Syft Module#

The Syft module creates SyftPackage nodes with DEPENDS_ON dependency relationships from Syft.

Purpose#

While Trivy provides vulnerability scanning and creates TrivyPackage nodes with CVE findings, it lacks dependency relationship information. Syft complements Trivy by creating SyftPackage nodes with DEPENDS_ON relationships between them.

This enables powerful queries like browsing the dependency tree and identifying direct vs transitive dependencies.

Usage#

Generate Syft Output#

# Generate Syft JSON for an image
syft nginx:latest -o syft-json=nginx-syft.json

Run Cartography#

# With local files
cartography --syft-source ./results

# With S3
cartography --syft-source s3://my-bucket/syft/

Key Queries#

Browse the SyftPackage dependency tree#

MATCH path = (p:SyftPackage)-[:DEPENDS_ON*1..5]->(dep:SyftPackage)
WHERE NOT exists((p)<-[:DEPENDS_ON]-())
RETURN path

Find all SyftPackages that depend on a specific package#

MATCH (upstream:SyftPackage)-[:DEPENDS_ON*1..10]->(dep:SyftPackage {name: 'lodash'})
RETURN DISTINCT upstream.name

Schema#

See schema.md for details on created nodes and relationships.