BuildKit Syft scanner
This repo packages the Syft scanner as a BuildKit SBOM generator to include scan results with the output of Docker builds.
The docker/buildkit-syft-scanner image implements the BuildKit SBOM scanner protocol defined here.
Usage
To scan an image during build with buildctl:
$ buildctl build ... \
--output type=image,name=<image>,push=true \
--opt attest:sbom=generator=docker/buildkit-syft-scanner
Development
buildkit-syft-scanner uses bake to build the project.
To set up a development environment, clone the git repository:
$ git clone https://github.com/docker/buildkit-syft-scanner.git
$ cd buildkit-syft-scanner
It's recommended to set up an ephemeral local registry to push the development image to:
$ docker run -d -p 5000:5000 --rm --name registry registry:2
To build the development image and push it to localhost:5000/buildkit-syft-scanner:dev:
$ make dev IMAGE=localhost:5000/buildkit-syft-scanner:dev
To test the development image:
$ make examples IMAGE=localhost:5000/buildkit-syft-scanner:dev
To scan an image during build with buildctl using the development image:
$ buildctl build ... \
--output type=image,name=<image>,push=true \
--opt attest:sbom=generator=localhost:5000/buildkit-syft-scanner:dev
Contributing
Want to contribute? Awesome!
buildkit-syft-scanner is mostly glue between BuildKit and Syft, so contributions will most likely belong in one of those projects. This project is intended to be as thin a compatibility layer as possible, so we have a strong preference for as little code here as possible.