Vulnerability scan the generated tar archive via snyk

Dhaval Metrani

May 5, 2021, 8:44:59 PM
to kaniko-users
I am not sure if the generated tar archive is OCI compliant or not, but it looks like I was not able to scan this using snyk.
Steps:
1. Build container archive
docker run -v /Users/myuser/mycurrentfolder:/workspace gcr.io/kaniko-project/executor:v1.0.0 --dockerfile /workspace/Dockerfile --destination pocSnykTest:latest --tarPath=/workspace/build/pocSnykTest.tar --no-push

2. Scan this
snyk container test oci-archive:build/pocsnyktest.tar -d
Output: Invalid OCI archive
3. Scan via docker-archive
snyk container test docker-archive:build/pocsnyktest.tar -d
Output: Invalid docker archive

4. If I load and save the same image via docker, it works. 
docker load -i build/pocsnyktest.tar
docker save --output build/pocsnyktest2.tar pocsnyktest:latest 
snyk container test docker-archive:build/pocsnyktest2.tar
Works well


Questions:
1. Has anyone got to scan a kaniko generated tar image via snyk?
2. Is there any workaround without using docker or any other runtime?
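Both prefixes fail for the same reason: snyk looks for the root-level marker files of the format named, and a tarball that carries neither set is rejected under either name. The following added example (not from the original post, and not kaniko or snyk code) classifies a tarball by exactly those markers: `manifest.json` with `Config`/`Layers` entries for a `docker save` archive, `oci-layout` plus `index.json` for an OCI image layout. It builds three constructed sample archives to show each outcome; pointing `classify_image_archive` at the real `--tarPath` output shows which markers that tarball lacks.

```python
import io
import json
import tarfile
import tempfile


def classify_image_archive(path):
    """Return 'docker-archive', 'oci-archive' or 'unknown' from root-level marker files."""
    with tarfile.open(path) as tar:
        members = {m.name.removeprefix("./"): m for m in tar.getmembers()}
        # OCI image layout: an 'oci-layout' marker plus 'index.json' at the root.
        if "oci-layout" in members and "index.json" in members:
            return "oci-archive"
        # docker save format: manifest.json is a list of {Config, Layers, ...}.
        if "manifest.json" in members:
            try:
                manifest = json.load(tar.extractfile(members["manifest.json"]))
            except (ValueError, AttributeError):
                return "unknown"  # present but unreadable or not a regular file
            if isinstance(manifest, list) and all(
                "Config" in e and "Layers" in e for e in manifest
            ):
                return "docker-archive"
    return "unknown"


def build_sample_archive(path, files):
    """Write a constructed tar containing the given {name: bytes} entries."""
    with tarfile.open(path, "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Classify three constructed archives: docker save, OCI layout, layers only."""
    manifest = json.dumps([{"Config": "c.json", "Layers": ["l.tar"]}]).encode()
    samples = {
        "docker": {"manifest.json": manifest, "c.json": b"{}", "l.tar": b""},
        "oci": {"oci-layout": b'{"imageLayoutVersion":"1.0.0"}',
                "index.json": b'{"schemaVersion":2,"manifests":[]}'},
        "bare": {"l.tar": b""},  # layer blob only: neither format's markers
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in samples.items():
            path = f"{tmp}/{label}.tar"
            build_sample_archive(path, files)
            results[label] = classify_image_archive(path)
    return results
```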