docker-archive: support scanning a single image inside the archive

Open bcmedeiros opened this issue 2 years ago • 1 comments

With docker, we can save multiple images inside the same archive:

docker save img1:latest image2:latest > archive.tar

Currently, if an archive is generated like that, we get the following error:

unable to use DockerTarball source: cannot process multiple docker manifests

It would be awesome to be able to use those archives with a syntax like:

sync sbom -i docker-archive:archive.tar/img1:latest

bcmedeiros avatar Jun 21 '22 10:06 bcmedeiros

Syft / stereoscope uses GGCR for this functionality, so we wouldn't be able to easily fix this behavior internally yet.

Code:

  • https://github.com/google/go-containerregistry/blob/c90c44474acce673c0719a67e0f45a85f3dff157/pkg/v1/tarball/image.go#L137-L141
  • https://github.com/anchore/stereoscope/blob/25ebd49a842b5ac0a20c2e2b4b81335b64ad248c/pkg/image/docker/tarball_provider.go#L36

Related issues:

  • https://github.com/google/go-containerregistry/issues/1109
  • https://github.com/google/go-containerregistry/issues/651

wagoodman avatar Sep 15 '22 20:09 wagoodman
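
As an added example (not code from syft, stereoscope or go-containerregistry): `docker save` writes one entry per image into the archive's top-level `manifest.json`, which is why a multi-image archive presents several manifests. The Go code below picks the single entry for a requested tag. `entry`, `selectImage` and `sampleArchive` are hypothetical names, and the archive contents are constructed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

type entry struct { // one element of manifest.json in a `docker save` archive
	Config           string
	RepoTags, Layers []string
}

// selectImage (hypothetical helper) returns the manifest entry tagged ref from a docker-archive stream.
func selectImage(r io.Reader, ref string) (entry, error) {
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err == nil; hdr, err = tr.Next() {
		if hdr.Name != "manifest.json" {
			continue
		}
		var m []entry
		if err := json.NewDecoder(tr).Decode(&m); err != nil {
			return entry{}, err
		}
		for _, e := range m {
			for _, t := range e.RepoTags {
				if t == ref {
					return e, nil
				}
			}
		}
		return entry{}, fmt.Errorf("%q is not one of the %d images in the archive", ref, len(m))
	}
	return entry{}, fmt.Errorf("manifest.json not found")
}

// sampleArchive builds a constructed two-image archive (manifest only) in memory.
func sampleArchive() io.Reader {
	body := `[{"Config":"a.json","RepoTags":["img1:latest"],"Layers":["a/layer.tar"]},{"Config":"b.json","RepoTags":["image2:latest"],"Layers":["b/layer.tar"]}]`
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "manifest.json", Mode: 0o644, Size: int64(len(body))})
	io.WriteString(tw, body)
	tw.Close()
	return buf
}

func main() { fmt.Println(selectImage(sampleArchive(), "img1:latest")) }
```

The returned entry names the config blob and layer tarballs that belong to that one image, which is the set a scanner would need to read to produce an SBOM for `img1:latest` only.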