Dockle vs Syft
GitHub Stats
About Dockle
Dockle is a container image linter for security, helping build the best practice Docker/OCI image. It checks built container images for security issues and best practice violations based on the CIS Docker Benchmark and additional security checks. Unlike Dockerfile linters that only analyze the build instructions, Dockle inspects the actual built image, catching issues like credentials left in image layers, unnecessary setuid/setgid binaries, missing USER directives (running as root), writable executables, and unused environment variables containing secrets. Dockle outputs clear, actionable findings with severity levels (FATAL, WARN, INFO) and references to CIS benchmark sections. It integrates easily into CI/CD pipelines, supports JSON output for automation, and can be configured with an ignore file for accepted risks. Dockle fills the gap between Dockerfile linting (like Hadolint) and runtime scanning (like Falco).
About Syft
Syft is a CLI tool and Go library from Anchore for generating a Software Bill of Materials (SBOM) from container images and filesystems. It catalogues all packages, libraries, and dependencies present in a container image or directory, producing structured output in SPDX, CycloneDX, or Syft's native JSON format. Syft supports package detection for Alpine (apk), Debian (dpkg), Red Hat (rpm), Python (pip/poetry/pipenv), JavaScript (npm/yarn), Java (Maven/Gradle), Go modules, Rust (Cargo), Ruby (Gems), .NET (NuGet), and many other package ecosystems. SBOMs are increasingly required for software supply chain security compliance, and Syft integrates with Grype (Anchore's vulnerability scanner) to check the generated SBOM against known vulnerability databases. This pairing provides a complete supply chain security workflow: know what you're running (Syft) and whether it's vulnerable (Grype).
Platform Support
Tags
Dockle only
Syft only