Hey folks. We've been standardizing our SBOM pipeline for Claw deployments and narrowed the tooling choice down to two main contenders: Syft and cyclonedx-cli. Both can output CycloneDX, which is our format of choice for ingestion into our artifact registry.
Here’s a quick breakdown of our experience so far:
**Syft**
* Great for direct container image and filesystem scanning. It just *understands* containers.
* Generates SBOMs from a huge variety of package ecosystems out of the box.
* The CLI is straightforward. For our base agent image, it's as simple as:
```bash
syft claw-agent:latest -o cyclonedx-json > sbom.claw-agent.cdx.json
```
* We found it particularly good at picking up OS packages (deb, rpm, apk) alongside language-specific dependencies, which is crucial for our runtime.
**cyclonedx-cli**
* More of a format-focused tool and converter. It's excellent if you have existing SBOMs or need to merge/validate them.
* Its power comes from acting as a central hub. You can feed it output from other scanners and normalize to CycloneDX or SPDX.
* We used it to generate an SBOM for our API gateway configs (a mix of YAML and binaries) by first using other analyzers, then piping into `cyclonedx-cli`.
* The validation and diff features are solid for pipeline checks.
Our current thinking is to use **Syft for the initial SBOM generation** from container images and built artifacts, given its deep scanning capability. Then, we might use **cyclonedx-cli in the pipeline** for validation and merging multiple SBOMs before signing with Sigstore.
Has anyone else run both in production, especially for agent-style workloads? I'm curious about performance on slim images and if anyone has hit any snags with dependency detection for frameworks like LangChain or Dify, where the line between application code and library can get blurry.
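As an added illustration of the validate, merge and diff stages the post assigns to cyclonedx-cli (example code, not from the original post and not either tool's own code): a small Python script that runs those checks over two constructed, abridged SBOM fragments shaped like syft's `cyclonedx-json` output. The document names `AGENT_SBOM` and `GATEWAY_SBOM`, the purl values, and the helper names are assumptions for the example; the checks mirror what a pipeline gate would reject before anything is handed to Sigstore for signing.

```python
"""Validate, merge and diff CycloneDX JSON SBOMs in pure Python.

Added example: the two sample SBOMs below are constructed to look like
abridged syft cyclonedx-json output; they are not real scan results.
"""
import json
import re
import uuid

# CycloneDX versions the gate accepts; anything else is rejected up front.
SPEC_VERSIONS = {"1.2", "1.3", "1.4", "1.5", "1.6"}
SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-fA-F-]{36}$")

# Constructed sample: what syft might emit for the base agent image (abridged).
AGENT_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:11111111-1111-4111-8111-111111111111",
    "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
}

# Constructed sample: a second SBOM (e.g. the API gateway) sharing one package.
GATEWAY_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:22222222-2222-4222-8222-222222222222",
    "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"type": "library", "name": "pyyaml", "version": "6.0.1",
         "purl": "pkg:pypi/pyyaml@6.0.1"},
    ],
}


def validate_sbom(doc):
    """Return a list of problems; an empty list means the SBOM passes the gate."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if doc.get("specVersion") not in SPEC_VERSIONS:
        problems.append(f"unknown specVersion {doc.get('specVersion')!r}")
    if not SERIAL_RE.match(str(doc.get("serialNumber", ""))):
        problems.append("serialNumber must be a urn:uuid")
    if not (isinstance(doc.get("version"), int) and doc["version"] >= 1):
        problems.append("version must be a positive integer")
    comps = doc.get("components")
    if not isinstance(comps, list):
        return problems + ["components must be a list"]
    seen = set()
    for i, comp in enumerate(comps):
        for field in ("type", "name", "version"):
            if not comp.get(field):
                problems.append(f"component[{i}] missing {field}")
        purl = str(comp.get("purl", ""))
        # A component without a purl cannot be matched against advisories.
        if not purl.startswith("pkg:"):
            problems.append(f"component[{i}] ({comp.get('name')}) has no purl")
        elif purl in seen:
            problems.append(f"duplicate purl {purl}")
        seen.add(purl)
    return problems


def merge_sboms(docs):
    """Union the components of already-validated SBOMs, de-duplicating on purl
    (first occurrence wins), and stamp the result with a fresh serialNumber."""
    merged = {}
    for doc in docs:
        for comp in doc["components"]:
            merged.setdefault(comp["purl"], comp)
    newest = max((d["specVersion"] for d in docs),
                 key=lambda v: tuple(int(x) for x in v.split(".")))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": newest,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": [merged[k] for k in sorted(merged)],
    }


def diff_sboms(old, new):
    """Report purls that appeared or disappeared between two SBOMs."""
    old_purls = {c["purl"] for c in old["components"]}
    new_purls = {c["purl"] for c in new["components"]}
    return {"added": sorted(new_purls - old_purls),
            "removed": sorted(old_purls - new_purls)}


if __name__ == "__main__":
    inputs = [AGENT_SBOM, GATEWAY_SBOM]
    for doc in inputs:
        issues = validate_sbom(doc)
        if issues:
            raise SystemExit(f"rejecting {doc['serialNumber']}: {issues}")
    combined = merge_sboms(inputs)
    print(json.dumps(diff_sboms(AGENT_SBOM, combined), indent=2))
    print(f"merged {len(combined['components'])} unique components")
```

In a real pipeline the gate would fail the build on any non-empty `validate_sbom` result and only then pass the merged document on to signing; the merge-on-purl rule is the same reason a missing purl is treated as a validation failure rather than a warning.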