This has hard-hitting and long-lasting ramifications on commerce that could seriously impact businesses across the country (and the globe). The White House launched a cybersecurity initiative to help guide developers and businesses. You can read the cybersecurity executive order in its entirety, so you're familiar with everything it details. The gist, however, is that it has become absolutely necessary for companies to be able to secure their supply chains.

Doing so is no simple matter, because there are so many moving parts involved. This is especially true in the cloud native world, where containers and Kubernetes are moving targets for insecurity. But it all starts in one place: container images. If you're not using trustworthy images, your entire stack could be compromised. And here's the thing: those images are created by everyone, from individuals to large enterprise corporations. Sure, you can use various tools to scan those images for vulnerabilities, but it has become quite clear that one particular piece of the puzzle is now in demand.

That piece is a Software Bill of Materials (SBOM). Simply put, an SBOM is a full listing of every package and dependency that goes into making a container image. Why does that matter? Consider how many packages and dependencies go into creating a Linux container image. Take, for instance, Pop!_OS (which is my daily driver). I am told there are 3,008 packages installed.

To make this more complicated, you can't easily run that kind of package count against a container image. Sure, you could deploy a container based on the image, access the container, and then issue the command, but you would only see the output if the dpkg and wc commands happen to be included in that base image (many minimal images ship neither). You don't want to have to do that for every image you create. Given how incredibly busy developers are, that's a big ask.

So what do you do? Fortunately, there are tools available that make creating a Software Bill of Materials quite easy. One such tool is called syft, from Anchore.

With syft you can have it pull down images and extract a full SBOM very quickly. Once you have that SBOM you can present it to those who need the list, so they can verify that everything included in the image meets company requirements and/or security policies. What's better, syft doesn't just list the name of each included package, it also adds the version number, which is what lets the list be matched against vulnerability advisories. And because syft supports most package formats (including APK, DEB, RPM, Ruby Bundles, Python Wheel/Egg/requirements.txt, JavaScript NPM/Yarn, Java JAR/EAR/WAR, Jenkins plugins JPI/HPI, and Go modules), it should work on most container images. That means every single package installed can be verified for security.

I'll be demonstrating on Ubuntu Server 20.04, but the tool can be used on any platform that supports Docker. First, log into your server and install git. Once git is installed, clone the syft repository. You should now see a new directory named syft; change into that directory and create the executable binary. Next, move the syft binary to a directory in your $PATH. Make sure the installation is complete by running syft with its help option; you should see the help information listed.

Let's say you want to build a cloud native application based on the official AlmaLinux image. To do that, you'll use syft not only to generate the SBOM but also to pull down the image (although you can also generate an SBOM from an image that has already been pulled). Run syft against the AlmaLinux image. Once syft pulls down the image, it will load it and extract the contents. With the contents extracted, syft will list out every package and dependency found in the image (Figure 1).

Whenever we think about building or running a container, Docker is the first tool that comes to mind, and that's perfectly fine: Docker has made our lives far easier than we could have imagined. But there are other ways to build and run an image as well.
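The article stops at producing the list; what a security reviewer usually wants next is to consume it. The following is an added example, not code from the article or from Anchore, showing how to drive syft from a script and check the resulting SBOM against a simple policy (a deny list, plus a check that every artifact actually carries a version so it can be matched against advisories). It assumes syft's `-o json` output format with an `artifacts` list whose entries have `name`, `version` and `type` fields, and it uses the `almalinux:latest` tag as the image name. The sample SBOM embedded below is constructed for illustration so the script runs offline; its package names and versions are not taken from a real AlmaLinux image.

```python
"""Added example: drive syft from Python and check the resulting SBOM
against a simple policy.  Not code from the article or from Anchore.
Assumes syft's `-o json` output carries an `artifacts` list whose
entries have `name`, `version` and `type` fields."""
import json
import shutil
import subprocess
from collections import Counter

# Constructed stand-in for syft's JSON output, used when syft is not on
# $PATH so the script runs offline.  Names and versions are made up for
# illustration and are NOT taken from a real almalinux image.
SAMPLE_SBOM = json.dumps({
    "source": {"type": "image", "target": {"userInput": "almalinux:latest"}},
    "artifacts": [
        {"name": "almalinux-release", "version": "8.6-1.el8", "type": "rpm"},
        {"name": "openssl-libs", "version": "1.1.1k-7.el8_6", "type": "rpm"},
        {"name": "python3-pip", "version": "9.0.3-22.el8", "type": "rpm"},
        {"name": "telnet", "version": "0.17-76.el8", "type": "rpm"},
        {"name": "requests", "version": "", "type": "python"},
    ],
})


def syft_command(image, fmt="json"):
    """Command line asking syft to pull `image` (if needed) and emit an SBOM."""
    return ["syft", image, "-o", fmt]


def run_syft(image):
    """Return syft's JSON SBOM for `image`, or the constructed sample if syft is absent."""
    if shutil.which("syft") is None:
        return SAMPLE_SBOM
    proc = subprocess.run(syft_command(image), check=True,
                          capture_output=True, text=True)
    return proc.stdout


def parse_sbom(sbom_json):
    """Flatten the SBOM into (name, version, type) tuples, one per artifact."""
    doc = json.loads(sbom_json)
    return [(a["name"], a.get("version", ""), a.get("type", "unknown"))
            for a in doc.get("artifacts", [])]


def summarize(packages):
    """Count artifacts per package type (rpm, deb, python, ...)."""
    return dict(Counter(pkg_type for _, _, pkg_type in packages))


def check_policy(packages, denied):
    """Two checks a reviewer wants: no denied packages, and every artifact
    has a version (an unversioned entry cannot be matched to advisories)."""
    violations = []
    for name, version, pkg_type in packages:
        if name in denied:
            violations.append(("denied", name, version, pkg_type))
        if not version:
            violations.append(("no-version", name, version, pkg_type))
    return violations


if __name__ == "__main__":
    pkgs = parse_sbom(run_syft("almalinux:latest"))
    print(f"{len(pkgs)} artifacts by type: {summarize(pkgs)}")
    for name, version, pkg_type in pkgs:
        print(f"  {name} {version} ({pkg_type})")
    # Hypothetical policy: no interactive remote-access clients in images.
    for kind, name, version, pkg_type in check_policy(pkgs, denied={"telnet"}):
        print(f"POLICY {kind}: {name} {version} ({pkg_type})")
```

With real syft on the path the script pulls the image and reads the live SBOM; otherwise it exercises the same parsing and policy logic on the constructed sample. Extend `check_policy` with whatever your organisation actually requires (licence checks, an allow list per package type, minimum versions) rather than treating the deny list here as a recommendation.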