Grype only supports SKOPEO when using 'docker-archive' format. #2051
Comments
Hi @SDDunt, Thanks for the issue and the detailed steps to reproduce. The docs specifically say that they support image archives as a result of skopeo copy:
We also support scanning a directory. However, if you look at the result of copying a docker image to a directory via skopeo, skopeo has just unpacked the OCI format, rather than inflated the filesystem:
As you can see, there aren't any packages or anything in that directory, just OCI image internals. Syft and Grype, when scanning a directory, are not expecting an untarred OCI image and so don't find anything. If you want to scan archived images with Syft or Grype, please use Is there a specific use case you had in mind? I am not sure of a reason it would be preferable to skopeo copy to a directory rather than a docker archive, but maybe I'm missing something.
Thanks for the explanation. We have no particular reason for using skopeo copy (without the docker-archive). We just got started that way. We're changing our process to use the docker-archive so we can run grype against the backup copies. (We are trying to reduce how many times we are pulling data out of AWS and S3.) Is it possible that the docs be updated to specify
We do support OCI dir layouts out of the box too:
Ideally we should make an update where
Marking as ready and adding some notes. There are 2 changes we want to make:
What happened:
Since the documentation: https://github.com/anchore/grype#supported-sources says: "or skopeo copy commands)" I tried to scan backup copies of our docker images and grype does not seem to scan the directories. It reports NO package, NO executable and NO vulnerabilities:
To simplify I used an off the shelf busybox image:
When I scan that, grype does NOT find any packages or any issues:
If I use skopeo and export as a 'docker-archive':
Either your docs need to be more explicit, or I'd prefer that grype also supported the dir: version of the skopeo copy command.
What you expected to happen:
When I scan the same image directly from docker I get packages, and executables, and vulnerabilities.
How to reproduce it (as minimally and precisely as possible):
See steps above.
Please also include the grype command and any configuration used.
No grype config changes made after I installed it via:
Environment:
Ubuntu 22.04, on intel - amd64
Output of grype version:
grype --version
grype 0.79.6
OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04, on intel - amd64
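
The layouts discussed in this thread (a skopeo dir: copy, an OCI directory layout, a docker-archive), as an added example that is not part of the issue or the grype project: a shell helper that picks the grype source scheme for a local path and refuses a skopeo dir: copy instead of letting it scan as an empty directory. The function names are hypothetical, and recognising a skopeo dir: copy by its manifest.json and version files is an assumption about skopeo's output.

```shell
#!/bin/sh
# Added example (not grype project code): choose the grype source scheme that
# matches a local image copy, so image internals are never scanned as "dir:".

# classify_image_path PATH -> prints one of:
#   oci-dir | skopeo-dir | dir | docker-archive | oci-archive
classify_image_path() {
    p=$1
    if [ -d "$p" ]; then
        if [ -f "$p/oci-layout" ] && [ -f "$p/index.json" ]; then
            echo oci-dir            # OCI image layout directory
        elif [ -f "$p/manifest.json" ] && [ -f "$p/version" ]; then
            # Assumption: skopeo's dir: transport writes manifest.json and a
            # version file next to the layer blobs.
            echo skopeo-dir
        else
            echo dir                # treat as a real filesystem tree
        fi
    elif [ -f "$p" ]; then
        # Tar archive: decide from the member names at the archive root.
        names=$(tar -tf "$p" 2>/dev/null) || return 1
        if printf '%s\n' "$names" | grep -Eqx '(\./)?manifest\.json'; then
            echo docker-archive
        elif printf '%s\n' "$names" | grep -Eqx '(\./)?oci-layout'; then
            echo oci-archive
        else
            return 1
        fi
    else
        return 1
    fi
}

# grype_source PATH -> prints "scheme:PATH" for grype; returns 2 when PATH is
# a skopeo dir: copy, which has to be re-exported before it can be scanned.
grype_source() {
    kind=$(classify_image_path "$1") || { echo "unrecognised: $1" >&2; return 1; }
    if [ "$kind" = skopeo-dir ]; then
        echo "$1 is a skopeo dir: copy; re-export it as docker-archive" >&2
        return 2
    fi
    printf '%s:%s\n' "$kind" "$1"
}
```

In a backup job the result is passed straight to the scanner, for example `grype "$(grype_source ./backup/busybox.tar)"`, and a non-zero status stops the job before an empty report is recorded as a clean scan.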