[ECR] [feature request]: Inspector support for scan of SIF images

[nrcfieldsa]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Basic and enhanced scanning support for SIF container images.

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
ECR should support scanning of SIF format container images stored in a repository.
Presently, ECR gives message Scan status: UNSUPPORTED_IMAGE.

The impact of not having this feature added is that environments with singularity containers will not be able to scan their containers stored in ECR for vulnerabilities.

Are you currently working around this issue?
No. It is not currently possible for singularity (apptainer) release to push to ECR using docker:// transport. It is possible for singularity (apptainer) to pull a container from registries using docker protocol, such as public registry.

It is currently possible to push images to ECR in SIF format using oras:// transport protocol. The singularity command line can then pull these containers stored in ECR. That much is working correctly in ECR with OCI artifacts that match singularity images; when the same runtime is used to both push and pull through ORAS/OCI.

It is currently possible to push images to ECR in docker format and enhanced scanning will work. It is possible to first convert a singularity image to a docker image, and then push it with any container tools which support docker images such as docker or podman container run-time cli.

The reason this feature request should be voted for is because apptainer (singularity) containers are now becoming more common on Linux HPC clusters and having to convert between image formats in order to push to ECR for enhanced scanning to work, is problematic for users.

Additional context
The singularity image format (SIF) uses ORAS to push containers to ECR and stores the file system layers as OCI artifacts of type: application/vnd.sylabs.sif.layer.v1.sif.

• https://github.com/opencontainers/artifacts/blob/main/artifact-authors.md#defining-layermediatypes
• Apptainer: The Singularity Image Format (SIF) (GitHub)

SIF layers typically use squashfs compressed file system. However, SIF layers may also include overlays and use extfs in older .simg container images. Ideally, those additional layers could be included during scan.

• docs: Add clair-singularity to integrations.md quay/clair#475:
  • clair-singularity allows clair server to scan singularity format, by first exporting layers as tar.gz. Have not tested this integration.
• https://github.com/singularityhub/stools:
  • docker-compose.yml starts clair-scanner in order to scan SIF images using sclair command.

Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)