https://github.com/docker/buildkit-syft-scanner
BuildKit Syft scanner
- Host: GitHub
- URL: https://github.com/docker/buildkit-syft-scanner
- Owner: docker
- License: apache-2.0
- Created: 2022-11-18T16:37:33.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2025-01-23T05:46:54.000Z (12 months ago)
- Last Synced: 2025-03-29T03:06:05.651Z (10 months ago)
- Language: Go
- Homepage: https://hub.docker.com/r/docker/buildkit-syft-scanner/tags
- Size: 57.3 MB
- Stars: 29
- Watchers: 7
- Forks: 10
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# BuildKit Syft scanner
This repo packages the [Syft scanner](https://github.com/anchore/syft) as a
[BuildKit SBOM generator](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md)
to include scan results with the output of Docker builds.
The [docker/buildkit-syft-scanner](https://hub.docker.com/r/docker/buildkit-syft-scanner)
image implements the BuildKit SBOM scanner protocol defined
[here](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom-protocol.md).
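As an added illustration (not code from this repository), this Go example shows the output half of a scanner of this kind: wrapping an SPDX document in an in-toto statement and writing it under the destination directory. The `BUILDKIT_SCAN_DESTINATION` variable, the `.spdx.json` naming and the statement fields are taken from the linked protocol document rather than from this page; `Statement` and `WriteScan` are hypothetical names, and the SPDX input is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Statement is the in-toto v0.1 envelope; the subject is omitted here on the
// assumption (from the linked protocol document) that BuildKit fills it in.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// WriteScan wraps an SPDX JSON document and writes it to <dest>/<name>.spdx.json.
func WriteScan(dest, name string, spdx []byte) (string, error) {
	if dest == "" {
		return "", errors.New("BUILDKIT_SCAN_DESTINATION is not set")
	}
	if !json.Valid(spdx) {
		return "", errors.New("scanner output is not valid JSON")
	}
	// filepath.Base keeps a scan name from escaping the destination directory.
	out := filepath.Join(dest, filepath.Base(name)+".spdx.json")
	data, err := json.MarshalIndent(Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: "https://spdx.dev/Document",
		Predicate:     spdx,
	}, "", "  ")
	if err != nil {
		return "", err
	}
	return out, os.WriteFile(out, data, 0o644)
}

func main() {
	// Constructed stand-in for the result of scanning BUILDKIT_SCAN_SOURCE.
	spdx := []byte(`{"spdxVersion":"SPDX-2.3","name":"constructed-sample","packages":[]}`)
	path, err := WriteScan(os.Getenv("BUILDKIT_SCAN_DESTINATION"), "sample", spdx)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	fmt.Println("wrote", path)
}
```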
## Usage
To scan an image during build with [buildctl](https://github.com/moby/buildkit):
```console
$ buildctl build ... \
    --output type=image,name=,push=true \
    --opt attest:sbom=generator=docker/buildkit-syft-scanner
```
## Development
`buildkit-syft-scanner` uses bake to build the project.
To set up a development environment, clone the git repository:
```console
$ git clone https://github.com/docker/buildkit-syft-scanner.git
$ cd buildkit-syft-scanner
```
It's recommended to set up an ephemeral local registry to push the development
image to:
```console
$ docker run -d -p 5000:5000 --rm --name registry registry:2
```
To build the development image, and push it to `localhost:5000/buildkit-syft-scanner:dev`:
```console
$ make dev IMAGE=localhost:5000/buildkit-syft-scanner:dev
```
To test the development image:
```console
$ make examples IMAGE=localhost:5000/buildkit-syft-scanner:dev
```
To scan an image during build with [buildctl](https://github.com/moby/buildkit)
using the development image:
```console
$ buildctl build ... \
    --output type=image,name=,push=true \
    --opt attest:sbom=generator=localhost:5000/buildkit-syft-scanner:dev
```
## Contributing
Want to contribute? Awesome!
`buildkit-syft-scanner` is mostly glue between [BuildKit](https://github.com/moby/buildkit)
and [Syft](https://github.com/anchore/syft), so contributions will most
likely belong in one of those projects. This project is intended to be as thin
a compatibility layer as possible, so we have a strong preference for as little
code here as possible.