This is an unofficial Syft orb used for installing Syft in your CircleCI pipeline and producing SBOMs for container images. Contributions are welcome!
- Least Privilege: Installs to a user-owned directory by default, with no `sudo` usage anywhere in this orb.
- Integrity: Checksum validation of all downloaded binaries using SHA-512.
- Provenance: Installs directly from Syft's official releases page on GitHub. No third-party websites, domains, or proxies are used.
- Confidentiality: All secrets and environment variables are handled in accordance with CircleCI's security recommendations and best practices.
- Privacy: No usage data of any kind is collected or shipped back to the orb developer.
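The integrity and least-privilege properties above describe a download-verify-install pattern. The following is an added illustration of that pattern in POSIX shell; it is not the orb's own code, and the file name, digest and install directory it uses are constructed for the demo rather than taken from the orb or from Syft's releases.

```shell
#!/bin/sh
# Added example (not the orb's own code): verify a downloaded artifact's SHA-512
# digest before installing it into a user-owned directory, without sudo.
# The "binary", its digest and the install directory below are constructed for the demo.

set -eu

# Print the hex SHA-512 digest of a file, using whichever tool is present.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file's digest matches EXPECTED (hex, case-insensitive), 1 otherwise.
verify_sha512() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha512_of "$file")
  [ "$actual" = "$expected" ]
}

# Verify the digest, then copy the file into a user-owned bin directory (mode 0755).
# Refuses to install on mismatch and never invokes sudo.
install_verified() {
  src=$1
  expected=$2
  dest_dir=$3
  if ! verify_sha512 "$src" "$expected"; then
    echo "checksum mismatch for $src; refusing to install" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/$(basename "$src")"
  chmod 0755 "$dest_dir/$(basename "$src")"
  echo "installed $(basename "$src") into $dest_dir"
}

# Demo: a constructed stand-in for a downloaded binary, installed once with the
# correct digest and then rejected after a single byte is appended.
demo() {
  work=$(mktemp -d)
  printf '#!/bin/sh\necho syft-stand-in\n' > "$work/syft"
  good=$(sha512_of "$work/syft")
  install_verified "$work/syft" "$good" "$work/bin"
  printf 'x' >> "$work/syft"
  if install_verified "$work/syft" "$good" "$work/bin"; then
    echo "tampered file was accepted" >&2
    rm -rf "$work"
    return 1
  fi
  rm -rf "$work"
}

demo
```

The expected digest is supplied by the caller rather than read from the same location as the binary, which is what makes the check meaningful: an attacker who can alter the download must also alter the value pinned in the pipeline configuration.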
Info for security teams:
- Required external access to allow when running a locked-down, self-hosted CircleCI pipeline on-prem: `github.com` (download and installation of the Syft tool).