Detailed Description

Currently, to scan a docker image, a container for that image must be running.

For example, to scan `alpine:latest`:

It would be great to be able to run something like this:

    inspec exec linux-baseline/ -t docker://alpine:latest

which would scan `alpine:latest` without having it running as a container.

Context

For security scanning purposes, it's desirable to not have to start the image.

Some images don't have `/bin/sh` or `/bin/cat` or really anything else in them (the `chef/inspec` image is an example of such a "distroless" image). Scanning such images is currently difficult and a strategy unique to that image must be found. If the image didn't have to be running as a container in order to be scanned, image scanning could be done more generically.

Possible Implementation

OpenSCAP has this capability. The approach it takes is to extract the image to a directory, then scan that directory. The implementation for docker (which also works for podman via the docker API) can be found at https://github.com/OpenSCAP/openscap/blob/maint-1.3/utils/oscap-docker.in However, it's written in Python, which is a bit more challenging to follow than the podman-specific implementation at https://github.com/OpenSCAP/openscap/blob/maint-1.3/utils/oscap-podman which implements the same approach in shell.
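The extract-then-scan approach the OpenSCAP scripts take, applied to the `docker://image` target proposed above, as an added example in POSIX sh. It is not code from the inspec project or from the linked OpenSCAP scripts. It assumes a Docker-compatible CLI named `docker` (podman offers the same `create`, `export` and `rm` subcommands), a `tar` that accepts `-C` and `--no-same-owner`, and it uses three constructed filesystem checks inside `scan_rootfs` as stand-ins for a real profile such as linux-baseline; the function names and the `SCAN_IMAGE` variable are names chosen here.

```shell
#!/bin/sh
# Added example (not from inspec or OpenSCAP): create a container from an image
# without ever starting it, export its root filesystem to a directory, and run
# file-based checks against that directory. Assumed tools: docker CLI, tar.
set -eu

# export_image_rootfs IMAGE DEST
# `docker create` allocates the container without running its entrypoint, so
# nothing inside the image (no shell, no cat) is executed. That is what makes
# the approach work for distroless images.
export_image_rootfs() {
    image=$1; dest=$2
    mkdir -p "$dest"
    cid=$(docker create "$image")            # create, never `docker run`
    archive="$dest.tar"
    docker export "$cid" > "$archive"         # flat tar of the merged rootfs
    docker rm "$cid" >/dev/null
    # The archive comes from an untrusted image: refuse any member whose path
    # contains a ".." component, which could otherwise land outside DEST.
    if tar -tf "$archive" | grep -Eq '(^|/)\.\.(/|$)'; then
        rm -f "$archive"
        echo "refusing to extract $image: archive has '..' path components" >&2
        return 1
    fi
    tar -xf "$archive" -C "$dest" --no-same-owner
    rm -f "$archive"
}

# scan_rootfs DIR
# Prints one PASS/FAIL line per check; the return value is the number of
# failed checks. find runs without -L and every file test rejects symlinks,
# so a crafted link inside the image cannot redirect a check at host files.
scan_rootfs() {
    root=$1
    failures=0

    # check NAME COMMAND... : run COMMAND, print the verdict, count failures.
    check() {
        name=$1; shift
        if "$@"; then
            echo "PASS $name"
        else
            echo "FAIL $name"
            failures=$((failures + 1))
        fi
    }

    regular_file() { [ -f "$1" ] && [ ! -L "$1" ]; }

    # /etc/shadow, when present, must not be world-readable (o+r, octal 004).
    shadow_protected() {
        ! find "$root/etc" -name shadow -type f -perm -004 2>/dev/null | grep -q .
    }

    # No entry in /etc/passwd may have an empty password field; a missing
    # passwd file (typical for a distroless image) is not a failure here.
    no_empty_passwords() {
        f="$root/etc/passwd"
        ! regular_file "$f" ||
            awk -F: 'NF >= 2 && $2 == "" { bad = 1 } END { exit bad + 0 }' "$f"
    }

    # No regular file anywhere in the image may be world-writable (o+w, 002).
    no_world_writable() {
        ! find "$root" -type f -perm -002 2>/dev/null | grep -q .
    }

    check "shadow-not-world-readable" shadow_protected
    check "no-empty-password-fields"  no_empty_passwords
    check "no-world-writable-files"   no_world_writable
    return $failures
}

# Usage: SCAN_IMAGE=alpine:latest sh scan-image.sh   (requires the docker CLI)
if [ -n "${SCAN_IMAGE:-}" ]; then
    workdir=$(mktemp -d)
    export_image_rootfs "$SCAN_IMAGE" "$workdir/rootfs"
    scan_rootfs "$workdir/rootfs" || echo "$? check(s) failed for $SCAN_IMAGE" >&2
    rm -rf "$workdir"
fi
```

Run the script as an unprivileged user: the extracted tree is attacker-controlled content, and the `..` filter only covers one traversal technique, which is why the checks additionally refuse to follow symlinks. A real scanner would hand the extracted directory to its profile engine (OpenSCAP does this with `oscap-chroot`) instead of the three illustrative checks here.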