Scan images in Kubernetes manifest(s)

[MPV]

What would you like to be added:

I’d like to be able to point Syft towards a file/folder of Kubernetes manifests and get results of CVEs etc for that/those images referred to in those manifests.

Why is this needed:

To make use of Syft for things I’m not building myself but still using. Also not running the scan at runtime but shifting left so I can see CVE differences etc in my PRs, Dependabot Alerts etc.

Additional context:

[tgerla]

Hi @MPV, thanks for the suggestion. Usually Syft only scans one image at a time and produces an SBOM for a particular image, as opposed to a set of images. Would it work for your use case if there was a higher-level script that extracted a list of images referred to in a Kubernetes manifest and then looped over each one with Syft to create a set of SBOMs?

[MPV]

Hi @MPV, thanks for the suggestion. Usually Syft only scans one image at a time and produces an SBOM for a particular image, as opposed to a set of images. Would it work for your use case if there was a higher-level script that extracted a list of images referred to in a Kubernetes manifest and then looped over each one with Syft to create a set of SBOMs?

@tgerla Yeah that also makes sense. I guess either solution also needs to be good (enough) at finding the image(s) from manifest(s).

Maybe there's something that's already good at that (and thus can just be combined with this), any ideas...? 🤔

[tgerla]

I thought the easiest way might be with a jq query on the JSON version of the Kubernetes manifest. Here is a prototype bash script that you might start with: https://gist.github.com/tgerla/3065156018f697e0040e80bee8fe7daf

I've only tested this on one single manifest (below the script in the gist) and I'm not really familiar with the manifest format, but this might be a good start! There might be a more "kubernetes-style" way to do this. Hope it is useful!

[willmurphyscode]

Discussion notes:

• There a few situations where Syft/Grype might be asked to scan multiple images (kubernetes manifest, docker-compose.yml, multi-arch image, probably others)
• Doing so is a bit challenging in terms of performance, how to represent the output, and how to handle command line UX.

Is there anything we want to or could do here?

[willmurphyscode]

It seems like there's probably not a great way to implement this within the Syft 1.0 compatability window, because Syft's CLI and API currently have no way of representing multiple sources within a single execution. We could resume discussion as part of Syft 2.0 planning.

My intuition is that this functionality belongs outside Syft. For example, a small program or script that pulls all the declared images out of the kubernetes manifest and invokes Syft on them separately, such as @tgerla suggested at #2729 (comment).

[willmurphyscode]

We had a similar discussion on #1683, and it seems like another path forward might be to make a new package type for an OCI image. Then we could have a single source object that describes the kubernetes manifest, and each image it would pull could be an artifact in it, and those images could have packages within them. This could be represented in Syft's data model by having contains relationships from the manifest to the images, and then from the images to the packages that were found in them. We could make an additive changing of adding an image ID, similar to layer ID, to the file coordinates, which are already a tuple of (layer, path) and would need to be (image, layer, path). This might be a big change, but it might also unlock building SBOMs for systems that consist of multiple images.