Automated Software Bill of Materials (SBOM) generation for container images, filesystems, and archives, with output in multiple industry-standard formats (SPDX and CycloneDX, plus Syft's own JSON schema).
Defensibility
stars: 8,688
forks: 809
Syft is an infrastructure-grade security tool with significant market penetration (8.6k+ stars, 800+ forks) and a high commit velocity. Its defensibility stems from the 'long tail' of package-manager support: the project maintains dozens of specialized catalogers for individual languages (Go, Java, Python, Rust, etc.) and package formats, a large maintenance burden that acts as a moat. It is a de facto standard in the DevSecOps ecosystem and is typically paired with Grype, which consumes the SBOM Syft produces and matches the cataloged packages against vulnerability data. While cloud and hosting platforms such as AWS and GitHub offer native SBOM features, Syft remains the preferred choice for vendor-neutral, local-first, CI-integrated workflows. The primary competitor is Aqua Security's Trivy, but Syft's focus on being a specialized cataloger rather than a full security platform gives it a distinct niche. Frontier labs are unlikely to compete here, as this is a low-level infrastructure problem far removed from their core LLM focus. Platform-domination risk is 'medium' only because GitHub or GitLab could eventually embed a similar engine so deeply that standalone CLI tools lose some utility; Syft's availability as a Go library keeps it portable across such platforms.
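Syft's output formats are what downstream tooling consumes, so the practical question in a pipeline is usually how to read an SBOM regardless of which `-o` format was chosen. The following is an added example, not Syft's or Grype's own code: it normalises a CycloneDX JSON and an SPDX JSON document, of the kind `syft <image> -o cyclonedx-json=base.cdx.json` and `syft <image> -o spdx-json=app.spdx.json` produce, to a set of Package URLs and reports how a base image and the application image built on it differ. The two SBOM documents embedded in the block are constructed by hand and trimmed to the fields the script reads, and the function names (`purls_from_sbom`, `split_purl`, `diff_sboms`) are mine.

```python
"""Normalise Syft-style SBOMs (CycloneDX JSON or SPDX JSON) to Package URLs and
diff two of them. Added example, not Syft's own code."""
import json

# Constructed sample, standing in for `syft <base-image> -o cyclonedx-json=...`,
# cut down to the fields this script reads.
BASE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64"},
        {"type": "library", "name": "zlib1g", "version": "1:1.2.13.dfsg-1",
         "purl": "pkg:deb/debian/zlib1g@1:1.2.13.dfsg-1?arch=amd64"},
    ],
})

def _spdx_pkg(name: str, version: str, purl: str) -> dict:
    """Build one trimmed SPDX package entry for the constructed sample below."""
    return {"name": name, "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": purl}]}

# Constructed sample, standing in for `syft <app-image> -o spdx-json=...` of the
# same image after the application layer was added.
APP_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        _spdx_pkg("openssl", "3.0.13-1~deb12u1",
                  "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64"),
        _spdx_pkg("zlib1g", "1:1.2.13.dfsg-1",
                  "pkg:deb/debian/zlib1g@1:1.2.13.dfsg-1?arch=amd64"),
        _spdx_pkg("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
        _spdx_pkg("urllib3", "1.26.5", "pkg:pypi/urllib3@1.26.5"),
    ],
})


def purls_from_sbom(text: str) -> set[str]:
    """Return the Package URLs in a CycloneDX-JSON or SPDX-JSON document.

    The format is detected from the document itself, so the caller does not
    need to know which -o format Syft was run with.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return {c["purl"] for c in doc.get("components", []) if c.get("purl")}
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return {
            ref["referenceLocator"]
            for pkg in doc.get("packages", [])
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"
        }
    raise ValueError("not a CycloneDX JSON or SPDX JSON document")


def split_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers' into
    (type, namespace/name, version); qualifiers and subpath are dropped."""
    body = purl.removeprefix("pkg:").split("?", 1)[0].split("#", 1)[0]
    path, sep, version = body.rpartition("@")
    if not sep:               # no version component at all
        path, version = body, ""
    ptype, _, name = path.partition("/")
    return ptype, name, version


def diff_sboms(old: str, new: str) -> dict[str, set[str]]:
    """Packages present only in `new` (added) or only in `old` (removed)."""
    a, b = purls_from_sbom(old), purls_from_sbom(new)
    return {"added": b - a, "removed": a - b}


if __name__ == "__main__":
    drift = diff_sboms(BASE_CDX, APP_SPDX)
    for kind in ("added", "removed"):
        for purl in sorted(drift[kind]):
            ptype, name, version = split_purl(purl)
            print(f"{kind:8} {ptype:6} {name}@{version}")
```

Run as a script it prints the drift between the two images; in CI the `added` set is the natural input to `grype sbom:app.spdx.json` or to an allow-list check, and because the format is detected from the document the same step works whichever output format the Syft invocation was configured with.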
TECH STACK
INTEGRATION
cli_tool
READINESS