When creating a Software Bill of Materials (SBOM) for your Python application, one of the best tools to use is Syft.


Recommended Tool: Syft

Syft is a CLI tool and Go library for generating Software Bill of Materials (SBOM) from container images and filesystems. Our Timesys embedded experts tested Syft within a Python ecosystem to determine how well Syft held up in producing a well-rounded SBOM.

In our testing, a 1.4 CycloneDX SBOM generated by Syft was the most well-formed SBOM found.


Why Syft?

  • In our testing, Syft correctly identifies and reported the expected packages
  • Virtual environments can be scanned for packages in addition to specifying a requirements.txt file
  • Syft is able to identify licenses for packages when creating a SBOM from a project source or directory scan
  • Syft SBOMs contain CPE and PURL data to improve the accuracy of vulnerability identification



  • Correctly identifies and reports all the packages from pip requirements.txt files.
  • Can scan and report all Python packages installed in a Python virtual environment by passing the related directory.
  • Accurately reports Python package versions in both types of scan (requirements.txt and source/directory scan).
  • Reports licenses of most of the packages from a project source/directory scan
  • SBOM contains CPE and PURL data


Data Collected

Python package fields reported in a CycloneDX SBOM (source/directory scan with JSON o/p file format)

  • bom-ref
  • type
  • author
  • name
  • version
  • licenses
  • cpe
  • purl
  • properties

At the time of this evaluation, Syft did not generate a NTIA-compliant SBOM. Below are the missing fields for NTIA compliance from a cycloneDX source/directory scan with JSON format SBOM.

  • Supplier
  • Dependency relationships


SBOM Formats

Syft generates valid SBOMs for the below industry standard SBOM formats, versions, and file formats.

Supported SBOM formats Versions File formats
CycloneDX 1.4 JSON, XML
SPDX 2.2, 2.3 JSON, tag-value


Ease of use

  • Adequate documentation is available on github to set up and use the tool.
  • Short setup time – directly Syft binaries could be downloaded from github for Windows and Linux operating systems.
  • Quick SBOM generation time – could vary from less than a minute to a few minutes
  • Active community support – Out of the tools evaluated, Syft has maximum popularity (4.7k* stars, 432* forks, and 150* releases on github) and is in active development.

* at the time of writing this blog



Besides Python, Syft supports multiple ecosystems. See this link for the complete list. It can perform both directory scans as well as Python requirements.txt scans.


Honorable mentions

The below SBOM generation tools are better than Syft for the listed use cases:

  • Cyclone-dx-python – Python package licenses identification
  • Microsoft’s sbom-tool– Maximum number of package fields in the SBOM


Miscellaneous thoughts

Though Syft supports both SPDX and CycloneDX SBOM formats and can perform directory and requirements.txt scan, it’s better at directory scan with CycloneDX output.

  • Python packages installed as dependencies of requirements.txt packages are also populated in the SBOM
  • Package licenses are also reported which are missing in the requirements.txt scan


Tools evaluated

  • Syft (version – 0.75.0)
  • cyclonedx-python (version – 11.0)
  • cdxgen (version – 2.0)
  • sbom-tool (version – 0.3.3)




How Can You Further Elevate Your SBOM Generation? With Vigiles-CLI!

To further elevate your SBOM generation and management experience with Vigiles, our comprehensive SCA tool, we’re thrilled to introduce the Vigiles Command-Line Interface (CLI) – a game-changing addition designed to revolutionize your interaction with Vigiles APIs.

This new CLI seamlessly integrates with third-party SBOM generation tools, such as syft, paving the way for a smoother and more efficient workflow. Redefine your SCA management experience and take the first step towards a more secure future by trying Vigiles Prime for 30 Days for free today!