How To: Vulnerability Scanning of Singularity Containers with Syft and Grype

Aug 4, 2022 | How To Guides

Syft and Grype are two open source projects, led by Anchore, that can generate a Software Bill of Materials (SBOM) for a container, and then analyze the SBOM to identify vulnerabilities. Over the past few months we’ve had a great experience collaborating with Anchore to add support for the Singularity Image Format (SIF) to Syft, through the underlying stereoscope library.

We’re pleased to announce that SIF support has been merged into Syft, and you can now use these fantastic tools as part of your supply chain security strategy. They’re easy to integrate into CI/CD workflows, and can sit alongside Singularity’s signing and verification support to increase confidence that you are only running secure workloads on your critical systems.

Installing Syft & Grype

Let’s install the latest version of Syft, which includes the recently merged SIF support, following the instructions on the README, e.g.

$ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Change the /usr/local/bin to a path that is writable by the current user, and part of your PATH, so you can run Syft directly.

Now install the latest version of Grype, following the instructions on the README, e.g.

$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Change the /usr/local/bin to a path that is writable by the current user, and part of your PATH, so you can run Grype directly.

Create an SBOM for a SIF image with Syft

We have a SIF container called ubuntu_latest.sif that we would like to scan for vulnerabilities. First we will generate an SBOM using Syft that inventories the contents of the container. We’ll then be able to use this SBOM for vulnerability analysis at any point in the future, without needing to re-scan the container image itself.

$ syft singularity:ubuntu_latest.sif -o cyclonedx-json=ubuntu_latest.sbom.cdx.json
 ✔ Parsed image
 ✔ Cataloged packages  	[101 packages]

Note that we prefix the SIF image name with singularity: and we are asking Syft to output a CycloneDX JSON format SBOM, which is a common and broadly adopted standard.

Identify vulnerabilities with Grype

We can now process the SBOM with Grype to identify any known vulnerabilities the image contains. We can do this periodically, to keep track of the security of the image as it ages. The SBOM file is all we need – we don’t need to scan the image again.

Note that we prefix the SBOM file with sbom: as Grype can also work against images directly. However, SIF support hasn’t reached Grype yet, and scanning an SBOM is more flexible and performant for periodic review of image security over time.

$ grype sbom:ubuntu_latest.sbom.cdx.json
 ✔ Vulnerability DB    	[no update available]
 ✔ Scanned image       	[26 vulnerabilities]
NAME         	INSTALLED             	FIXED-IN       	TYPE  VULNERABILITY   SEVERITY
coreutils    	8.32-4.1ubuntu1                          	deb   CVE-2016-2781   Low
e2fsprogs    	1.46.5-2ubuntu1       	1.46.5-2ubuntu1.1  deb   CVE-2022-1304   Medium
gpgv         	2.2.27-3ubuntu2       	2.2.27-3ubuntu2.1  deb   CVE-2022-34903  Medium
libc-bin     	2.35-0ubuntu3                            	deb   CVE-2016-20013  Negligible
libc6        	2.35-0ubuntu3                            	deb   CVE-2016-20013  Negligible
libcom-err2  	1.46.5-2ubuntu1       	1.46.5-2ubuntu1.1  deb   CVE-2022-1304   Medium
libext2fs2   	1.46.5-2ubuntu1       	1.46.5-2ubuntu1.1  deb   CVE-2022-1304   Medium
libgmp10     	2:6.2.1+dfsg-3ubuntu1                    	deb   CVE-2021-43618  Low
...

There are 26 vulnerabilities in this image, ranging from negligible to medium severity. Grype lets us know if a fix is available from a distribution package, and gives us the CVE number for further review.
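To act on this output in a CI job, here is an added example (not from this post, and not part of Syft or Grype) that reads Grype's JSON report (`grype sbom:ubuntu_latest.sbom.cdx.json -o json > grype.json`), prints a count per severity, and fails the build when any finding at or above a chosen severity has a distribution fix available, which is exactly the case where upgrading packages and rebuilding the SIF image removes the finding. The sample document is constructed to mirror rows of the table above; the JSON field names (`matches[].vulnerability.id`, `.severity`, `.fix.state`, `.fix.versions` and `matches[].artifact.name`, `.version`, `.type`) follow Grype's JSON schema as the example's author understands it and should be checked against the Grype version you run. Grype's own `--fail-on` and `--only-fixed` flags cover the simple case; this script is for when you also want the counts or a custom policy.

```python
import json
import sys
from collections import Counter

# Grype severity labels, lowest to highest (assumed ordering; "Unknown" ranks lowest).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in the shape of `grype -o json`, mirroring rows of the
# table in the post. The field names are an assumption about Grype's JSON schema.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2016-2781", "severity": "Low",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "coreutils", "version": "8.32-4.1ubuntu1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2022-1304", "severity": "Medium",
                       "fix": {"versions": ["1.46.5-2ubuntu1.1"], "state": "fixed"}},
     "artifact": {"name": "e2fsprogs", "version": "1.46.5-2ubuntu1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2022-34903", "severity": "Medium",
                       "fix": {"versions": ["2.2.27-3ubuntu2.1"], "state": "fixed"}},
     "artifact": {"name": "gpgv", "version": "2.2.27-3ubuntu2", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2016-20013", "severity": "Negligible",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libc6", "version": "2.35-0ubuntu3", "type": "deb"}},
]})


def severity_rank(severity):
    """Comparable integer for a severity label; unrecognised labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def findings(report_text):
    """Flatten a Grype JSON document into (package, installed, cve, severity, fixed_in) tuples.

    fixed_in is the comma-joined fix versions when Grype reports state "fixed",
    otherwise an empty string (no distribution fix known)."""
    report = json.loads(report_text)
    out = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        fix = vuln.get("fix") or {}
        fixed_in = ", ".join(fix.get("versions", [])) if fix.get("state") == "fixed" else ""
        out.append((art["name"], art["version"], vuln["id"],
                    vuln.get("severity", "Unknown"), fixed_in))
    return out


def counts_by_severity(report_text):
    """Counter of findings per severity label, e.g. {'Medium': 2, 'Low': 1, ...}."""
    return Counter(f[3] for f in findings(report_text))


def gate(report_text, fail_on="Medium", only_fixed=True):
    """Return the findings that violate the policy (an empty list means pass).

    A finding violates when its severity is at or above `fail_on` and, when
    `only_fixed` is set, a distribution fix exists (fixed_in is non-empty)."""
    threshold = severity_rank(fail_on)
    return [f for f in findings(report_text)
            if severity_rank(f[3]) >= threshold and (not only_fixed or f[4])]


def main(argv):
    # Usage: python gate.py grype.json [fail-on-severity]; with no file, the sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GRYPE_JSON
    fail_on = argv[2] if len(argv) > 2 else "Medium"
    for sev, n in sorted(counts_by_severity(text).items(),
                         key=lambda kv: -severity_rank(kv[0])):
        print(f"{sev:<11}{n}")
    violations = gate(text, fail_on)
    for pkg, installed, cve, sev, fixed_in in violations:
        print(f"FAIL {pkg} {installed} -> {fixed_in} ({cve}, {sev})")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample, the gate at Medium reports e2fsprogs and gpgv (both Medium with a fix available) and exits non-zero, while coreutils (Low, no fix) and libc6 (Negligible, no fix) are counted but do not fail the build; re-running the same script against a fresh `grype -o json` report from the stored SBOM is all the periodic review needs.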

Summary

First class SIF support in Syft opens up new, easier workflows for vulnerability scanning of Singularity containers, as well as inventory / audit processes that are increasingly important to users and institutions focused on supply chain security.

We’d like to thank Anchore for all of their help in landing support for SIF in stereoscope and Syft. Sylabs is committed to working with prominent projects in the OCI world, so that users can benefit from the unique features of SIF, while leveraging tools from the wider OCI ecosystem.
