SBOM scan #11

Open
origooo opened this issue Aug 8, 2023 · 3 comments
Comments

@origooo

origooo commented Aug 8, 2023

Hi,

I'm fairly new to the concept of distroless images and I cannot seem to understand the following: How would one go about doing an SBOM scan with e.g. anchore/syft?

@astefanutti
Owner

That's a good question. We would have to check how these tools analyse the container images, but in case of scratch-node used as a base image, the SBOM would be that of the packaged Node app, and I imagine it'd be technically possible to generate the SBOM from it.

@origooo
Author

origooo commented Aug 8, 2023

Thanks for the quick reply. I found out a few things and I'll try to summarise them here. Ask me to clarify if needed, because this issue kinda changed direction.

First off, I started testing both anchore/syft and anchore/grype today.

In short, syft can be used to generate an SBOM file which can be fed into grype. This step is not really necessary, since grype also uses syft to create an SBOM file prior to performing a vulnerability scan. Unless my image's/application's dependency tree changes, that step can be sped up by feeding in an SBOM file instead of having grype recreate it.

So the SBOM file will indeed include the packages I've installed. Both syft and grype catch the same packages, so all seems to be fine.

A more accurate question, with this in mind, would be if, and how, we can get syft and grype to pick up the binaries contained within the scratch image?

Correct me if I'm wrong, but these binaries are

bin/node
dev/console
etc/hostname
etc/hosts

@astefanutti
Owner

Yes, the main binary is bin/node which is a static build of Node.js. I'd be curious to know how these tools handle base Node.js images. Maybe it could be applicable to scratch-node as well.
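The question above is how a scanner can pick up a statically built bin/node in a scratch image that has no package database. The following is an added illustration, not code from syft, grype or scratch-node: it walks a rootfs, classifies ELF files by an embedded version string, and emits a minimal CycloneDX document that a scanner accepting an SBOM as input could consume. The rootfs layout, the marker pattern `node.js/v<version>` and the purl form are constructed assumptions for the demo.

```python
import json
import os
import re
import tempfile

# Assumption for illustration: a static Node.js binary carries a version marker
# of the form "node.js/v18.17.1" somewhere in its data. Real classifiers use
# patterns verified against actual builds; this one is constructed for the demo.
NODE_VERSION_RE = re.compile(rb"node\.js/v(\d+\.\d+\.\d+)")
ELF_MAGIC = b"\x7fELF"


def classify_binary(path: str):
    """Return a component dict if the file is an ELF binary with a known marker."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(ELF_MAGIC):
        return None  # text files such as etc/hostname are skipped
    match = NODE_VERSION_RE.search(data)
    if match is None:
        return None
    version = match.group(1).decode()
    return {"name": "node", "version": version, "purl": f"pkg:generic/node@{version}"}


def catalog_rootfs(root: str):
    """Walk an unpacked image rootfs and catalogue every classifiable binary."""
    components = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            component = classify_binary(full)
            if component:
                component["location"] = os.path.relpath(full, root)
                components.append(component)
    return components


def to_cyclonedx(components):
    """Emit a minimal CycloneDX JSON document for the catalogued components."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [{"type": "application", **c} for c in components],
    }, indent=2)


def build_demo_rootfs() -> str:
    """Constructed scratch-like rootfs: a fake ELF node binary plus the etc files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "node"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 32 + b"...node.js/v18.17.1..." + b"\x00" * 8)
    with open(os.path.join(root, "etc", "hostname"), "w") as fh:
        fh.write("node.js/v0.0.0 is only text here\n")  # not ELF, must be ignored
    return root
```

Run `print(to_cyclonedx(catalog_rootfs(build_demo_rootfs())))` to see the single `bin/node` component; the text file with a look-alike string is deliberately excluded because it is not an ELF object.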
