Software Bill of Materials and Supply Chain Security
Using Syft for Docker Image Analysis
There are many tools to generate SBOMs depending on the type of software being analyzed. Many of these tools can be found in the tool centers of SPDX and CycloneDX. Since our deployment is mainly based on Docker images, we will focus on using Syft.
Syft is a CLI tool and library for generating an SBOM from container images and filesystems. It supports multiple output formats, including SPDX and CycloneDX, and the SBOM it produces can be fed directly to grype, the vulnerability scanner maintained by the same team (Anchore), so the image only has to be unpacked and catalogued once. Let's see how we can use Syft to analyze a Docker image.
Start by installing Syft using the following command (it pipes a remote script into a shell that writes to /usr/local/bin, so review the script first and prefer pinning a release tag, which the install script accepts as a final argument, over whatever main currently points at):
curl -sSfL \
https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
sh -s -- -b /usr/local/bin
To generate an SBOM for a container image, the basic command is:
syft <image>
Here’s what happens when you run this command:
- Syft scans the container image to identify all installed software packages.
- It creates a structured list of these components, including package names, versions, and sources.
- The output format is selected with -o: the default is a human-readable table, and Syft's own JSON, SPDX (tag-value or JSON) and CycloneDX (XML or JSON) are available for integration with security tools.
Here is an example with our image (registry.gitlab.com/restqr/restqr/menu-service:v0.1.0):
syft registry.gitlab.com/restqr/restqr/menu-service:v0.1.0
You should see a list of components with their versions and types. The type tells you which ecosystem a component came from, for example:
- deb: Debian packages
- rpm: Red Hat packages
- gem: Ruby gems
- npm: Node.js packages
- python: Python packages
- binary: binaries identified from their contents rather than a package manager
- and so on
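Once the SBOM is in a machine-readable format it becomes a policy input, not just an inventory. The script below is an added example, not code from Syft or from the menu-service project: it reads an SBOM produced with syft <image> -o json, counts components per type, lists components that carry no package URL (purl), which scanners have a hard time correlating with vulnerability data, and fails if a package from a deny list (here a constructed list of build tools that should not ship in a runtime image) is present. The embedded SBOM is constructed for the example and only keeps the fields the script uses; the assumed shape is Syft's JSON with a top-level "artifacts" list whose entries carry "name", "version", "type" and "purl".

```python
"""Summarize and gate a Syft JSON SBOM (added example, not Syft's own code)."""
import json
import sys
from collections import Counter

# Constructed sample in the Syft JSON shape, trimmed to the fields used below.
# Not real output from the menu-service image.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "libc6", "version": "2.36-9+deb12u4", "type": "deb",
         "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64"},
        {"name": "openssl", "version": "3.0.11-1~deb12u2", "type": "deb",
         "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64"},
        {"name": "git", "version": "1:2.39.2-1.1", "type": "deb",
         "purl": "pkg:deb/debian/git@1:2.39.2-1.1?arch=amd64"},
        {"name": "express", "version": "4.18.2", "type": "npm",
         "purl": "pkg:npm/express@4.18.2"},
        {"name": "debug", "version": "4.3.4", "type": "npm",
         "purl": "pkg:npm/debug@4.3.4"},
        {"name": "requests", "version": "2.31.0", "type": "python",
         "purl": "pkg:pypi/requests@2.31.0"},
        # A binary found by content inspection; Syft could not derive a purl.
        {"name": "node", "version": "18.19.0", "type": "binary", "purl": ""},
    ],
})

# Constructed policy: build tooling that has no business in a runtime image.
DENY_LIST = {"gcc", "make", "git"}


def load_artifacts(sbom_text):
    """Return the artifacts list of a Syft JSON SBOM (empty list if absent)."""
    return json.loads(sbom_text).get("artifacts", [])


def count_by_type(artifacts):
    """Number of components per package type (deb, npm, python, binary, ...)."""
    return dict(Counter(a.get("type", "unknown") for a in artifacts))


def missing_purl(artifacts):
    """Names of components without a package URL; review these by hand, since
    vulnerability matching keys on purl/CPE and will silently skip them."""
    return sorted(a["name"] for a in artifacts if not a.get("purl"))


def denied_packages(artifacts, deny=DENY_LIST):
    """(name, version, type) of every component whose name is on the deny list."""
    return sorted((a["name"], a["version"], a["type"])
                  for a in artifacts if a["name"] in deny)


def gate(sbom_text, deny=DENY_LIST):
    """Build a report for the SBOM; 'ok' is False when a denied package is present."""
    artifacts = load_artifacts(sbom_text)
    denied = denied_packages(artifacts, deny)
    return {
        "total": len(artifacts),
        "by_type": count_by_type(artifacts),
        "missing_purl": missing_purl(artifacts),
        "denied": denied,
        "ok": not denied,
    }


if __name__ == "__main__":
    # Usage: syft <image> -o json > sbom.json && python sbom_gate.py sbom.json
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    report = gate(text)
    print(f"{report['total']} components")
    for pkg_type, n in sorted(report["by_type"].items()):
        print(f"  {pkg_type:8} {n}")
    if report["missing_purl"]:
        print("no purl (review manually):", ", ".join(report["missing_purl"]))
    for name, version, pkg_type in report["denied"]:
        print(f"DENIED: {name} {version} ({pkg_type})")
    sys.exit(0 if report["ok"] else 1)
```

The exit status makes the script usable as a pipeline step right after Syft runs: a non-zero exit blocks the image from being promoted. The same structure accepts a CycloneDX or SPDX JSON document with a different loader, since only load_artifacts knows about the Syft layout.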
Example of an output:
NAME VERSION TYPE
[...]

DevSecOps in Practice: A Hands-On Guide to Operationalizing DevSecOps at Scale
