
Images produced by apko can't be scanned by Snyk

Open NeilJed opened this issue 1 year ago • 2 comments

I've been building some base images with apko but when attempting to scan them locally or remotely with Snyk I'm presented with the error "Invalid OCI Image". I get similar issues when trying to scan them from a remote repository.

Having done some digging, I see that this issue also exists with Kaniko as detailed in this issue here: https://github.com/GoogleContainerTools/kaniko/issues/1976

As noted in the thread, apko uses the same tar.gz + sha: prefix naming convention as Kaniko which Snyk (and other tools) can't seem to handle:

tar xvf out.tar.gz -C apko/
x sha256:c1430763aaa262e6080a79aa7898e0872eb4f98582d2588abfc001a3e7ea4b2c
x 86fba8ea54b9cf5891dc96f353048e564df6398ac6d5ad51b4830d65878958ea.tar.gz
x sha256:d60dcde6334380312a0442ae7751edb20847768211f02a6e11502e59839ddd36
x 8892bfbbf1e1c5d481d7f4659e30fa4613acdbc1e4592549f98e9ffc871bf41d.tar.gz
x manifest.json
x sha256:69929f308833e75856197e7ebf8cbdad9e23ced1e98c1815fc1317a206c952b2
x sha256:3e1f32ed6a56b71f3e52d1409b64fcd42eb9257016aa9613516895161f557eaa
x index.json

However, scanning with Docker Scout works fine.

Really I guess this is more of an issue with Snyk but is this something that could be done in apko via some sort of --legacy flag to use a more compatible naming convention?

NeilJed avatar Aug 14 '24 15:08 NeilJed
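The `tar xvf` listing above shows the two naming styles that trip up some scanners: config and manifest blobs stored as `sha256:<hex>` and layers stored as `<hex>.tar.gz`, with `manifest.json` and `index.json` alongside them. Whatever a scanner makes of the names, the digest embedded in each filename is still the integrity anchor for that blob. The following is an added example, not code from apko, Kaniko or the issue's author: it constructs a tiny tarball in that layout in memory (all content is made up), then checks that every digest-named member hashes to its own name and that every digest referenced from `index.json` and the manifest actually exists in the archive. The `tamper` flag, the sample content and the `verify_layout` function are this example's own inventions.

```python
import gzip
import hashlib
import io
import json
import re
import tarfile

# Member names look like "sha256:<hex>" (config/manifest blobs) or
# "<hex>.tar.gz" (layers), as in the apko/Kaniko listing quoted in the issue.
DIGEST_NAME = re.compile(r"^(?:sha256:)?([0-9a-f]{64})(?:\.tar\.gz)?$")


def build_sample_layout(tamper: bool = False) -> bytes:
    """Build a constructed (fake) tarball using the digest-as-filename layout.

    With tamper=True the layer bytes are altered *after* the digest was
    computed, so the file name no longer matches its content.
    """
    layer = gzip.compress(b"constructed layer contents", mtime=0)
    config = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
    layer_digest = hashlib.sha256(layer).hexdigest()
    config_digest = hashlib.sha256(config).hexdigest()

    manifest = json.dumps({
        "schemaVersion": 2,
        "config": {"digest": "sha256:" + config_digest, "size": len(config)},
        "layers": [{"digest": "sha256:" + layer_digest, "size": len(layer)}],
    }).encode()
    manifest_digest = hashlib.sha256(manifest).hexdigest()

    index = json.dumps({
        "schemaVersion": 2,
        "manifests": [{"digest": "sha256:" + manifest_digest, "size": len(manifest)}],
    }).encode()
    # Docker-style manifest.json that sits beside the OCI index in this layout.
    docker_manifest = json.dumps([{
        "Config": "sha256:" + config_digest,
        "RepoTags": [],
        "Layers": [layer_digest + ".tar.gz"],
    }]).encode()

    if tamper:
        layer += b"\x00"  # corrupt the blob but keep its original file name

    members = [
        ("sha256:" + config_digest, config),
        (layer_digest + ".tar.gz", layer),
        ("sha256:" + manifest_digest, manifest),
        ("manifest.json", docker_manifest),
        ("index.json", index),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_layout(tar_bytes: bytes) -> dict:
    """Check digest-named members against their content and follow references.

    Returns {"matched": [...], "mismatched": [...], "missing_refs": [...]}.
    """
    results = {"matched": [], "mismatched": [], "missing_refs": []}
    blobs = {}   # hex digest (from the file name) -> bytes
    index = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            m = DIGEST_NAME.match(member.name)
            if m:
                expected = m.group(1)
                blobs[expected] = data
                actual = hashlib.sha256(data).hexdigest()
                bucket = "matched" if actual == expected else "mismatched"
                results[bucket].append(member.name)
            elif member.name == "index.json":
                index = json.loads(data)

    # index.json -> image manifest -> config + layers: every digest must exist.
    for desc in index.get("manifests", []):
        manifest_hex = desc["digest"].split(":", 1)[1]
        if manifest_hex not in blobs:
            results["missing_refs"].append(desc["digest"])
            continue
        manifest = json.loads(blobs[manifest_hex])
        for ref in [manifest["config"], *manifest["layers"]]:
            if ref["digest"].split(":", 1)[1] not in blobs:
                results["missing_refs"].append(ref["digest"])
    return results


if __name__ == "__main__":
    print(verify_layout(build_sample_layout()))
    print(verify_layout(build_sample_layout(tamper=True)))
```

Run against a real `out.tar.gz` by passing its bytes to `verify_layout`; a non-empty `mismatched` list means a blob was altered or mis-named after it was written, and `missing_refs` means the index or manifest points at a blob the archive never contained. Neither condition is what the scanner error in the issue reports, so a clean result here narrows the problem to the tool's handling of the naming convention rather than to the image content.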

Closing as after talking to Snyk it was an issue with them.

NeilJed avatar Aug 22 '24 11:08 NeilJed

@NeilJed any resolution with Snyk?

uncledru avatar Aug 28 '24 22:08 uncledru

@NeilJed Can you close this issue (properly)?

sanmai-NL avatar Mar 01 '25 22:03 sanmai-NL