When it comes to security, several questions arise:
- Are there any known vulnerabilities in the image?
- If there are known vulnerabilities, how severe are they?
- What actions should I take (if any) to improve the security of my image?
Ideally, a container image is free of vulnerabilities the moment it is built, but we must also consider the lifespan of that container: will it be kept for future scientific endeavors, who will run it, and how may this affect the security of their environment? As new vulnerabilities are discovered, how can we check for them in our container image? SBOMs allow users to continuously scan for known vulnerabilities in their containers and take action when appropriate.
Anchore's grype is the perfect tool for directly scanning SIF images; here is an example of how to do that:
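As an added illustration (not the page's own grype example), the script below turns a grype report into answers to the three questions above: how many findings per severity, whether the image should fail a rescan gate, and which packages already have a fixed version to upgrade to. It assumes the report was produced with `grype singularity:image.sif -o json` and uses grype's documented JSON fields (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version}`); the sample report and its IDs are constructed placeholders.

```python
import json
from collections import Counter

# Severity order used to compare against a threshold (grype's own severity labels).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the shape of `grype singularity:image.sif -o json`; IDs are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["1.2.3"]}},
     "artifact": {"name": "libexample", "version": "1.2.2"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "toolfoo", "version": "0.9"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["2.0"]}},
     "artifact": {"name": "libbar", "version": "1.9"}},
]})


def severity_counts(report_json):
    """How severe are they? Count matches per severity label."""
    report = json.loads(report_json)
    return Counter(m["vulnerability"].get("severity", "Unknown") for m in report["matches"])


def should_fail(report_json, fail_on="High"):
    """Gate a rebuild/rescan pipeline: True if any match is at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK.get(m["vulnerability"].get("severity", "Unknown"), 0) >= threshold
               for m in json.loads(report_json)["matches"])


def upgrade_plan(report_json, fail_on="High"):
    """What to do: packages at/above the threshold that already have a fixed version."""
    threshold = SEVERITY_RANK[fail_on]
    plan = []
    for m in json.loads(report_json)["matches"]:
        v, a = m["vulnerability"], m["artifact"]
        if SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) < threshold:
            continue  # below the gate: report it, but no action required
        fix = v.get("fix", {})
        if fix.get("state") == "fixed" and fix.get("versions"):
            plan.append((a["name"], a["version"], fix["versions"][0], v["id"]))
    return plan


if __name__ == "__main__":
    print(dict(severity_counts(SAMPLE_REPORT)))
    print("fail build:", should_fail(SAMPLE_REPORT))
    for name, cur, fixed, vid in upgrade_plan(SAMPLE_REPORT):
        print(f"{vid}: upgrade {name} {cur} -> {fixed}")
```

For the gate alone, grype's built-in `--fail-on <severity>` and `--only-fixed` flags give the same result without custom code; the script adds the per-package upgrade list on top.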