Syft for SBOM Generation
Producing Accurate Inventories from Real Artifacts
by Trex Team
Digital download – no shipping costs
Description
SBOMs are easy to generate and hard to trust. This book is for experienced security engineers, platform teams, and DevSecOps practitioners who need SBOMs that hold up under audits, incident response, and automated policy enforcement—because they are derived from the actual artifacts you ship. It treats SBOM generation as an engineering discipline, not a checkbox, and shows how Syft fits into real-world supply-chain workflows where drift, ambiguity, and tool churn can quietly break correctness.
You’ll learn how Syft’s scanning pipeline works end-to-end—sources, catalogers, normalization, and serialization—so you can reason about where inaccuracies originate. The book dives into deterministic execution (pinning versions, repeatable runs), artifact targeting and scope (images vs filesystems, layer semantics), and controlling discovery through cataloger selection, overrides, and performance tuning. It also covers format strategy and metadata fidelity: choosing SPDX/CycloneDX/Syft JSON wisely, producing stable identifiers (PURLs/CPEs), and handling relationships without over-claiming dependencies. Advanced chapters show how to use Syft JSON as a lossless archive, convert without silent data loss, and implement rigorous SBOM QA with golden samples, diffs, and regression tests.
Prerequisites include comfort with containers, CI/CD, and software packaging ecosystems. Practical guidance extends to trusted delivery: DSSE/in-toto attestations, Cosign signing and verification, release-time pipeline placeme
Product details
| ISBN | 6610001191030 |
| Publisher | NobleTrex Press |
| Publication date | 20.03.2026 |
| Language | English |