Open Source Container Security: Anchore - Syft & Grype

Containerisation has revolutionised the software industry by enabling developers to build, test, and deploy applications more efficiently. However, container security has become a crucial aspect of the development process, as it is essential to ensure that containerised applications are free from vulnerabilities and malware.

Anchore is a platform that helps developers and security teams automate container security workflows. It provides open-source and enterprise-level components.

In this blog post, we will be discussing what is the purpose of Anchore’s two open-source tools for container security Syft and Grype and how to use these tools to run vulnerability and malware checks against our containers.

Anchore Syft

Anchore Syft is a command-line tool that performs software bill of materials (SBOM) analysis on container images. Syft analyses container images and generates an SBOM, which is a list of all the software components and dependencies that are present in the container image. The SBOM helps to identify potential vulnerabilities and issues with the container image.

Anchore Grype

Anchore Grype is a command-line tool that performs vulnerability scanning on container images. Grype analyses container images and identifies vulnerabilities in the software components and dependencies that are present in the container image.

Grype provides a comprehensive vulnerability report listing all the vulnerabilities in the container image. The report includes details such as severity, CVSS score, and affected software components.

Both Syft and Grype support multiple image formats, including Docker, OCI, and ACI, and can be integrated into various CI/CD pipelines to automate container security checks.

They also provide integration with various vulnerability databases, such as the National Vulnerability Database (NVD) and the Red Hat Security Data API. This integration enables Syft to provide more accurate vulnerability information and allows developers to take appropriate actions to remediate vulnerabilities.

Hands-On

Here's an example of how to use Anchore Syft and Anchore Grype to analyse and scan container images:

Prerequisites

Before getting started with this hands-on example, you'll need to have the following prerequisites installed:

• Docker
• Anchore Syft
• Anchore Grype

You can install Anchore Syft and Anchore Grype by following the instructions in the Anchore documentation:

Anchore Syft: https://github.com/anchore/syft#installation

Anchore Grype: https://github.com/anchore/grype#installation

Analysing a Container Image with Anchore Syft

To analyse a container image with Anchore Syft, follow these steps:

docker pull alpine

2. Run Anchore Syft on the container image by running the following command:

  $ syft packages alpine:latest
  ✔ Loaded image
  ✔ Parsed image
  ✔ Cataloged packages      [16 packages]
 
 NAME                    VERSION      TYPE
 alpine-baselayout       3.4.0-r0     apk
 alpine-baselayout-data  3.4.0-r0     apk
 alpine-keys             2.4-r1       apk
 apk-tools               2.12.10-r1   apk
 busybox                 1.35.0       binary
 busybox                 1.35.0-r29   apk
 busybox-binsh           1.35.0-r29   apk
 ca-certificates-bundle  20220614-r4  apk
 libc-utils              0.7.2-r3     apk
 libcrypto3              3.0.8-r3     apk
 libssl3                 3.0.8-r3     apk
 musl                    1.2.3-r4     apk
 musl-utils              1.2.3-r4     apk
 scanelf                 1.3.5-r1     apk
 ssl_client              1.35.0-r29   apk
 zlib                    1.2.13-r0    apk

The commands are related to the “syft” tool, which is used to inspect and analyse software packages and their dependencies. Specifically, these commands are used to retrieve information about packages in the “Alpine Linux” distribution.

Here's a breakdown of the other commands you can use and their purposes:

To summarise the discovered packages in the Alpine Linux distribution. It does not provide any additional details about the packages.

syft packages alpine:latest

To show all possible cataloguing details for the discovered packages in the Alpine Linux distribution in JSON format

syft packages alpine:latest -o json

Syft also supports different types of output formats. CycloneDX format is one of them. CycloneDX is a software bill of materials (SBOM) format designed to provide a standard way of describing the components, dependencies, and metadata of a software project. It is intended to be language -and tool-agnostic, machine-readable, and can be generated automatically as part of the build process.

The CycloneDX format includes information about the components used in a software project, including their names, versions, licenses, dependencies, and metadata about the project itself. Tools and platforms widely support it and can help improve software supply chain security, reduce risk, and increase transparency.

To show a CycloneDX formatted Software Bill of Materials (SBOM) for the discovered packages in the Alpine Linux distribution.

$ syft packages alpine:latest -o cyclonedx

    ✔ Parsed image
    ✔ Cataloged packages      [16 packages]
  <xml>
   <!--?xml version="1.0" encoding="UTF-8"?-->
   <bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialnumber="urn:uuid:d5551acc-f243-49bb-b68f-dd17b87ea772" version="1">
     <metadata>
       <timestamp>2023-05-09T15:14:29+01:00</timestamp>
       <tools>
         <tool>
           <vendor>anchore</vendor>
           <name>syft</name>
           <version>0.79.0</version>
         </tool>
       </tools>
       <component bom-ref="c235bea5774febf0" type="container">
         <name>alpine:latest</name>
         <version>sha256:b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11</version>
       </component>
     </metadata>
    </bom></xml>
   .
   .
   . 
   (The long output was shortened.)

To show a CycloneDX JSON formatted SBOM for the discovered packages in the Alpine Linux distribution.

syft packages alpine:latest -o cyclonedx-json

SPDX (Software Package Data Exchange) is another Syft-supported output format that is a standard format for describing software packages' contents, licenses, and copyrights. It includes standard fields for describing software packages and a unique identifier for each package, which can be used to track it throughout its lifecycle.

The SPDX format is designed to be machine-readable and can be used by tools and platforms to automate the management and tracking of software packages. It can also improve transparency and collaboration between stakeholders in the software supply chain, reducing legal and compliance risks.

To show an SPDX 2.3 Tag-Value formatted SBOM for the discovered packages in the Alpine Linux distribution.

$ syft packages alpine:latest -o spdx

 ✔ Parsed image
 ✔ Cataloged packages      [16 packages]

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: alpine:latest
DocumentNamespace: https://anchore.com/syft/image/alpine-latest-16733020-68e6-4bfd-bfd7-bbed3825f0d5
LicenseListVersion: 3.20
Creator: Organization: Anchore, Inc
Creator: Tool: syft-0.79.0
Created: 2023-05-09T14:25:16Z

##### Unpackaged files

FileName: /etc/inittab
SPDXID: SPDXRef-1404dd0745f3bef1
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: NOASSERTION
FileComment: layerID: sha256:26cbea5cba74143fbe6f584f5fc5321543155aedc4a434fcaa63b643877b5a74

.
.
.


##### Package: alpine-baselayout

PackageName: alpine-baselayout
SPDXID: SPDXRef-Package-apk-alpine-baselayout-82c109be53c209bb
PackageVersion: 3.4.0-r0
PackageOriginator: Person: Natanael Copa <ncopa@alpinelinux.org>
PackageDownloadLocation: https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout
FilesAnalyzed: false

.
.
.

##### Relationships

Relationship: SPDXRef-Package-apk-scanelf-16e98545260a6eff CONTAINS SPDXRef-5dd4613fe67331e2
Relationship: SPDXRef-Package-apk-scanelf-16e98545260a6eff OTHER SPDXRef-8bfe07ad293828b7
RelationshipComment: evident-by: indicates the package's existence is evident by the given file
Relationship: SPDXRef-Package-apk-scanelf-16e98545260a6eff DEPENDENCY_OF SPDXRef-Package-apk-musl-utils-9d8fd098b3de5203
Relationship: SPDXRef-Package-apk-musl-28a3ab1f54575ecc DEPENDENCY_OF SPDXRef-Package-apk-scanelf-16e98545260a6eff
Relationship: SPDXRef-Package-apk-musl-28a3ab1f54575ecc DEPENDENCY_OF SPDXRef-Package-apk-ssl-client-4f13aec167fde353
Relationship: SPDXRef-Package-apk-musl-28a3ab1f54575ecc DEPENDENCY_OF SPDXRef-Package-apk-zlib-7a12bd3759e45c1e
Relationship: SPDXRef-Package-apk-musl-28a3ab1f54575ecc DEPENDENCY_OF SPDXRef-Package-apk-libssl3-82773226b4c34596

.
.
.
(The long output was shortened.)
</ncopa@alpinelinux.org>

To show an SPDX 2.3 JSON formatted SBOM for the discovered packages in the Alpine Linux distribution.

syft packages alpine:latest -o spdx-json

To show an SBOM formatted according to a given template file named my_format.tmpl. The format of the SBOM is based on the contents of the template file.

syft packages alpine:latest -o template -t my_format.tmpl

Here's an example of what a my_format.tmpl file could look like:

{ range . }
Package Name: { .Name }
Version: { .Version }
License: { .License }
{ if .Depends }
Dependencies:
{ range .Depends }
- { .Name } { .Version } { .License }
{ end }
{ end }
{ end }

This template file will produce an SBOM in a format that includes the name, version, and license information for each package, as well as any dependencies that each package has. The output will be in plain text format and can be redirected to a file or piped to another command for further processing.

The extension for this template file could be .tmpl or .txt, but it's not a strict requirement. You can name it whatever you prefer, as long as you specify the correct filename when running the syft packages command with the -t flag.

Scanning a Container Image with Anchore Grype

To scan a container image with Anchore Grype, follow these steps:

docker pull alpine

2. Run Anchore Grype on the container image by running the following command:

$ grype alpine:latest
 ✔ Vulnerability DB        [updated]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [16 packages]
 ✔ Scanning image...       [2 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible (2 unknown)
   └── 2 fixed

NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Unknown
libssl3     3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Unknown

This will scan the "alpine" container image and identify any vulnerabilities in the software

components and dependencies that are present in the container image.

These commands are related to the “grype” tool, which is a vulnerability scanner for container images and file systems. The commands specify how to scan container images using different input methods.

Here's an explanation of each command and its purpose:

To explicitly use the Podman daemon to scan the specified container image.

grype podman:yourrepo/yourimage:tag

To use the Docker daemon to scan the specified container image.

grype docker:yourrepo/yourimage:tag

To use a tarball from disk for archives created from "docker save" to scan the container image.

grype docker-archive:path/to/yourimage.tar

To use a tarball from disk for OCI archives (from Podman or otherwise) to scan the container image.

grype oci-archive:path/to/yourimage.tar

To read directly from a path on disk for OCI layout directories (from Skopeo or otherwise) to scan the container image.

grype oci-dir:path/to/yourimage

To read directly from a path on disk for any directory. It can be used to scan the contents of a file system for vulnerabilities.

grype dir:path/to/yourproject

Grype allows us to use Syft outputs as an input of Grype to run vulnerability analysis of the packages listed in the Syft output.

To read a Syft JSON file from a path on disk to scan the container image you can use the following command. As we mentioned, Syft is a library for generating Software Bill of Materials (SBOMs) and is used by Grype to scan container images for vulnerabilities.

grype sbom:path/to/syft.json

You can use the following command to pull the container image directly from a registry without requiring a container runtime. This can be useful when you don't have access to a container runtime or don't want to use one.

grype registry:yourrepo/yourimage:tag

In this hands-on example, we've demonstrated how to use Anchore Syft and Anchore Grype to analyse and scan container images. Anchore Syft generates a software bill of materials (SBOM) for container images, which helps to identify potential vulnerabilities and issues with the container image. Anchore Grype scans container images and identifies vulnerabilities in the software components and dependencies that are present in the container image.

Conclusion

Container security is a crucial aspect of the software development process, and tools like Anchore Syft and Anchore Grype can help developers and security teams automate container security workflows. Syft helps to generate an SBOM for container images, which enables developers to identify potential vulnerabilities and issues with the container image. Grype performs vulnerability scanning on container images and identifies vulnerabilities in the software components and dependencies that are present in the container image.

Using Anchore Syft and Anchore Grype, developers and security teams can automate container security workflows and ensure their containerised applications are free from vulnerabilities and malware.

Although Syft and Grype have powerful features which can be used as open-source, Anchore also has a commercial solution named Anchore Enterprise, which provides additional capabilities such as User Management, Customized Policy Rules, Report Generation, Continuous Scanning and Analysis through an effective UI.

You can always contact us to learn more about Anchore Enterprise.