Possiblity to run Syft on a Dockerfile #1074
Comments
|
@vargenau Do you know how tern accomplishes this? |
|
In case it helps, https://github.com/tern-tools/tern/blob/main/tern/analyze/default/dockerfile/run.py But also see moby/buildkit#2773 I would love to hear more about the use cases here. Is this something that should sit between |
I do not really know. I am testing both Syft and Tern and comparing features and results. |
That process looks very heavy and error prone. I think it would make more sense given the state of all tooling to just build a dockerfile then scan it rather than having Syft try to untangle the layers |
I tend to agree. I'm still curious about the use cases but IMHO static analysis will be extremely limited for the SBOM use case, and anything related to packages/dependencies at that level can probably be handled (if it isn't already) by linters. There's a spectrum of dynamic analysis options (like the In general, I think trying to produce an SBOM from an otherwise non-annotated Dockerfile can only yield an "envelope" SBOM, e.g., reference the base file, reference it's part of a larger codebase but not actually get into component substance without dynamic introspection at which point the OCI image has already materialized somewhere |
|
Only somehow adjacent, for future reference: https://medium.com/nttlabs/buildg-ide-90cf200abe0a (Update) And also https://github.com/docker/scan-cli-plugin#:~:text=If%20you%20want%20more%20details%2C%20you%20can%20provide%20the%20Dockerfile%20used%20to%20create%20the%20image |
What would you like to be added:
It would be nice to be able to run Syft on a Dockerfile.
Why is this needed:
Additional context:
Tern allows this.
The text was updated successfully, but these errors were encountered: