
Comments (10)

pwalecha commented on July 18, 2024

@davidguidali,
Can you try the CLI command below? You can refer to other SBOM generation CLI tools like Trivy as well; the given example is for Syft, which is also used by Docker for now, per their documentation.
az acr run --registry --cmd 'docker.io/anchore/syft myimage' /dev/null

from acr.

davidguidali commented on July 18, 2024

> @davidguidali, Can you try the CLI command below? You can refer to other SBOM generation CLI tools like Trivy as well; the given example is for Syft, which is also used by Docker for now, per their documentation. az acr run --registry --cmd 'docker.io/anchore/syft myimage' /dev/null

Cool thanks, that works! I did:

az acr run --registry myregistry --cmd 'docker.io/anchore/syft myregistry/myimage -o cyclonedx-json' /dev/null

However, I'm a little bit confused: how does the syft container know about 'myimage'? Does it pull it? And if so, how does it get the credentials to pull it?


pwalecha commented on July 18, 2024

> @davidguidali, Can you try the CLI command below? You can refer to other SBOM generation CLI tools like Trivy as well; the given example is for Syft, which is also used by Docker for now, per their documentation. az acr run --registry --cmd 'docker.io/anchore/syft myimage' /dev/null
>
> Cool thanks, that works! I did:
>
> az acr run --registry myregistry --cmd 'docker.io/anchore/syft myregistry/myimage -o cyclonedx-json' /dev/null
>
> However, I'm a little bit confused: how does the syft container know about 'myimage'? Does it pull it? And if so, how does it get the credentials to pull it?

The Syft image is pulled within the container after the registry login is successful. Then, the ACR task uses the downloaded Syft CLI to execute the command over the authenticated registry's referred image.


davidguidali commented on July 18, 2024

Yeah, I got this part, but doesn't the Syft CLI run within the Syft container? So how does this syft container know about the ACR?
I mean, if I am within a container I usually don't know anything about the environment it's running on, so is configuration somehow magically mounted into the Syft container? So how does the syft CLI within the container know the credentials of the ACR?


sajayantony commented on July 18, 2024

Maybe @northtyphoon or @juliusl know more. But it might be because the syft CLI is able to pick up the docker creds from the home mount - https://github.com/Azure/acr-builder/blob/18cda98fd073203ca070835bc04e4672eef31ee0/builder/context.go#L91C11-L91C11


yizha1 commented on July 18, 2024

@davidguidali Do you still have questions on this issue? I would like to understand more about your scenarios. Feel free to contact me by mail at [email protected] if you want to have further discussions.


davidguidali commented on July 18, 2024

> @davidguidali Do you still have questions on this issue? I would like to understand more about your scenarios. Feel free to contact me by mail at [email protected] if you want to have further discussions.

Hi @yizha1,
Thanks. I'm still not 100% sure how the syft CLI is able to access the docker CLI from within the container without explicitly mounting some sockets etc. (or using docker in docker), or does the syft CLI not need to access docker explicitly to scan images? However, since my solution works, these questions are based more on my personal curiosity and are not that important. :)

For the scenario: We have a CI/CD pipeline in GitLab where we use multiple Linux runners to build our code, run tests, etc.
However, none of these runners have Docker installed. Instead, we build our images using az acr build. Now we want to create SBOM files for our images and upload them to our instance of Dependency-Track. However, we tried to find a solution where we don't need to install Docker or Syft on our agents, so we thought it would be nice to just be able to create the SBOM files by using the ACR capabilities. We solved it now by calling az acr run --registry myregistry --cmd 'docker.io/anchore/syft myregistry/myimage -o cyclonedx-json' /dev/null, parsing the resulting output, extracting the SBOM JSON and storing it as a file.
Works like a charm so far.

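The pipeline step described above (run syft through an ACR task, pull the CycloneDX document out of the task's console output, keep it as a file for Dependency-Track), as an added example that is not code from this thread or from the acr project. The `az acr run` invocation is the one quoted above; the ACR task log lines in `SAMPLE_OUTPUT` are constructed, and the registry and image names are placeholders. The example also skips syft's own JSON log lines, which would otherwise be mistaken for the SBOM.

```python
import json
import subprocess

# Constructed sample of what `az acr run` prints: ACR task log lines around the
# JSON that syft writes to stdout. Not real ACR output.
SAMPLE_OUTPUT = """Queued a run with ID: ca1
2024/07/18 10:00:00 Launching container with name: acb_step_0
{"level":"info","msg":"pulling image myregistry.azurecr.io/myimage"}
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.2"},
    {"type": "library", "name": "zlib", "version": "1.2.13"}
  ]
}
2024/07/18 10:00:05 Successfully executed container: acb_step_0
Run ID: ca1 was successful after 10s
"""

def run_acr_syft(registry: str, image: str) -> str:
    """Run syft inside an ACR task, as in the thread, and return the task's stdout."""
    cmd = f"docker.io/anchore/syft {registry}/{image} -o cyclonedx-json"
    proc = subprocess.run(
        ["az", "acr", "run", "--registry", registry, "--cmd", cmd, "/dev/null"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout

def extract_sbom(task_output: str) -> dict:
    """Find the CycloneDX document in the task log and return it parsed."""
    # Try every '{' and accept only a document whose bomFormat is CycloneDX,
    # so syft's own JSON log lines and stray braces in the log are skipped.
    decoder = json.JSONDecoder()
    pos = 0
    while (pos := task_output.find("{", pos)) != -1:
        try:
            doc, end = decoder.raw_decode(task_output, pos)
        except json.JSONDecodeError:
            pos += 1
            continue
        if isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX":
            return doc
        pos = end  # a valid JSON object that is not the SBOM: skip past it
    raise ValueError("no CycloneDX document found in ACR task output")

def component_names(sbom: dict) -> list:
    """Sorted 'name@version' for each component, handy for diffing two builds."""
    return sorted(f"{c['name']}@{c.get('version', '?')}" for c in sbom.get("components", []))
```

In the pipeline, `json.dump(extract_sbom(run_acr_syft("myregistry", "myimage")), open("sbom.cdx.json", "w"))` writes the file that is then uploaded to Dependency-Track.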

northtyphoon commented on July 18, 2024

The containers launched in cmd (e.g., docker.io/anchore/syft in your case: --cmd 'docker.io/anchore/syft myregistry/myimage -o cyclonedx-json') automatically have the docker daemon socket mounted.


yizha1 commented on July 18, 2024

@davidguidali Did the previous comment answer your question? Feel free to drop me a mail if you would like to discuss more about SBOM and other secure supply chain related artifacts or solutions. Here is the Containers Secure Supply Chain Framework document you may be interested in. Thanks.


davidguidali commented on July 18, 2024

> @davidguidali Did the previous comment answer your question? Feel free to drop me a mail if you would like to discuss more about SBOM and other secure supply chain related artifacts or solutions. Here is the Containers Secure Supply Chain Framework document you may be interested in. Thanks.

Yes, thanks, everything is clear now. However, it would be useful to use "docker sbom" directly, so I guess the feature request stays valid.
