Per commit performance tests

Syft
1

After a conversation with @kzantow on Syft issue 3636 I made a little python script called measure-syft. It has two purposes:

  1. Compare the base performance of the main branch, and a pending pull request - such as we did here
  2. Compare the last stable release with each commit to main, to see if performance has changed at all.

As a test, I ran it with a fairly conservative container - the nextcloud:latest one. That means there’s not a huge difference between each commit. Here’s the result.

Syft Performance Test Results

Date: 2025-02-07 16:24:58
Container: docker.io/nextcloud:latest
Environment Variables:

  • SYFT_CHECK_FOR_APP_UPDATE=false
  • SYFT_PARALLELISM=24

Results

Version/Description Commit Min (s) Max (s) Avg (s)
v1.19.0 - 20.12 20.90 20.39
chore(ci): fix composite GitHub action path in dependabot config (#3611) b7f78a6 20.30 20.93 20.59
chore(deps): bump actions/cache in /.github/actions/bootstrap (#3613) 1814a0a 20.05 20.67 20.43
chore(deps): bump actions/setup-go in /.github/actions/bootstrap (#3612) 2abfa4e 20.27 21.33 20.76
chore(deps): bump GitHub - moby/moby: The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems (#3610) dffa52f 20.18 20.46 20.30
chore(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2 (#3609) ad83f7c 20.30 20.84 20.54
chore(deps): bump github/codeql-action from 3.28.2 to 3.28.3 (#3608) a6d7ff6 20.24 20.65 20.42
chore(deps): update tools to latest versions (#3607) 1c4743f 19.94 20.97 20.46
chore(deps): bump anchore/sbom-action from 0.17.9 to 0.18.0 (#3619) a5a2b83 20.24 21.57 20.89
chore(deps): bump github/codeql-action from 3.28.3 to 3.28.4 (#3618) 5ea952e 20.25 20.61 20.42
chore(deps): bump github/codeql-action from 3.28.4 to 3.28.5 (#3622) 27b8296 20.13 21.05 20.53
chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.0 to 4.8.1 (#3621) 1a2a7cb 20.05 21.04 20.63
chore(deps): update CPE dictionary index (#3620) 5b009db 20.16 20.98 20.43
chore(deps): bump github/codeql-action from 3.28.5 to 3.28.6 (#3625) cc80e61 20.08 20.80 20.46
fix: update namespace value for OpenSUSE distros (#3615) 58dc43d 20.25 20.68 20.43
feat: update licenses to including license content when SPDX expressions are unable to be determined (#3366) f7e767f 20.33
21.21 20.63
chore(deps): bump github/codeql-action from 3.28.6 to 3.28.7 (#3628) 3fc0e04 20.17 21.26 20.52
chore(deps): bump GitHub - gkampitakis/go-snaps: Jest-like snapshot testing in Go 📸 from 0.5.8 to 0.5.9 (#3627) b89304d 20.14 21.69 20.62
docs: update descriptions with correct options (#3630) d5e52bc 20.21 20.41 20.29
chore(deps): bump github/codeql-action from 3.28.7 to 3.28.8 (#3634) bdf6804 20.16 21.29 20.48
chore(deps): update tools to latest versions (#3635) a16e374 20.11 20.97 20.45
feat: syft 3435 - add file components to cyclonedx bom output when file metadata is available (#3539) 9a9195e 20.33 24.00 21.21
chore(deps): update CPE dictionary index (#3638) 7a69f6f 20.24 21.02 20.60
chore(deps): update tools to latest versions (#3637) 4dc86a0 20.27 20.76 20.44
chore: replace all shorthand tags of mapstruct → mapstructure (#3633) 5e2ba43 20.25 20.64 20.40
Add file catalogers to selection configuration (#3505) 684b6e3 20.22 20.65 20.42
chore(deps): bump The Go Programming Language from 0.22.0 to 0.23.0 (#3644) 79ea956 20.33 22.01 20.73
chore(deps): bump sigstore/cosign-installer from 3.7.0 to 3.8.0 (#3642) 10ba5aa 20.23 20.81 20.39
chore(deps): update tools to latest versions (#3641) 7bab6e9 19.94 24.17 21.05
feat: 3626 add option enable license content; disable by default (#3631) e584c9f 20.34 21.39 20.83

I’ll run it again with a larger, more complex container. But it’s pretty time consuming, so you’ll have to wait a while for the result.

1 Like