Container scanning in dagger | Dagger | Page 1

scenic sedge Jan 3, 2024, 11:24 AM

#

Heya @wind rose!

Just for completeness, there's also an option 3: if your container scanner supports scanning unpacked filesystems on disk you could just get the root filesystem of the container and scan that - this is the most efficient for dagger, since no export step needs to take place.

But also, sometimes the layers are important details for the container scnaning (e.g. the layer ids might be used) - if those are important, you probably want to do 2, since then that's the same as your final production image.

You can still run everything inside dagger - you can export the image and tag it, and then scan on it (using snyk inside dagger).

wind rose Jan 3, 2024, 11:37 AM

#

Sadly snyk doesn't support unpacked filesystems. Or well it does, but isn't as intelligent as actually knowing that it stems from an image.

I guess 2 is the most sane way. I've already gotten snyk to work in dagger, so that is not a problem. Only that it needs an image. We'll take some penalty in that we may or may not have to pull the image after it has been published, but I guess that is fine. Rather that then have to fiddle around with tarballs.

velvet dust Jan 3, 2024, 12:56 PM

#

👋 Snyk supports scanning OCI archives, so with Dagger you can get a tar from your *dagger.Container with the AsTarball method without exporing it to your local filesystem and then scan that via snyk (https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-container/advanced-snyk-container-cli-usage#scan-archives)

Advanced use of Snyk Container CLI

wind rose Jan 3, 2024, 1:02 PM

#

Shouldve clicked on advanced container scanning... thanks a lot. I will give it a go

wind rose Jan 5, 2024, 4:32 PM

#

Fyi if anyone else is searching this up. Snak only supports ociv1 images. While dagger with buildkit only seems to support ociv2 format. Might be wrong though but i couldnt get them to play nice with each other. So I just exported the ociv2 tarball. Loaded it into docker proper with docker load. Got the sha put and had snyk use that.

Snyk has some interesting cli conventions so it tool a while to debug. One of them being that it will only report the opposite of what you want. I.e. oci-archive will fail with docker archive invalid. And vice versa.

scenic sedge Jan 5, 2024, 4:43 PM

#

out of curiosity, what do you mean by ociv2? there is no ociv2

#

see https://github.com/opencontainers/image-spec/tags

velvet dust Jan 5, 2024, 4:45 PM

#

I'd assume he might be referring to media types

#

@wind rose if you use the DockerMediaType in the Export / AsTarball call here: https://pkg.go.dev/dagger.io/dagger#ContainerAsTarballOpts. maybe that will make snyk happy about the OCI artifact: https://pkg.go.dev/dagger.io/dagger#ImageMediaTypes

wind rose Jan 5, 2024, 7:58 PM

#

Yep I've tried pretty much all the options. Nothing seemed to play ball. As far as I can tell. With the docker option it still keeps the same file structure. The type will just either be docker or oci v2.

Snyk really wants the file structure to be .tar with layers in the root of the tar ball. Where dagger only would allow blob/sha256/<sha>.

@scenic sedge you are correct in that the version is still 1.x, however in the media types in the file structure, there are some differences. The manifest in there will say something like. opencontainers.oci.v2 or opencontainers.docker.v2. I don't have my files on hand atm. So it may be slightly off.

#

I will find the actual example monday. When I am back at work

scenic sedge Jan 5, 2024, 7:58 PM

#

oh i see

#

right, it's schemav1 images then - yeah, buildkit doesn't produce these, since they've been deprecated for quite a while - i'm really surprised that snyk doesn't support scanning schemav2

wind rose Jan 5, 2024, 7:59 PM

#

Also I think most of these issues are on snyks hand. As they're reimplementing the oci spec in node.

#

I'd like to contribute upstream to snyk to support these newer manifests. But I don't really want to spend company time implementing the new spec for them. Not when I've actually found a worthwhile workaround.

scenic sedge Jan 5, 2024, 8:03 PM

#

here's another very hacky workaround you could try - you could create AsTarball image, and then use something like https://github.com/containers/skopeo to upload the image to a registry (which you could run inside dagger using a service) - then snyk can scan the image in your local registry

GitHub

GitHub - containers/skopeo: Work with remote images registries - re...

Work with remote images registries - retrieving information, images, signing content - GitHub - containers/skopeo: Work with remote images registries - retrieving information, images, signing content

#

it's super hacky sorry, but it might work? as long as snyk doesn't need the registry to be publicly accessible

#

that's the best i can come up with at the moment sadly

wind rose Jan 5, 2024, 8:04 PM

#

Ah well. I've just mounted the docker sock, so that it is available. And in the local registry anyways. That works fine for our needs.

scenic sedge Jan 5, 2024, 8:05 PM

#

ahh glad you found a way to make it work!

wind rose Jan 5, 2024, 8:06 PM

#

Yeah. It is still a little janky, as you need the docker sock available to run out stuff. But we need it for other things as well, so it isn't a huge deal.

#

I'd be nice though to just extract a tarball, and let snyk scan it, but it doesn't matter too much that it isn't as clean as we'd like.

velvet dust Jan 7, 2024, 4:41 PM

#

@wind rose this seemed to work for me:

package main

import (
    "context"
    "os"

    "dagger.io/dagger"
)

func main() {
    ctx := context.Background()

    // initialize Dagger client
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stderr))
    if err != nil {
        panic(err)
    }
    defer client.Close()

    client.Container().From("snyk/snyk:linux").
        WithEnvVariable("SNYK_TOKEN", "$TOKEN").
        WithMountedFile("/image.tar", client.Container().From("alpine").AsTarball()).
        WithExec([]string{"snyk", "container", "test", "oci-archive:/image.tar"}).Sync(ctx)
}

#

19: exec /usr/local/bin/docker-entrypoint.sh snyk container test oci-archive:/image.tar
19: [3.65s] 
19: [3.65s] Testing oci-archive:/image.tar...
19: [3.65s] 
19: [3.65s] Organization:      marcosnils
19: [3.65s] Package manager:   apk
19: [3.65s] Project name:      docker-image|image.tar
19: [3.65s] Docker image:      oci-archive:/image.tar
19: [3.65s] Platform:          linux/amd64
19: [3.65s] Base image:        alpine:3.19.0
19: [3.65s] Licenses:          enabled
19: [3.65s] 
19: [3.65s] ✔ Tested 15 dependencies for known issues, no vulnerable paths found.
19: [3.65s] 
19: [3.65s] According to our scan, you are currently using the most secure version of the selected base image
19: [3.65s] 
19: [3.65s] 
19: exec /usr/local/bin/docker-entrypoint.sh snyk container test oci-archive:/image.tar DONE

wondering how you're triggering the OCI v2 thing

wind rose Jan 7, 2024, 8:40 PM

#

I will have a look tomorrow. I don't have the code on hand atm. The only difference I can see right now is that I used AsTarball( /* options */). I even tried to download and save a raw debian image, and that worked. But the image produced by dagger wouldn't work. But anyways. I will send it tomorrow 😄

I did use snyk/snyk:docker-19 though.

muted sleet Apr 1, 2025, 6:20 AM

#

wind rose Ah well. I've just mounted the docker sock, so that it is available. And in the ...

Hi @wind rose , how did you mount the docker sock? Did you used the docker:dind image as a service in dagger?

scenic sedge Apr 1, 2025, 6:33 AM

#

you can also pass the host docker socket to the function

#

if the function takes a dagger.Socket type

wind rose Apr 1, 2025, 6:39 AM

#

I believe this was back when i didnt use modules so i just passed it in as a docker type or using the docker API.

#

Modules should be the same however

#Container scanning in dagger