SBOM container tools comparison

Jakub_Bochenski · September 2, 2025, 4:13pm

I put together a comparison of container scanning tools: GitHub - jakub-bochenski/container-sbom-shootout: Comparison of different tools for generating CycloneDX SBOMs for container images.

I’m looking for feedback — if you have ideas on improving the comparison or know how any of the tools could be configured for better results, I’d love to hear your thoughts!

I think Syft comes out on top, but I’ll let the results speak for themselves

The comparison uses some popular public images, using specially crafted images with controlled contents would be better, but I didn’t find time for it.

popey · September 8, 2025, 4:39pm

Thanks for sharing this @Jakub_Bochenski - I’ll certainly be taking a look.

kzantow · September 9, 2025, 1:22pm

Thanks @Jakub_Bochenski – if there are any areas where you think Syft can improve, please do let us know!

Topic		Replies	Views
Does Syft automaticaly detects existing SBOM files? Syft	1	72	March 20, 2025
Unable to detect nghttp2, brotli, and sqlite components in a container image SBOM Syft	3	41	January 14, 2025
Syft is not scanning jar files which are integrated to docker image Syft	16	57	October 30, 2025
September 25th \| Open Source Gardening \| Live Stream General	1	20	September 26, 2025
Components missing from CycloneDX json format SBOM when generation is part of a test Syft	5	43	September 9, 2025

SBOM container tools comparison

Related topics