Syft Module#
The Syft module creates SyftPackage nodes with DEPENDS_ON dependency relationships from Syft.
Purpose#
While Trivy provides vulnerability scanning and creates TrivyPackage nodes with CVE findings, it lacks dependency relationship information. Syft complements Trivy by creating SyftPackage nodes with DEPENDS_ON relationships between them.
This enables powerful queries like browsing the dependency tree and identifying direct vs transitive dependencies.
Usage#
Generate Syft Output#
# Generate Syft JSON for an image
syft nginx:latest -o syft-json=nginx-syft.json
Run Cartography#
# With local files
cartography --syft-source ./results
# With S3
cartography --syft-source s3://my-bucket/syft/
Key Queries#
Browse the SyftPackage dependency tree#
MATCH path = (p:SyftPackage)-[:DEPENDS_ON*1..5]->(dep:SyftPackage)
WHERE NOT exists((p)<-[:DEPENDS_ON]-())
RETURN path
Find all SyftPackages that depend on a specific package#
MATCH (upstream:SyftPackage)-[:DEPENDS_ON*1..10]->(dep:SyftPackage {name: 'lodash'})
RETURN DISTINCT upstream.name
Schema#
See schema.md for details on created nodes and relationships.