In this episode we will take a look at open source tools from Anchore. In fact, we will check two tools: one for SBOM generation and a second for container vulnerability scans. Let's get started!
By the way, I love their logos, I want them as the stickers on my laptop! :)
Syft is an SBOM generation tool that works from the CLI, which from a DevOps perspective is great!
Grype is a vulnerability scanner, also for CLI use.
Syft and Grype are dedicated to scanning containers.
More good news: both tools can be installed on multiple systems using installers like brew, choco, etc. This is amazing. I'll use Ubuntu installed in WSL2. Yes, I could install them directly in Windows, but I want to see them in action on Linux.
Let's install both of these tools:
$ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
Yes, security, I know :) Piping a remote script straight into sudo sh is not how we should do it, however, for now it is ok. These commands come from the documentation of both tools.
Ok, we can try to generate some SBOMs now!
By default, Syft generates data from the final layer of the image only. That is not enough for a proper scan, but a single argument enables scanning through all layers, so I will use that option in all of the next examples.
I will scan four images.
Syft can produce SBOMs in different formats. I'll use CycloneDX (CDX) in JSON format. The tool can pull images from a registry, use podman or docker, etc.
$ syft bitnami/phpbb --scope all-layers -o cyclonedx-json=sbom-phpbb.json
$ syft python --scope all-layers -o cyclonedx-json=sbom-python.json
$ syft nginx --scope all-layers -o cyclonedx-json=sbom-nginx.json
$ syft postgres --scope all-layers -o cyclonedx-json=sbom-postgres.json
By passing the -o argument multiple times we can create multiple output files in one run. Splendid. The runtime is really nicely presented in the CLI. I love the image-pulling progress visualisation :)
Syft can do more than just that. But it is enough at the moment.
Grype creates an analysis of the vulnerabilities in the container. We can provide the container itself (we will do it for two of them), or it can work on SBOMs generated by Syft (this will be the third run).
$ grype bitnami/phpbb --scope AllLayers -o cyclonedx --file vuln-sbom-phpbb.xml
$ grype python --scope AllLayers -o cyclonedx --file vuln-sbom-python.xml
$ grype sbom:sbom-nginx.json -o cyclonedx --file vuln-sbom-nginx.xml
As we can see, the vulnerability report is generated much faster from an SBOM. That is expected: all the package data has already been extracted.
The last option is the most fun. Let's connect Syft and Grype together!
$ syft postgres --scope all-layers -o cyclonedx-json | grype -o cyclonedx --file vuln-sbom-postgres.xml
Another very useful feature, ready to be used in pipelines, is failing the run on a selected vulnerability severity.
$ grype sbom:sbom-nginx.json -o cyclonedx --file vuln-sbom-nginx1.xml -f high
With -f high I want the run to fail if Grype finds any issue with high or critical severity.
✔ Vulnerability DB [no update available]
✔ Scanned image [143 vulnerabilities]
Report written to "vuln-sbom-nginx1.xml"
1 error occurred:
* discovered vulnerabilities at or above the severity threshold
And the exit code of the run is 1. Really, nothing more is needed for CI/CD pipelines!
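Grype's exit code tells the pipeline only that the threshold was crossed, so here is an added example (my own script, not part of Syft or Grype) that reads a CycloneDX JSON vulnerability report and lists which findings tripped the gate. It assumes the report was produced with grype -o cyclonedx-json (the JSON variant of the format used above) and that ratings[].severity carries CycloneDX's lowercase severity names; the embedded report and its CVE ids are constructed, not real data.

```python
import json
import sys

# Ordering used to compare a finding's severity with the gate threshold.
# Lowercase names are the values CycloneDX uses in ratings[].severity.
SEVERITY_RANK = {"unknown": 0, "none": 0, "info": 1, "low": 2,
                 "medium": 3, "high": 4, "critical": 5}

def worst_severity(vuln):
    """Return the highest severity among a vulnerability's ratings."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")

def gate(report, threshold="high"):
    """Mimic grype -f/--fail-on: collect findings at or above the threshold,
    worst first, each with the package refs it affects."""
    limit = SEVERITY_RANK[threshold]
    failing = []
    for v in report.get("vulnerabilities", []):
        sev = worst_severity(v)
        if SEVERITY_RANK.get(sev, 0) >= limit:
            refs = [a.get("ref", "?") for a in v.get("affects", [])]
            failing.append((v.get("id", "?"), sev, refs))
    return sorted(failing, key=lambda f: -SEVERITY_RANK.get(f[1], 0))

# Constructed sample in the CycloneDX 1.4 JSON layout (not a real grype report).
SAMPLE_REPORT = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:deb/debian/libfoo@1.0"}]},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/bar@2.1"}]},
        {"id": "CVE-0000-0003", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:deb/debian/baz@3.2"}]},
    ],
}

def main(path=None, threshold="high"):
    """Print the offending findings and return 1 (fail) or 0 (pass), like grype."""
    with open(path) if path else None or open(__file__) as _:  # placeholder; replaced below
        pass
    report = json.load(open(path)) if path else SAMPLE_REPORT
    failing = gate(report, threshold)
    for vid, sev, refs in failing:
        print(f"{sev:<8} {vid}  {', '.join(refs)}")
    return 1 if failing else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as python gate.py vuln-sbom-nginx.json after a grype -o cyclonedx-json run, or with no argument to see it act on the built-in sample.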
I have only one thing I want to emphasize. As these tools are created more or less together and can work together, it would be nice to unify the arguments. Example: --scope all-layers vs --scope AllLayers. A small thing, though.
I like these tools very much. These two are my favourites so far. Their scope of use is somewhat limited, but that's ok. I truly recommend implementing these two in your pipelines!