Harden Container Runtime with Non-Root User (#3941)

* Update Dockerfile

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update Dockerfile

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update validations.yaml

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update validations.yaml

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update Dockerfile

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update validations.yaml

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update Dockerfile

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update .goreleaser.yaml

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* Update .goreleaser.yaml

Signed-off-by: Michael Briley <michael.briley937@gmail.com>

* use distroless/static-debian12:nonroot directly

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* keep manual manifest curation

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove qemu usage

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add smoke test for snapshot

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* split up manifests section with comments

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* correct ci step name

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix arch condition

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* keep path prefix

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Michael Briley <michael.briley937@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
Michael Briley 2025-06-05 10:36:23 -06:00 committed by GitHub
parent bd894b9c4d
commit 868a6a7584
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 124 additions and 123 deletions


@ -76,6 +76,9 @@ jobs:
- name: Build snapshot artifacts - name: Build snapshot artifacts
run: make snapshot run: make snapshot
- name: Smoke test snapshot build
run: make snapshot-smoke-test
# why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach). # why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach).
# see https://github.com/actions/upload-artifact/issues/199 for more info # see https://github.com/actions/upload-artifact/issues/199 for more info
- name: Upload snapshot artifacts - name: Upload snapshot artifacts
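Review bot: The new `Smoke test snapshot build` step only proves something if `anchore/syft:latest` resolves to the image that `make snapshot` just built; in the reworked goreleaser config that name is produced solely by `docker_manifests`, and whether goreleaser materialises manifest lists locally under `--snapshot --skip=publish` is not something this hunk shows. If it does not, the task's `docker run --rm anchore/syft:latest …` will fall back to pulling the previously published image from Docker Hub and the step passes without exercising the snapshot at all. Run the task's docker commands with `--pull=never` (or against the per-arch snapshot tag) so a missing local image fails loudly instead of silently testing the wrong artifact. The job definition continues outside the hunk.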


@ -1,11 +1,11 @@
version: 2 version: 2
project_name: syft
release: release:
prerelease: auto prerelease: auto
draft: false draft: false
env: env:
# required to support multi architecture docker builds
- DOCKER_CLI_EXPERIMENTAL=enabled - DOCKER_CLI_EXPERIMENTAL=enabled
- CGO_ENABLED=0 - CGO_ENABLED=0
@ -13,14 +13,8 @@ builds:
- id: linux-build - id: linux-build
dir: ./cmd/syft dir: ./cmd/syft
binary: syft binary: syft
goos: goos: [linux]
- linux goarch: [amd64, arm64, ppc64le, s390x]
goarch:
- amd64
- arm64
- ppc64le
- s390x
# set the modified timestamp on the output binary to the git timestamp to ensure a reproducible build
mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}' mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}'
ldflags: &build-ldflags | ldflags: &build-ldflags |
-w -w
@ -34,11 +28,8 @@ builds:
- id: darwin-build - id: darwin-build
dir: ./cmd/syft dir: ./cmd/syft
binary: syft binary: syft
goos: goos: [darwin]
- darwin goarch: [amd64, arm64]
goarch:
- amd64
- arm64
mod_timestamp: *build-timestamp mod_timestamp: *build-timestamp
ldflags: *build-ldflags ldflags: *build-ldflags
hooks: hooks:
@ -50,115 +41,42 @@ builds:
- id: windows-build - id: windows-build
dir: ./cmd/syft dir: ./cmd/syft
binary: syft binary: syft
goos: goos: [windows]
- windows goarch: [amd64]
goarch:
- amd64
mod_timestamp: *build-timestamp mod_timestamp: *build-timestamp
ldflags: *build-ldflags ldflags: *build-ldflags
archives: archives:
- id: linux-archives - id: linux-archives
builds: builds: [linux-build]
- linux-build
# note: the signing process is depending on tar.gz archives. If this format changes then .github/scripts/apple-signing/*.sh will need to be adjusted
- id: darwin-archives - id: darwin-archives
builds: builds: [darwin-build]
- darwin-build
- id: windows-archives - id: windows-archives
format: zip format: zip
builds: builds: [windows-build]
- windows-build
nfpms: nfpms:
- license: "Apache 2.0" - license: "Apache 2.0"
maintainer: "Anchore, Inc" maintainer: "Anchore, Inc"
homepage: &website "https://github.com/anchore/syft" homepage: &website "https://github.com/anchore/syft"
description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems" description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems"
formats: formats: [rpm, deb]
- rpm
- deb
brews: brews:
- repository: - repository:
owner: anchore owner: anchore
name: homebrew-syft name: homebrew-syft
token: "{{.Env.GITHUB_BREW_TOKEN}}" token: "{{.Env.GITHUB_BREW_TOKEN}}"
ids: ids: [darwin-archives, linux-archives]
- darwin-archives
- linux-archives
homepage: *website homepage: *website
description: *description description: *description
license: "Apache License 2.0" license: "Apache License 2.0"
dockers: dockers:
# production images...
- image_templates: - image_templates:
- anchore/syft:debug - anchore/syft:{{.Tag}}-amd64
- anchore/syft:{{.Tag}}-debug - ghcr.io/anchore/syft:{{.Tag}}-amd64
- ghcr.io/anchore/syft:debug
- ghcr.io/anchore/syft:{{.Tag}}-debug
goarch: amd64
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/amd64"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
- image_templates:
- anchore/syft:debug-arm64v8
- anchore/syft:{{.Tag}}-debug-arm64v8
- ghcr.io/anchore/syft:debug-arm64v8
- ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
goarch: arm64
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/arm64/v8"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
- image_templates:
- anchore/syft:debug-ppc64le
- anchore/syft:{{.Tag}}-debug-ppc64le
- ghcr.io/anchore/syft:debug-ppc64le
- ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
goarch: ppc64le
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/ppc64le"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
- image_templates:
- anchore/syft:debug-s390x
- anchore/syft:{{.Tag}}-debug-s390x
- ghcr.io/anchore/syft:debug-s390x
- ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
goarch: s390x
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/s390x"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
- image_templates:
- anchore/syft:latest
- anchore/syft:{{.Tag}}
- ghcr.io/anchore/syft:latest
- ghcr.io/anchore/syft:{{.Tag}}
goarch: amd64 goarch: amd64
dockerfile: Dockerfile dockerfile: Dockerfile
use: buildx use: buildx
@ -208,51 +126,120 @@ dockers:
- "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}" - "--build-arg=VCS_URL={{.GitURL}}"
# debug images...
- image_templates:
- anchore/syft:{{.Tag}}-debug-amd64
- ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
goarch: amd64
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/amd64"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
- image_templates:
- anchore/syft:{{.Tag}}-debug-arm64v8
- ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
goarch: arm64
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/arm64/v8"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
- image_templates:
- anchore/syft:{{.Tag}}-debug-ppc64le
- ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
goarch: ppc64le
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/ppc64le"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
- image_templates:
- anchore/syft:{{.Tag}}-debug-s390x
- ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
goarch: s390x
dockerfile: Dockerfile.debug
use: buildx
build_flag_templates:
- "--platform=linux/s390x"
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
docker_manifests: docker_manifests:
# anchore/syft manifests...
- name_template: anchore/syft:latest - name_template: anchore/syft:latest
image_templates: image_templates:
- anchore/syft:{{.Tag}} - anchore/syft:{{.Tag}}-amd64
- anchore/syft:{{.Tag}}-arm64v8
- anchore/syft:{{.Tag}}-ppc64le
- anchore/syft:{{.Tag}}-s390x
- name_template: anchore/syft:{{.Tag}}
image_templates:
- anchore/syft:{{.Tag}}-amd64
- anchore/syft:{{.Tag}}-arm64v8 - anchore/syft:{{.Tag}}-arm64v8
- anchore/syft:{{.Tag}}-ppc64le - anchore/syft:{{.Tag}}-ppc64le
- anchore/syft:{{.Tag}}-s390x - anchore/syft:{{.Tag}}-s390x
- name_template: anchore/syft:debug - name_template: anchore/syft:debug
- anchore/syft:{{.Tag}}-debug image_templates:
- anchore/syft:{{.Tag}}-debug-amd64
- anchore/syft:{{.Tag}}-debug-arm64v8 - anchore/syft:{{.Tag}}-debug-arm64v8
- anchore/syft:{{.Tag}}-debug-ppc64le - anchore/syft:{{.Tag}}-debug-ppc64le
- anchore/syft:{{.Tag}}-debug-s390x - anchore/syft:{{.Tag}}-debug-s390x
- name_template: anchore/syft:{{.Tag}} - name_template: anchore/syft:{{.Tag}}-debug
image_templates: image_templates:
- anchore/syft:{{.Tag}} - anchore/syft:{{.Tag}}-debug-amd64
- anchore/syft:{{.Tag}}-arm64v8 - anchore/syft:{{.Tag}}-debug-arm64v8
- anchore/syft:{{.Tag}}-ppc64le - anchore/syft:{{.Tag}}-debug-ppc64le
- anchore/syft:{{.Tag}}-s390x - anchore/syft:{{.Tag}}-debug-s390x
# ghcr.io/anchore/syft manifests...
- name_template: ghcr.io/anchore/syft:latest - name_template: ghcr.io/anchore/syft:latest
image_templates: image_templates:
- ghcr.io/anchore/syft:{{.Tag}} - ghcr.io/anchore/syft:{{.Tag}}-amd64
- ghcr.io/anchore/syft:{{.Tag}}-arm64v8
- ghcr.io/anchore/syft:{{.Tag}}-ppc64le
- ghcr.io/anchore/syft:{{.Tag}}-s390x
- name_template: ghcr.io/anchore/syft:{{.Tag}}
image_templates:
- ghcr.io/anchore/syft:{{.Tag}}-amd64
- ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - ghcr.io/anchore/syft:{{.Tag}}-arm64v8
- ghcr.io/anchore/syft:{{.Tag}}-ppc64le - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
- ghcr.io/anchore/syft:{{.Tag}}-s390x - ghcr.io/anchore/syft:{{.Tag}}-s390x
- name_template: ghcr.io/anchore/syft:debug - name_template: ghcr.io/anchore/syft:debug
image_templates: image_templates:
- ghcr.io/anchore/syft:{{.Tag}}-debug - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
- ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
- ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
- ghcr.io/anchore/syft:{{.Tag}}-debug-s390x - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
- name_template: ghcr.io/anchore/syft:{{.Tag}} - name_template: ghcr.io/anchore/syft:{{.Tag}}-debug
image_templates: image_templates:
- ghcr.io/anchore/syft:{{.Tag}} - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
- ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
- ghcr.io/anchore/syft:{{.Tag}}-ppc64le - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
- ghcr.io/anchore/syft:{{.Tag}}-s390x - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
sboms: sboms:
- artifacts: archive - artifacts: archive
# this is relative to the snapshot/dist directory, not the root of the repo
cmd: ../.tool/syft cmd: ../.tool/syft
documents: documents:
- "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom" - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom"


@ -1,14 +1,12 @@
FROM gcr.io/distroless/static-debian12:latest AS build FROM gcr.io/distroless/static-debian12:nonroot
FROM scratch
# needed for version check HTTPS request
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# create the /tmp dir, which is needed for image content cache # create the /tmp dir, which is needed for image content cache
WORKDIR /tmp WORKDIR /tmp
COPY syft / COPY syft /
USER nonroot
ARG BUILD_DATE ARG BUILD_DATE
ARG BUILD_VERSION ARG BUILD_VERSION
ARG VCS_REF ARG VCS_REF
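Review bot: Moving the runtime stage from `scratch` onto `gcr.io/distroless/static-debian12:nonroot` means the shipped image now inherits whatever that floating tag resolves to at build time, so the base should be pinned by digest (`FROM gcr.io/distroless/static-debian12:nonroot@sha256:…`) and bumped by a bot; otherwise the release is not reproducible and a base-image regression flows straight into `anchore/syft:latest`. `USER nonroot` is redundant with the `:nonroot` variant, which already sets that user, but keeping it is a reasonable guard against a future base-tag change; a comment saying so (`# explicit even though the :nonroot base already sets this`) stops the next reader from removing it. The `# create the /tmp dir` comment is now misleading: a `/tmp` created by `WORKDIR` during the build would be root-owned and unusable by `nonroot`, so the image presumably relies on the base already providing a world-writable `/tmp` — the new snapshot smoke-test scan is what actually verifies that and is worth keeping for this reason.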


@ -1,10 +1,12 @@
FROM gcr.io/distroless/static-debian12:debug FROM gcr.io/distroless/static-debian12:debug-nonroot
# create the /tmp dir, which is needed for image content cache # create the /tmp dir, which is needed for image content cache
WORKDIR /tmp WORKDIR /tmp
COPY syft / COPY syft /
USER nonroot
ARG BUILD_DATE ARG BUILD_DATE
ARG BUILD_VERSION ARG BUILD_VERSION
ARG VCS_REF ARG VCS_REF
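Review bot: The debug variant carries a busybox shell and now runs as `nonroot`, so interactive use (`docker run --entrypoint sh …`) will only be able to write where that uid can (presumably `/tmp` and its home); that is the intended hardening, but nothing in the file says so and users of the old root `debug` tag will hit it unannounced. A one-line note above `USER nonroot`, e.g. `# the debug shell is unprivileged too; pass --user root at run time if a root shell is truly needed`, documents the trade-off. As in the production Dockerfile, `debug-nonroot` is a floating tag and should be pinned by digest so a debug image rebuild is reproducible.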


@ -27,10 +27,12 @@ vars:
sh: uname -s | tr '[:upper:]' '[:lower:]' sh: uname -s | tr '[:upper:]' '[:lower:]'
ARCH: ARCH:
sh: | sh: |
[ "$(uname -m)" = "x86_64" ] && echo "amd64_v1" || { [ "$(uname -m)" = "aarch64" ] && echo "arm64_v8.0" || echo $(uname -m); } [ "$(uname -m)" = "x86_64" ] && echo "amd64_v1" || { [ "$(uname -m)" = "aarch64" ] && echo "arm64_v8.0" || [ "$(uname -m)" = "arm64" ] && echo "arm64_v8.0" || echo $(uname -m); }
PROJECT_ROOT: PROJECT_ROOT:
sh: echo $PWD sh: echo $PWD
# note: the snapshot dir must be a relative path starting with ./ # note: the snapshot dir must be a relative path starting with ./
# e.g. when installing snapshot debs from a local path, ./ forces the deb to be installed in the current working directory instead of referencing a package name
SNAPSHOT_DIR: ./snapshot SNAPSHOT_DIR: ./snapshot
SNAPSHOT_BIN: "{{ .PROJECT_ROOT }}/{{ .SNAPSHOT_DIR }}/{{ .OS }}-build_{{ .OS }}_{{ .ARCH }}/{{ .PROJECT }}" SNAPSHOT_BIN: "{{ .PROJECT_ROOT }}/{{ .SNAPSHOT_DIR }}/{{ .OS }}-build_{{ .OS }}_{{ .ARCH }}/{{ .PROJECT }}"
SNAPSHOT_CMD: "{{ .TOOL_DIR }}/goreleaser release --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --skip=publish --skip=sign" SNAPSHOT_CMD: "{{ .TOOL_DIR }}/goreleaser release --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --skip=publish --skip=sign"
@ -230,10 +232,7 @@ tasks:
cli: cli:
desc: Run CLI tests desc: Run CLI tests
# note: we don't want to regenerate the snapshot unless we have to. In CI it's probable deps: [tools]
# that the cache being restored with the correct binary will be rebuilt since the timestamps
# and local checksums will not line up.
deps: [tools, snapshot]
cmds: cmds:
- cmd: "echo 'testing binary: {{ .SNAPSHOT_BIN }}'" - cmd: "echo 'testing binary: {{ .SNAPSHOT_BIN }}'"
silent: true silent: true
@ -573,6 +572,18 @@ tasks:
- "{{ .SNAPSHOT_CMD }}" - "{{ .SNAPSHOT_CMD }}"
snapshot-smoke-test:
desc: Run a smoke test on the snapshot builds + docker images
cmds:
- cmd: "echo 'testing snapshot binary: {{ .SNAPSHOT_BIN }}'"
silent: true
- cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
silent: true
- "{{ .SNAPSHOT_BIN }} version"
- "{{ .SNAPSHOT_BIN }} scan alpine:latest"
- docker run --rm anchore/syft:latest version
- docker run --rm anchore/syft:latest scan alpine:latest
changelog: changelog:
desc: Generate a changelog desc: Generate a changelog
deps: [tools] deps: [tools]
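Review bot: The rewritten `ARCH` one-liner prints `arm64_v8.0` twice on a Linux aarch64 host: `&&` and `||` have equal precedence and associate left-to-right, so once `[ … aarch64 ] && echo "arm64_v8.0"` succeeds the `|| [ … arm64 ]` is skipped but the following `&& echo "arm64_v8.0"` still runs, leaving a newline inside `ARCH` and a bogus `SNAPSHOT_BIN` path. A `case` makes the intent explicit and avoids the precedence trap: `case "$(uname -m)" in x86_64) echo amd64_v1 ;; aarch64|arm64) echo arm64_v8.0 ;; *) uname -m ;; esac`. Separately, `snapshot-smoke-test` scans `alpine:latest`, so its result depends on the network and on whatever that floating tag points at today; pinning the fixture image by digest, or scanning a locally loaded archive, would make the smoke test deterministic.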