Containerisation has revolutionised the software industry by enabling developers to build, test, and deploy applications more efficiently. However, container security has become a crucial aspect of the development process, as it is essential to ensure that containerised applications are free from vulnerabilities and malware.
Anchore is a platform that helps developers and security teams automate container security workflows. It provides open-source and enterprise-level components.
In this blog post, we discuss the purpose of Anchore’s two open-source container security tools, Syft and Grype, and how to use them to run vulnerability and malware checks against our containers.
Anchore Syft is a command-line tool that performs software bill of materials (SBOM) analysis on container images. Syft analyses container images and generates an SBOM, which is a list of all the software components and dependencies that are present in the container image. The SBOM helps to identify potential vulnerabilities and issues with the container image.
Anchore Grype is a command-line tool that performs vulnerability scanning on container images. Grype analyses container images and identifies vulnerabilities in the software components and dependencies that are present in the container image.
Grype provides a comprehensive vulnerability report listing all the vulnerabilities in the container image. The report includes details such as severity, CVSS score, and affected software components.
Both Syft and Grype support multiple image formats, including Docker, OCI, and ACI, and can be integrated into various CI/CD pipelines to automate container security checks.
They also provide integration with various vulnerability databases, such as the National Vulnerability Database (NVD) and the Red Hat Security Data API. This integration enables Syft to provide more accurate vulnerability information and allows developers to take appropriate actions to remediate vulnerabilities.
Here's an example of how to use Anchore Syft and Anchore Grype to analyse and scan container images:
Before getting started with this hands-on example, you'll need to have the following prerequisites installed:
You can install Anchore Syft and Anchore Grype by following the instructions in the Anchore documentation:
Anchore Syft: https://github.com/anchore/syft#installation
Anchore Grype: https://github.com/anchore/grype#installation
To analyse a container image with Anchore Syft, follow these steps:
1. Pull a container image that you want to analyse. For example, you can pull the "alpine" image by running the following command:
2. Run Anchore Syft on the container image by running the following command:
The commands are related to the “syft” tool, which is used to inspect and analyse software packages and their dependencies. Specifically, these commands are used to retrieve information about packages in the “Alpine Linux” distribution.
Here's a breakdown of the other commands you can use and their purposes:
To summarise the discovered packages in the Alpine Linux distribution. It does not provide any additional details about the packages.
To show all possible cataloguing details for the discovered packages in the Alpine Linux distribution in JSON format.
Syft also supports different output formats, and CycloneDX is one of them. CycloneDX is a software bill of materials (SBOM) format designed to provide a standard way of describing the components, dependencies, and metadata of a software project. It is intended to be language- and tool-agnostic and machine-readable, and it can be generated automatically as part of the build process.
The CycloneDX format includes information about the components used in a software project, including their names, versions, licenses, dependencies, and metadata about the project itself. Tools and platforms widely support it and can help improve software supply chain security, reduce risk, and increase transparency.
To show a CycloneDX formatted Software Bill of Materials (SBOM) for the discovered packages in the Alpine Linux distribution.
To show a CycloneDX JSON formatted SBOM for the discovered packages in the Alpine Linux distribution.
SPDX (Software Package Data Exchange) is another Syft-supported output format that is a standard format for describing software packages' contents, licenses, and copyrights. It includes standard fields for describing software packages and a unique identifier for each package, which can be used to track it throughout its lifecycle.
The SPDX format is designed to be machine-readable and can be used by tools and platforms to automate the management and tracking of software packages. It can also improve transparency and collaboration between stakeholders in the software supply chain, reducing legal and compliance risks.
To show an SPDX 2.3 Tag-Value formatted SBOM for the discovered packages in the Alpine Linux distribution.
To show an SPDX 2.3 JSON formatted SBOM for the discovered packages in the Alpine Linux distribution.
To show an SBOM formatted according to a given template file named my_format.tmpl. The format of the SBOM is based on the contents of the template file.
Here's an example of what a my_format.tmpl file could look like:
This template file will produce an SBOM in a format that includes the name, version, and license information for each package, as well as any dependencies that each package has. The output will be in plain text format and can be redirected to a file or piped to another command for further processing.
The extension for this template file could be .tmpl or .txt, but it's not a strict requirement. You can name it whatever you prefer, as long as you specify the correct filename when running the syft packages command with the -t flag.
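As an added example (not code from the original post or from the Syft project), the following Python reads a Syft JSON SBOM and applies a simple license policy. The embedded document is a constructed, cut-down sample that mirrors the shape of `syft -o json` output; real Syft JSON carries many more fields, and its `licenses` entries are objects in current releases but plain strings in older ones, so the parser accepts both.

```python
import json

# Constructed sample of a Syft JSON SBOM (not real syft output). The "licenses"
# field is a list of objects in current Syft versions and a list of plain
# strings in older ones, so both shapes are included to exercise the parser.
SAMPLE_SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "musl", "version": "1.2.3-r4", "type": "apk",
         "licenses": [{"value": "MIT", "spdxExpression": "MIT", "type": "declared"}]},
        {"name": "busybox", "version": "1.36.0-r0", "type": "apk",
         "licenses": ["GPL-2.0-only"]},
        {"name": "mystery-pkg", "version": "0.1", "type": "apk", "licenses": []},
    ],
    "source": {"type": "image", "target": {"userInput": "alpine:latest"}},
})


def license_names(artifact):
    """Normalise both Syft license shapes to a list of license strings."""
    names = []
    for lic in artifact.get("licenses", []):
        if isinstance(lic, str):
            names.append(lic)
        else:
            names.append(lic.get("spdxExpression") or lic.get("value") or "")
    return [n for n in names if n]


def summarise(sbom_json):
    """Return {package name: {"version": ..., "licenses": [...]}} from a Syft JSON SBOM."""
    doc = json.loads(sbom_json)
    return {a["name"]: {"version": a["version"], "licenses": license_names(a)}
            for a in doc.get("artifacts", [])}


def license_gate(sbom_json, denied):
    """Return (passed, violations); violations are (package, license) pairs.

    Packages with no license metadata are reported as 'UNKNOWN' so gaps in the
    SBOM stay visible instead of being silently accepted.
    """
    violations = []
    for name, info in summarise(sbom_json).items():
        for lic in (info["licenses"] or ["UNKNOWN"]):
            if lic in denied:
                violations.append((name, lic))
    return (not violations, violations)


if __name__ == "__main__":
    ok, bad = license_gate(SAMPLE_SYFT_JSON, {"GPL-2.0-only", "UNKNOWN"})
    print("PASS" if ok else "FAIL", bad)
```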
To scan a container image with Anchore Grype, follow these steps:
1. Pull a container image that you want to scan. For example, you can pull the "alpine" image by running the following command:
2. Run Anchore Grype on the container image by running the following command:
This will scan the "alpine" container image and identify any vulnerabilities in the software components and dependencies that are present in the container image.
These commands are related to the “grype” tool, which is a vulnerability scanner for container images and file systems. The commands specify how to scan container images using different input methods.
Here's an explanation of each command and its purpose:
To explicitly use the Podman daemon to scan the specified container image.
To use the Docker daemon to scan the specified container image.
To use a tarball from disk for archives created from "docker save" to scan the container image.
To use a tarball from disk for OCI archives (from Podman or otherwise) to scan the container image.
To read directly from a path on disk for OCI layout directories (from Skopeo or otherwise) to scan the container image.
To read directly from a path on disk for any directory. It can be used to scan the contents of a file system for vulnerabilities.
Grype allows us to use Syft outputs as an input of Grype to run vulnerability analysis of the packages listed in the Syft output.
To read a Syft JSON file from a path on disk and scan it for vulnerabilities, you can use the following command. As mentioned, Syft is a library for generating Software Bills of Materials (SBOMs), and Grype uses it to scan container images for vulnerabilities.
You can use the following command to pull the container image directly from a registry without requiring a container runtime. This can be useful when you don't have access to a container runtime or don't want to use one.
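Once Grype has produced a JSON report, a CI job usually needs to decide whether to fail the build. Grype itself offers `--fail-on` and `--only-fixed` for this; the added example below (not code from the original post or from the Grype project) reproduces that decision in Python so the same report can also be summarised or forwarded. The embedded report is a constructed sample with placeholder CVE ids that mirrors the `matches` structure of `grype -o json` output.

```python
import json
from collections import Counter

# Constructed sample of a Grype JSON report (placeholder CVE ids, not real findings).
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["1.2.3-r1"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3-r0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "demo-tool", "version": "0.9", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "otherlib", "version": "2.0", "type": "apk"}},
    ]
})

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_matches(report_json):
    """Flatten Grype's JSON report into (id, severity, package, version, fixed_in) rows."""
    rows = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fixed_in = ",".join(vuln.get("fix", {}).get("versions", [])) or None
        rows.append((vuln["id"], vuln.get("severity", "Unknown"),
                     art["name"], art["version"], fixed_in))
    return rows


def gate(report_json, fail_on="High", only_fixed=False):
    """Return (passed, offending_rows, counts_by_severity).

    fail_on: lowest severity that fails the build (like grype --fail-on).
    only_fixed: ignore findings with no upstream fix (like grype --only-fixed),
                so the build is not blocked on issues that cannot yet be patched.
    """
    rows = parse_matches(report_json)
    counts = Counter(r[1] for r in rows)
    threshold = SEVERITY_RANK[fail_on]
    offending = [r for r in rows
                 if SEVERITY_RANK.get(r[1], -1) >= threshold and (r[4] or not only_fixed)]
    return (len(offending) == 0, offending, counts)


if __name__ == "__main__":
    passed, bad, counts = gate(SAMPLE_GRYPE_JSON, fail_on="High", only_fixed=True)
    print("severity counts:", dict(counts))
    for vid, sev, name, ver, fixed in bad:
        print(f"{vid} {sev} {name}@{ver} fixed in {fixed}")
    print("PASS" if passed else "FAIL")
```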
In this hands-on example, we've demonstrated how to use Anchore Syft and Anchore Grype to analyse and scan container images. Anchore Syft generates a software bill of materials (SBOM) for container images, which helps to identify potential vulnerabilities and issues with the container image. Anchore Grype scans container images and identifies vulnerabilities in the software components and dependencies that are present in the container image.
Container security is a crucial aspect of the software development process, and tools like Anchore Syft and Anchore Grype can help developers and security teams automate container security workflows. Syft helps to generate an SBOM for container images, which enables developers to identify potential vulnerabilities and issues with the container image. Grype performs vulnerability scanning on container images and identifies vulnerabilities in the software components and dependencies that are present in the container image.
Using Anchore Syft and Anchore Grype, developers and security teams can automate container security workflows and ensure their containerised applications are free from vulnerabilities and malware.
Although Syft and Grype are powerful open-source tools, Anchore also offers a commercial solution named Anchore Enterprise, which provides additional capabilities such as user management, customised policy rules, report generation, and continuous scanning and analysis through an effective UI.
You can always contact us to learn more about Anchore Enterprise.