOKEN

.fluentci:
  extends: .docker
  before_script:
    - apt-get update
    - apt-get install -y curl tar gzip ca-certificates openssl git unzip libncursesw6
    - deno install -A -r https://cli.fluentci.io -n fluentci
    - fluentci --version
    - curl -L https://dl.dagger.io/dagger/install.sh | DAGGER_VERSION=0.12.3 sh
    - mv bin/dagger /usr/local/bin
    - dagger version

scan:
  extends: .fluentci
  script:
    - fluentci run --wasm syft scan hashicorp/terraform:latest -o spdx-json=syft-report.json
```
`.circleci/config.yml`

```yaml
version: 2.1
jobs:
  job:
    steps:
      - checkout
      - run:
          command: |
            sudo apt-get update && sudo apt-get install -y curl unzip
            curl -fsSL https://cli.fluentci.io | bash
            fluentci --version
          name: Setup FluentCI
      - run:
          command: fluentci run --wasm syft scan hashicorp/terraform:latest -o spdx-json=syft-report.json
          name: generate sbom
    machine:
      image: ubuntu-2004:2023.07.1
workflows:
  fluentci:
    jobs:
      - job
```
`azure-pipelines.yml`

```yaml
trigger:
  - main
pool:
  vmImage: ubuntu-latest
steps:
  - script: |
      curl -fsSL https://cli.fluentci.io | bash
      fluentci --version
      echo "##vso[task.prependpath]${HOME}/.deno/bin"
    displayName: Setup FluentCI
  - script: |
      fluentci run --wasm syft scan hashicorp/terraform:latest -o spdx-json=syft-report.json
    displayName: generate sbom
```
`buildspec.yml`

```yaml
version: 0.2
phases:
  install:
    commands:
      - curl -fsSL https://cli.fluentci.io | bash
      - fluentci --version
  build:
    commands:
      - fluentci run --wasm syft scan hashicorp/terraform:latest -o spdx-json=syft-report.json
  post_build:
    commands:
      - echo Build completed on `date`
```