internal/capabilities/README.md
This documentation describes the format and structure of cataloger capabilities YAML files.
Capabilities are organized as follows:
syft/pkg/cataloger/*/capabilities.yaml (one file per ecosystem, alongside the cataloger source code: golang/capabilities.yaml, python/capabilities.yaml, etc.)internal/capabilities/appconfig.yamlEach capabilities.yaml file is partially auto-generated. Run go generate ./internal/capabilities to regenerate.
There are two types of capability sections depending on cataloger type:
type: generic)type: custom)Capabilities use a field-based format with defaults and optional conditional overrides:
capabilities:
- field: <field-name> # dot-notation path (e.g., "license", "dependency.depth")
default: <value> # value when no conditions match
conditions: # optional - conditional overrides evaluated in order
- when: {ConfigField: val} # when these config fields match (AND logic)
value: <override-value> # use this value instead
comment: "explanation" # optional - why this condition exists
evidence: # optional - source code references
- "StructName.FieldName"
comment: "explanation" # optional - general field explanation
Detectors (used by custom catalogers) can have optional conditions that control when they are active. This allows a single cataloger to have different detection behavior based on configuration.
detectors:
- method: glob # AUTO-GENERATED - detection method
criteria: ["**/*.jar"] # AUTO-GENERATED - patterns to match
comment: "always active" # MANUAL - optional explanation
- method: glob
criteria: ["**/*.zip"]
conditions: # MANUAL - when this detector is active
- when: {IncludeZipFiles: true} # config fields that must match
comment: "optional explanation"
comment: "ZIP detection requires config"
when clause use AND logic (all must match)when clause use AND logic (all must match)Standard capability field names and their value types:
license (boolean)Whether license information is available.
Examples:
default: true # always available
default: false # never available
default: false # requires configuration
conditions:
- when: {SearchRemoteLicenses: true}
value: true
dependency.depth (array of strings)Which dependency depths can be discovered.
Values: direct (immediate deps), indirect (transitive deps)
Examples:
default: [direct] # only immediate dependencies
default: [direct, indirect] # full transitive closure
default: [] # no dependency information
dependency.edges (string)Relationships between nodes and completeness of the dependency graph.
Values:
"" - dependencies found but no edges between them"flat" - single level of dependencies with edges to root package only"reduced" - transitive reduction (redundant edges removed)"complete" - all relationships with accurate direct and indirect edgesExamples:
default: complete
default: ""
dependency.kinds (array of strings)Types of dependencies that can be discovered.
Values: runtime, dev, build, test, optional
Examples:
default: [runtime] # production dependencies only
default: [runtime, dev] # production and development
default: [runtime, dev, build] # all dependency types
default: [runtime] # with conditional dev deps
conditions:
- when: {IncludeDevDeps: true}
value: [runtime, dev]
package_manager.files.listing (boolean)Whether file listings are available (which files belong to the package).
Examples:
default: true
default: false
conditions:
- when: {CaptureOwnedFiles: true}
value: true
package_manager.files.digests (boolean)Whether file digests/checksums are included in listings.
Examples:
default: true
default: false
package_manager.package_integrity_hash (boolean)Whether a hash for verifying package integrity is available.
Examples:
default: true
default: false
capabilities:
- name: license
default: true
comment: "license field always present in package.json"
- name: dependency.depth
default: [direct]
- name: dependency.edges
default: ""
- name: dependency.kinds
default: [runtime]
comment: "devDependencies not parsed by this cataloger"
- name: package_manager.files.listing
default: false
- name: package_manager.files.digests
default: false
- name: package_manager.package_integrity_hash
default: false
capabilities:
- name: license
default: false
conditions:
- when: {SearchLocalModCacheLicenses: true}
value: true
comment: "searches for licenses in GOPATH mod cache"
- when: {SearchRemoteLicenses: true}
value: true
comment: "fetches licenses from proxy.golang.org"
comment: "license scanning requires configuration"
- name: dependency.depth
default: [direct, indirect]
- name: dependency.edges
default: flat
- name: dependency.kinds
default: [runtime, dev]
- name: package_manager.files.listing
default: false
- name: package_manager.files.digests
default: false
- name: package_manager.package_integrity_hash
default: true
evidence:
- "GolangBinaryBuildinfoEntry.H1Digest"