How To: Vulnerability Scanning of Singularity Containers with Syft and Grype

Aug 4, 2022 | How To Guides

Syft and Grype are two open source projects, led by Anchore, that can generate a Software Bill of Materials (SBOM) for a container, and then analyze the SBOM to identify vulnerabilities. Over the past few months we’ve had a great experience collaborating with Anchore to add support for the Singularity Image Format (SIF) to Syft, through the underlying stereoscope library.

We’re pleased to announce that SIF support has been merged into Syft, and you can now use these fantastic tools as part of your supply chain security strategy. They’re easy to integrate into CI/CD workflows, and can sit alongside Singularity’s signing and verification support to increase confidence that you are only running secure workloads on your critical systems.

Installing Syft & Grype

Let’s install the latest version of Syft, which includes the recently merged SIF support, following the instructions on the README, e.g.

 

$ curl -sSfL 
https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Change the /usr/local/bin to a path that is writable by the current user, and part of your PATH, so you can run Syft directly.

Now install the latest version of Grype, following the instructions on the README, e.g.

 

$ curl -sSfL 
https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Change the /usr/local/bin to a path that is writable by the current user, and part of your PATH, so you can run Grype directly.

Create an SBOM for a SIF image with Syft

We have a SIF container called ubuntu_latest.sif that we would like to scan for vulnerabilities. First we will generate an SBOM using Syft, that inventories the contents of the container. We’ll then be able to use this SBOM for vulnerability analysis at any point in the future, without needing to re-scan the container image itself.

$ syft singularity:ubuntu_latest.sif -o cyclonedx-json=ubuntu_latest.sbom.cdx.json
 ✔ Parsed image
 ✔ Cataloged packages  	[101 packages]

Note that we prefix the SIF image name with singularity: and we are asking Syft to output a CycloneDX JSON format SBOM, which is a common and broadly adopted standard.

Identify vulnerabilities with Grype

We can now process the SBOM with Grype to identify any known vulnerabilities the image contains. We can do this periodically, to keep track of the security of the image as it ages. The SBOM file is all we need – we don’t need to scan the image again.

Note that we prefix the SBOM file with SBOM: as Grype can also work against images directly. However SIF support hasn’t reached it yet, and scanning an SBOM is more flexible and performant for periodic review of image security over time.

$ grype sbom:ubuntu_latest.sbom.cdx.json
 ✔ Vulnerability DB    	[no update available]
 ✔ Scanned image       	[26 vulnerabilities]
NAME         	INSTALLED             	FIXED-IN       	TYPE  VULNERABILITY   SEVERITY
coreutils    	8.32-4.1ubuntu1                          	deb   CVE-2016-2781   Low
e2fsprogs    	1.46.5-2ubuntu1       	1.46.5-2ubuntu1.1  deb   CVE-2022-1304   Medium
gpgv         	2.2.27-3ubuntu2       	2.2.27-3ubuntu2.1  deb   CVE-2022-34903  Medium
libc-bin     	2.35-0ubuntu3                            	deb   CVE-2016-20013  Negligible
libc6        	2.35-0ubuntu3                            	deb   CVE-2016-20013  Negligible
libcom-err2  	1.46.5-2ubuntu1       	1.46.5-2ubuntu1.1  deb   CVE-2022-1304   Medium
libext2fs2   	1.46.5-2ubuntu1       	1.46.5-2ubuntu1.1  deb   CVE-2022-1304   Medium
libgmp10     	2:6.2.1+dfsg-3ubuntu1                    	deb   CVE-2021-43618  Low
...

There are 26 vulnerabilities in this image, ranging from negligible to medium severity. Grype lets us know if a fix is available from a distribution package, and gives us the CVE number for further review.

Summary

First class SIF support in syft opens up new, easier workflows for vulnerability scanning of Singularity containers, as well inventory / audit processes that are increasingly important to users and institutions focused on supply chain security.

We’d like to thank Anchore for all of their help in landing support for SIF in stereoscope and Syft. Sylabs is committed to working with prominent projects in the OCI world, so that users can benefit from the unique features of SIF, while leveraging tools from the wider OCI ecosystem.

Join Our Mailing List

Related Posts

Pin It on Pinterest