
Possibility to run Syft on a Dockerfile

Open vargenau opened this issue 2 years ago • 6 comments

What would you like to be added:

It would be nice to be able to run Syft on a Dockerfile.

Why is this needed:

Additional context:

Tern allows this.

vargenau avatar Jun 29 '22 14:06 vargenau

@vargenau Do you know how tern accomplishes this?

joshbressers avatar Jun 30 '22 01:06 joshbressers

In case it helps, https://github.com/tern-tools/tern/blob/main/tern/analyze/default/dockerfile/run.py

But also see https://github.com/moby/buildkit/issues/2773

I would love to hear more about the use cases here. Is this something that should sit between hadolint and docker sbom? If so, why? Build tool independence? Fast inner loop? Honestly interested.

bureado avatar Jul 06 '22 02:07 bureado

@vargenau Do you know how tern accomplishes this?

I do not really know. I am testing both Syft and Tern and comparing features and results.

vargenau avatar Jul 06 '22 08:07 vargenau

In case it helps, https://github.com/tern-tools/tern/blob/main/tern/analyze/default/dockerfile/run.py

That process looks very heavy and error-prone. I think it would make more sense, given the state of all tooling, to just build a Dockerfile and then scan it rather than having Syft try to untangle the layers.

joshbressers avatar Jul 14 '22 13:07 joshbressers

In case it helps, https://github.com/tern-tools/tern/blob/main/tern/analyze/default/dockerfile/run.py

That process looks very heavy and error-prone. I think it would make more sense, given the state of all tooling, to just build a Dockerfile and then scan it rather than having Syft try to untangle the layers.

I tend to agree.

I'm still curious about the use cases but IMHO static analysis will be extremely limited for the SBOM use case, and anything related to packages/dependencies at that level can probably be handled (if it isn't already) by linters.

There's a spectrum of dynamic analysis options (like the buildkit one mentioned above, another one that comes to mind is docker-slim) that all basically involve building the image anyway at which point running syft over the built image yields the best results.

In general, I think trying to produce an SBOM from an otherwise non-annotated Dockerfile can only yield an "envelope" SBOM, e.g., reference the base file, reference it's part of a larger codebase but not actually get into component substance without dynamic introspection at which point the OCI image has already materialized somewhere syft can catalog it.

bureado avatar Jul 18 '22 20:07 bureado
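To make concrete what a purely static pass over a Dockerfile can and cannot recover (the "envelope" described above), here is an added example that is not code from Syft, Tern or this thread. It parses a constructed sample Dockerfile and reports base images and declared installs, while flagging anything it cannot resolve without actually building the image.

```python
import re

# Constructed sample Dockerfile used as input for this example (not from the issue).
SAMPLE_DOCKERFILE = """\
FROM python:3.10-slim AS build
RUN apt-get update && \\
    apt-get install -y --no-install-recommends gcc libssl-dev
COPY requirements.txt .
RUN pip install -r requirements.txt
RUN pip install requests==2.28.1 flask
FROM python:3.10-slim
COPY --from=build /app /app
"""


def _logical_lines(text):
    """Join backslash-continued lines and drop blank lines and comments."""
    joined = re.sub(r"\\\n", " ", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def static_envelope(dockerfile_text):
    """Return what static analysis can see: base image refs and declared installs.

    apt packages carry no version (resolved against the index at build time),
    unpinned pip names get None, and requirements files are listed as unresolved
    because their contents are not visible in the Dockerfile itself."""
    env = {"base_images": [], "apt": [], "pip": [], "unresolved": []}
    for line in _logical_lines(dockerfile_text):
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            env["base_images"].append(args.split()[0])  # ignore 'AS <stage>'
        elif instr.upper() == "RUN":
            for cmd in re.split(r"&&|;", args):  # one shell command at a time
                toks = cmd.split()
                if toks[:2] == ["apt-get", "install"]:
                    env["apt"].extend(t for t in toks[2:] if not t.startswith("-"))
                elif toks[:2] == ["pip", "install"]:
                    it = iter(toks[2:])
                    for t in it:
                        if t in ("-r", "--requirement"):
                            env["unresolved"].append(f"requirements file {next(it, '?')}")
                        elif not t.startswith("-"):
                            name, _, ver = t.partition("==")
                            env["pip"].append((name, ver or None))
    return env
```

Even the pinned entries say nothing about transitive dependencies or what the base image already ships, which is exactly the gap that scanning the built image closes.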

Only somewhat adjacent, for future reference: https://medium.com/nttlabs/buildg-ide-90cf200abe0a

(Update) And also https://github.com/docker/scan-cli-plugin#:~:text=If%20you%20want%20more%20details%2C%20you%20can%20provide%20the%20Dockerfile%20used%20to%20create%20the%20image

bureado avatar Jul 20 '22 04:07 bureado