
Publish container image

Open JamieMagee opened this issue 3 years ago • 2 comments

To make Component Detection easier to consume and use, we should start publishing container images.

Two open questions are:

  1. What should we use as a base image?
  2. Where should we publish our image?

1. What should we use as a base image?

For our base image, we can use one of dotnet's runtime-deps images^1 once #37 is merged. These images don't have any dotnet runtime installed, which makes them a lot smaller than the standard runtime images.

These are currently the .NET Core 3.1 tags available:

Tags:

3.1, 3.1-alpine, 3.1-alpine-arm64v8, 3.1-alpine3.12, 3.1-alpine3.12-arm64v8, 3.1-alpine3.13, 3.1-alpine3.13-arm64v8, 3.1-alpine3.14, 3.1-alpine3.14-arm64v8, 3.1-bionic, 3.1-bionic-arm32v7, 3.1-bionic-arm64v8, 3.1-bullseye-slim, 3.1-bullseye-slim-arm32v7, 3.1-bullseye-slim-arm64v8, 3.1-buster-slim, 3.1-buster-slim-arm32v7, 3.1-buster-slim-arm64v8, 3.1-cbl-mariner1.0, 3.1-focal, 3.1-focal-arm32v7, 3.1-focal-arm64v8

For simplicity, we may want to use 3.1-bullseye-slim, but 3.1-cbl-mariner1.0 and 3.1-alpine3.14 may also be considered.

2. Where should we publish our image?

We should push to the Microsoft Container Registry^2, but we might also want to push to the GitHub Container Registry.

JamieMagee avatar Jan 04 '22 01:01 JamieMagee

I'm a little unclear on how component detection will be used in this scenario. Is the expectation that:

  • Users will base their container images on the component detection image to make the tool available? Example:
FROM component-detection:latest
# do normal build stuff
RUN component-detection scan --SourceDirectory ...
  • Users will mount their intended scan directory when running the component detection container to scan? Example:
docker run --rm -v $(pwd):/scan component-detection:latest ...
  • Something else I'm not thinking about?

tevoinea avatar Jan 10 '22 16:01 tevoinea

The scenario I had in mind was your 2nd one: users will mount their scan directory in the container.

JamieMagee avatar Jan 10 '22 16:01 JamieMagee
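A concrete shape for the image discussed above, combining the runtime-deps base proposed in the issue body with the bind-mounted scan directory confirmed in the reply. This is an added example, not the project's own Dockerfile and not code from any participant in this thread. The project path src/Microsoft.ComponentDetection/Microsoft.ComponentDetection.csproj, the published binary name, and the local image tag component-detection:local are assumptions; only the `scan --SourceDirectory` invocation and the 3.1-bullseye-slim tag appear in the thread.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a self-contained binary so the final image needs no .NET runtime.
# The SDK image is only used here; none of it reaches the published image.
FROM mcr.microsoft.com/dotnet/sdk:3.1 AS build
WORKDIR /src
COPY . .
# Assumed project path and output; adjust to the repository's actual CLI project.
# --self-contained bundles the runtime, which is what lets runtime-deps work as the base.
RUN dotnet publish src/Microsoft.ComponentDetection/Microsoft.ComponentDetection.csproj \
    -c Release -r linux-x64 --self-contained true -o /app

# Stage 2: runtime-deps carries only the native libraries .NET needs
# (libssl, libicu, libstdc++, ...), not the runtime itself, so it is much smaller.
# In production, pin this line by digest (...:3.1-bullseye-slim@sha256:<digest>)
# rather than by tag alone so rebuilds are reproducible and reviewable.
FROM mcr.microsoft.com/dotnet/runtime-deps:3.1-bullseye-slim

# The tool parses untrusted source trees; do not run it as root inside the container.
RUN groupadd --system scanner \
    && useradd --system --gid scanner --no-create-home --shell /usr/sbin/nologin scanner

WORKDIR /app
COPY --from=build /app/ ./
USER scanner

# The directory to scan is supplied at run time by bind mount, per the thread's
# second scenario; nothing is baked into the image.
VOLUME ["/scan"]

# Assumed binary name produced by the publish step above.
ENTRYPOINT ["/app/Microsoft.ComponentDetection"]
CMD ["scan", "--SourceDirectory", "/scan"]

# Usage (image tag is an assumption):
#   docker build -t component-detection:local .
#   docker run --rm -v "$(pwd):/scan:ro" component-detection:local
```

Mounting the source tree read-only (`:ro`) keeps a misbehaving detector, or a malicious build script it shells out to, from modifying the repository being scanned; if the tool needs to write results, point its output at a separate writable mount rather than dropping `:ro`. Note also the trade-off raised later in this thread: detectors that invoke language toolchains will need those toolchains installed in stage 2, which reintroduces size and attack surface that the runtime-deps choice was meant to avoid, so install only the ones the scan actually requires.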

@JamieMagee Since the detectors have dependencies on various language runtimes, IMHO using bullseye-slim would be much simpler, as installation of these is easy. On Alpine, for example, there's no way to install golang without compiling it AFAIK.

Should I make a PR with an image based on this? It'll have all the major runtimes installed + the tool, of course.

sbs2001 avatar Aug 22 '22 14:08 sbs2001

@sbs2001 I'd actually been looking at this last month but didn't open a PR for it. If I get it to a PR, would you be up for reviewing it? Here's what I have so far.

JamieMagee avatar Aug 24 '22 19:08 JamieMagee

@JamieMagee I've posted a review comment on the PR.

sbs2001 avatar Aug 29 '22 01:08 sbs2001