{"id":368935,"date":"2021-11-18T15:00:42","date_gmt":"2021-11-18T12:00:42","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-index-your-docker-images-dependencies-with-syft-cloudsavvy-it\/"},"modified":"2021-11-18T15:00:42","modified_gmt":"2021-11-18T12:00:42","slug":"how-to-index-your-docker-images-dependencies-with-syft-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-index-your-docker-images-dependencies-with-syft-cloudsavvy-it\/","title":{"rendered":"#How to Index Your Docker Image\u2019s Dependencies With Syft \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage aligncenter size-full wp-image-14681\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/c366aa0b.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, 
https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/c366aa0b.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/c366aa0b.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Illustration showing the Syft mascot\" width=\"1202\" height=\"677\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Syft is a CLI utility that generates a Software Bill of Materials (SBOM) for container images. An SBOM is a catalogue of the dependencies used by your image. It gives you visibility into the \u201cmaterials\u201d that form your image\u2019s filesystem.<\/p>\n<p>Producing an SBOM can help you identify overly complex package supply chains that put you at risk of dependency confusion attacks. Distributing an SBOM alongside your image informs users of what lies below the surface. This provides a useful starting point when tightening supply chain security.<\/p>\n<p>Syft is developed by Anchore, which also offers a complete container scanning engine. The Syft CLI is capable of extracting package lists from images built on popular operating systems and programming languages. 
Both Docker and OCI images are supported.<\/p>\n<h2 id=\"installing-syft\"><span class=\"ez-toc-section\" id=\"Installing_Syft\"><\/span>Installing Syft<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>An installation script is available to download the latest Syft binary and add it to your path:<\/p>\n<pre><code>curl -sSfL https:\/\/raw.githubusercontent.com\/anchore\/syft\/main\/install.sh | sh -s -- -b \/usr\/local\/bin<\/code><\/pre>\n<p>Mac users can also get Syft from Homebrew by adding the <code>anchore\/syft<\/code> repository and installing the <code>syft<\/code> package.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14682\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/f15ef29f.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"950\" height=\"468\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Once you\u2019ve got Syft on your system, run <code>syft<\/code> in your terminal to display the available commands. You can generate completions for your shell by running <code>syft completion<\/code>.<\/p>\n<p>Use <code>syft version<\/code> to find your installation\u2019s version. 
Check the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/anchore\/syft\/releases\">GitHub tags page<\/a> periodically to find new releases, then reuse the installation script to download each update.<\/p>\n<h2 id=\"scanning-an-image\"><span class=\"ez-toc-section\" id=\"Scanning_an_Image\"><\/span>Scanning an Image<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Syft\u2019s functionality is currently exposed by a single sub-command, <code>syft packages<\/code>. Pass it an image tag to generate an SBOM for:<\/p>\n<pre><code>syft packages alpine:latest<\/code><\/pre>\n<p>Syft will download the image, scan its contents, and produce a catalogue of discovered packages. The output will be shown as a table in your terminal. Each result includes the detected package name, version, and type.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14683\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/943cbb69.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"960\" height=\"548\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The package list for this image is short. As it\u2019s an Alpine base image, the installed packages are intentionally streamlined to provide the smallest possible surface. Larger images could contain hundreds or thousands of packages across several different formats. 
It can be helpful to combine Syft with existing Unix terminal tools like <code>grep<\/code> and <code>awk<\/code> to extract the data you\u2019re looking for.<\/p>\n<pre><code>syft packages example-image:latest | grep example-package-to-find<\/code><\/pre>\n<h2 id=\"supported-package-types\"><span class=\"ez-toc-section\" id=\"Supported_Package_Types\"><\/span>Supported Package Types<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Syft supports many popular package formats across the leading operating systems and programming languages. The list includes:<\/p>\n<ul>\n<li><code>APK<\/code> (Alpine), <code>DEB<\/code> (Debian), and <code>RPM<\/code> (Fedora) OS packages.<\/li>\n<li>Identification of Linux distributions across Alpine, CentOS, Debian, and RHEL flavors.<\/li>\n<li>Go modules<\/li>\n<li>Java in <code>JAR<\/code>, <code>EAR<\/code>, and <code>WAR<\/code> variations<\/li>\n<li>NPM and Yarn packages<\/li>\n<li>Python Wheels and Eggs<\/li>\n<li>Ruby bundles<\/li>\n<\/ul>\n<p>Although not every language is covered, you\u2019ll still benefit from the OS-level scanning irrespective of your application\u2019s chosen stack.<\/p>\n<h2 id=\"changing-the-output-format\"><span class=\"ez-toc-section\" id=\"Changing_the_Output_Format\"><\/span>Changing the Output Format<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The default output format is called <code>table<\/code>. It renders a columnar table of results in your terminal, creating a new row for each detected package. 
An alternative human-readable format is <code>text<\/code>, which presents a list of packages with <code>Version<\/code> and <code>Type<\/code> fields nested under each entry.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14684\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/02b6d378.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"960\" height=\"548\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Syft supports several programmatic formats too:<\/p>\n<ul>\n<li><code>json<\/code> \u2013 Save package data to a JSON structure.<\/li>\n<li><code>cyclonedx<\/code> \u2013 A <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/cyclonedx.org\/specification\/overview\">CycloneDX report<\/a> in XML format.<\/li>\n<li><code>spdx<\/code> and <code>spdx-json<\/code> \u2013 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/spdx.github.io\/spdx-spec\">SPDX-compatible<\/a> reports in either tag-value or JSON format.<\/li>\n<\/ul>\n<p>Using one of these reports lets you archive findings to a file for later reference:<\/p>\n<pre><code>syft packages alpine:latest -o json &gt; alpine-packages.json<\/code><\/pre>\n<p>The standardized CycloneDX and SPDX formats can help integrate Syft scans into your CI\/CD pipelines. The data is accessible to other ecosystem tools that work with package lists and SBOM results.<\/p>\n<p>Syft also integrates with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/anchore\/grype\">Grype<\/a>, Anchore\u2019s standalone container filesystem vulnerability finder. 
Data from Syft can be fed straight into Grype if you use the JSON output format.<\/p>\n<pre><code>syft packages example-image:latest -o json &gt; sbom.json\ngrype sbom:.\/sbom.json<\/code><\/pre>\n<p>Grype will compare the package list to its index of known vulnerabilities. It\u2019ll highlight the packages that contain problems, giving you an immediate starting point to improve your security posture.<\/p>\n<h2 id=\"using-other-image-sources\"><span class=\"ez-toc-section\" id=\"Using_Other_Image_Sources\"><\/span>Using Other Image Sources<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Syft can use images from other sources besides public Docker registries. You can reference any OCI-compliant image, either via a registry tag or as a saved image tar. Paths to image archives can be handed straight to Syft:<\/p>\n<pre><code>docker image save my-image:latest &gt; my-image.tar\nsyft packages .\/my-image.tar<\/code><\/pre>\n<p>Syft works with private Docker registries too. It uses the existing credentials in your <code>~\/.docker\/config.json<\/code> file:<\/p>\n<pre><code>{\n    \"auths\": {\n        \"registry.example.com\": {\n            \"username\": \"\",\n            \"password\": \"\"\n        }\n    }\n}<\/code><\/pre>\n<p>Although Syft focuses on container image scans, it can also create an SBOM for arbitrary filesystem paths. 
You can use Syft to index your host\u2019s packages by scanning directories that commonly contain software binaries and libraries:<\/p>\n<pre><code>syft packages dir:\/usr\/bin<\/code><\/pre>\n<p>You must explicitly add the <code>dir:<\/code> scheme if you\u2019re referencing a path outside your working directory. Otherwise Syft will try to interpret it as an image tag reference.<\/p>\n<h2 id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Syft extracts package lists from your container images. The generated data acts as an SBOM for your image, increasing your awareness of your supply chain length.<\/p>\n<p>Syft is distributed as a single binary that produces reports in several different formats. It can be readily integrated into CI\/CD systems to upload an SBOM artifact as part of your image build pipeline. This increases accountability and aids audit trails by recording each image\u2019s full software list at the time it\u2019s produced.<\/p>\n<p>Adding Syft scans to your workflow keeps you informed of the packages you\u2019re using. Once you\u2019ve got this information, you can begin assessing each package to determine whether it\u2019s really needed. If you find a lot of packages that aren\u2019t used by your workload, consider switching to a minimal base image and layering only essential software on top.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/14680\/how-to-index-your-docker-images-dependencies-with-syft\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Index Your Docker Image\u2019s Dependencies With Syft \u2013 CloudSavvy IT&#8221; Syft is a CLI utility that generates a Software Bill of Materials (SBOM) for container images. An SBOM is a catalogue of dependencies used by your image. It gives you visibility into the \u201cmaterials\u201d that form your image\u2019s filesystem. 
Producing an SBOM can&#8230;<\/p>\n","protected":false},"author":1,"featured_media":368936,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/11\/c366aa0b.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-368935","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/368935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=368935"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/368935\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/368936"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=368935"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=368935"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=368935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}