Docker Image Scan with SYFT

As we move toward a Zero-Trust model for information security, security experts have raised concerns about the application-level security of workloads deployed in containers. The recent vulnerability CVE-2022-0811, identified in the CRI container runtime engine, has turned that concern into reality.

For those who are not aware: as per CrowdStrike, when invoked, this flaw lets an attacker escape from a Kubernetes container, gain root access to the host, and move anywhere in the cluster. Read more about this here.

Docker ships a built-in docker scan plugin that scans images pulled directly from registries.

Docker Scan Plugin

If your host does not have the scan plugin installed by default, install it with your environment's preferred package manager. Once it is installed, log in to your remote repository and pass the image name of your container:

[centos@centos7 ~]$ docker scan centos

Testing centos...

✗ Low severity vulnerability found in vim-minimal
  Description: NULL Pointer Dereference
  Introduced through: vim-minimal@2:8.0.1763-15.el8
  From: vim-minimal@2:8.0.1763-15.el8

✗ Low severity vulnerability found in vim-minimal
  Description: Use After Free
  Introduced through: vim-minimal@2:8.0.1763-15.el8
  From: vim-minimal@2:8.0.1763-15.el8
Package manager:   rpm
Project name:      docker-image|centos
Docker image:      centos
Platform:          linux/amd64
Base image:        centos:centos8.4.2105

Tested 180 dependencies for known vulnerabilities, found 298 vulnerabilities.

According to our scan, you are currently using the most secure version of the selected base image

SYFT, developed by Anchore, is a CLI utility that complements the Docker scan plugin: it produces the list of dependencies used as part of the image build as an SBOM (Software Bill of Materials).

Let me share how to install and use SYFT with the Docker container runtime engine.

Installation of SYFT

To use SYFT in our environment, we first need to fetch the SYFT installer from the project's official Git repository.

[root@centos7 ~]# curl -sSfL | sh -s -- -b /usr/local/bin
[info] fetching release script for tag='v0.44.1'
[info] using release tag='v0.44.1' version='0.44.1' os='linux' arch='amd64'
[info] installed /usr/local/bin/syft


To test SYFT, call the SYFT binary and pass it the container image to be scanned. In the example below, I ran it against the latest CentOS image.

[root@centos7 bin]# /usr/local/bin/syft centos
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [183 packages]
NAME                         VERSION                          TYPE
acl                          2.2.53-1.el8                     rpm
audit-libs                   3.0-0.17.20191104git1c2f876.el8  rpm
basesystem                   11-5.el8                         rpm
bash                         4.4.19-14.el8                    rpm
bind-export-libs             32:9.11.26-3.el8                 rpm
binutils                     2.30-93.el8                      rpm
bzip2-libs                   1.0.6-26.el8                     rpm
ca-certificates              2020.2.41-80.0.el8_2             rpm
centos-gpg-keys              1:8-2.el8                        rpm
centos-linux-release         8.4-1.2105.el8                   rpm
centos-linux-repos           8-2.el8                          rpm
chkconfig                    1.13-2.el8                       rpm
coreutils-single             8.30-8.el8                       rpm
cpio                         2.12-10.el8                      rpm
cracklib                     2.9.6-15.el8                     rpm
cracklib-dicts               2.9.6-15.el8                     rpm
crypto-policies              20210209-1.gitbfb6bed.el8_3      rpm
cryptsetup-libs              2.3.3-4.el8                      rpm
curl                         7.61.1-18.el8                    rpm
cyrus-sasl-lib               2.1.27-5.el8                     rpm
dbus                         1:1.12.8-12.el8                  rpm
device-mapper                8:1.02.175-5.el8                 rpm
device-mapper-libs           8:1.02.175-5.el8                 rpm
dhcp-client                  12:4.3.6-44.0.1.el8              rpm
dhcp-common                  12:4.3.6-44.0.1.el8              rpm
dhcp-libs                    12:4.3.6-44.0.1.el8              rpm
dnf                          4.4.2-11.el8                     rpm
dnf-data                     4.4.2-11.el8                     rpm
dracut                       049-135.git20210121.el8          rpm
dracut-network               049-135.git20210121.el8          rpm
dracut-squash                049-135.git20210121.el8          rpm
elfutils-default-yama-scope  0.182-3.el8                      rpm
elfutils-libelf              0.182-3.el8                      rpm
elfutils-libs                0.182-3.el8                      rpm
ethtool                      2:5.8-5.el8                      rpm
expat                        2.2.5-4.el8                      rpm
file-libs                    5.33-16.el8_3.1                  rpm
filesystem                   3.8-3.el8                        rpm
findutils                    1:4.6.0-20.el8                   rpm
gawk                         4.2.1-2.el8                      rpm
gdbm                         1:1.18-1.el8                     rpm
gdbm-libs                    1:1.18-1.el8                     rpm
glib2                        2.56.4-9.el8                     rpm
glibc                        2.28-151.el8                     rpm
glibc-common                 2.28-151.el8                     rpm
glibc-minimal-langpack       2.28-151.el8                     rpm
gmp                          1:6.1.2-10.el8                   rpm
gnupg2                       2.2.20-2.el8                     rpm
gnutls                       3.6.14-7.el8_3                   rpm
gpg                          1.13.1                           python
gpgme                        1.13.1-7.el8                     rpm
grep                         3.1-6.el8                        rpm
gzip                         1.9-12.el8                       rpm
hostname                     3.20-6.el8                       rpm
hwdata                       0.314-8.8.el8                    rpm
ima-evm-utils                1.3.2-12.el8                     rpm
info                         6.5-6.el8                        rpm
ipcalc                       0.2.4-4.el8                      rpm
iproute                      5.9.0-4.el8                      rpm
iptables-libs                1.8.4-17.el8                     rpm
iputils                      20180629-7.el8                   rpm
json-c                       0.13.1-0.4.el8                   rpm
kexec-tools                  2.0.20-46.el8                    rpm
keyutils-libs                1.5.10-6.el8                     rpm
kmod                         25-17.el8                        rpm
kmod-libs                    25-17.el8                        rpm
krb5-libs                    1.18.2-8.el8                     rpm
langpacks-en                 1.0-12.el8                       rpm
less                         530-1.el8                        rpm
libacl                       2.2.53-1.el8                     rpm
libarchive                   3.3.3-1.el8                      rpm
libassuan                    2.5.1-3.el8                      rpm
libattr                      2.4.48-3.el8                     rpm
libblkid                     2.32.1-27.el8                    rpm
libcap                       2.26-4.el8                       rpm
libcap-ng                    0.7.9-5.el8                      rpm
libcom_err                   1.45.6-1.el8                     rpm
libcomps                     0.1.11-5.el8                     rpm
libcurl-minimal              7.61.1-18.el8                    rpm
libdb                        5.3.28-40.el8                    rpm
libdb-utils                  5.3.28-40.el8                    rpm
libdnf                       0.55.0-7.el8                     rpm
libfdisk                     2.32.1-27.el8                    rpm
libffi                       3.1-22.el8                       rpm
libgcc                       8.4.1-1.el8                      rpm
libgcrypt                    1.8.5-4.el8                      rpm
libgpg-error                 1.31-1.el8                       rpm
libibverbs                   32.0-4.el8                       rpm
libidn2                      2.2.0-1.el8                      rpm
libkcapi                     1.2.0-2.el8                      rpm
libkcapi-hmaccalc            1.2.0-2.el8                      rpm
libksba                      1.3.5-7.el8                      rpm
libmetalink                  0.1.3-7.el8                      rpm
lzo                          2.08-14.el8                      rpm
mpfr                         3.1.6-1.el8                      rpm
ncurses-base                 6.1-7.20180224.el8               rpm
ncurses-libs                 6.1-7.20180224.el8               rpm
nettle                       3.4.1-2.el8                      rpm
npth                         1.5-4.el8                        rpm
openldap                     2.4.46-16.el8                    rpm
openssl-libs                 1:1.1.1g-15.el8_3                rpm
p11-kit                      0.23.22-1.el8                    rpm
p11-kit-trust                0.23.22-1.el8                    rpm
pam                          1.3.1-14.el8                     rpm
pciutils                     3.7.0-1.el8                      rpm
pciutils-libs                3.7.0-1.el8                      rpm
pcre                         8.42-4.el8                       rpm
pcre2                        10.32-2.el8                      rpm
platform-python              3.6.8-37.el8                     rpm
platform-python-setuptools   39.2.0-6.el8                     rpm
popt                         1.18-1.el8                       rpm
procps-ng                    3.3.15-6.el8                     rpm
python3-dnf                  4.4.2-11.el8                     rpm
python3-libs                 3.6.8-37.el8                     rpm
python3-pip-wheel            9.0.3-19.el8                     rpm
python3-rpm                  4.14.3-13.el8                    rpm
python3-setuptools-wheel     39.2.0-6.el8                     rpm
rdma-core                    32.0-4.el8                       rpm
readline                     7.0-10.el8                       rpm
rootfiles                    8.1-22.el8                       rpm
rpm                          4.14.3                           python
rpm                          4.14.3-13.el8                    rpm
rpm-build-libs               4.14.3-13.el8                    rpm
rpm-libs                     4.14.3-13.el8                    rpm
sed                          4.5-2.el8                        rpm
setup                        2.12.2-6.el8                     rpm
setuptools                   39.2.0                           python
shadow-utils                 2:4.6-12.el8                     rpm
snappy                       1.1.8-3.el8                      rpm
sqlite-libs                  3.26.0-13.el8                    rpm
squashfs-tools               4.3-20.el8                       rpm
systemd                      239-45.el8                       rpm
systemd-libs                 239-45.el8                       rpm
systemd-pam                  239-45.el8                       rpm
systemd-udev                 239-45.el8                       rpm
tar                          2:1.30-5.el8                     rpm
tpm2-tss                     2.3.2-3.el8                      rpm
tzdata                       2021a-1.el8                      rpm
util-linux                   2.32.1-27.el8                    rpm
vim-minimal                  2:8.0.1763-15.el8                rpm
xz                           5.2.4-3.el8                      rpm
xz-libs                      5.2.4-3.el8                      rpm
yum                          4.4.2-11.el8                     rpm
zlib                         1.2.11-17.el8                    rpm

Docker SBOM (Under Development) with SYFT

Quoting the documentation: “The experimental docker sbom command allows you to generate the SBOM of a container image. Today, it does this by scanning the layers of the image using the Syft project but in the future, it may read the SBOM from the image itself or elsewhere.”

$ docker sbom centos
Syft v0.43.0

 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [183 packages]
NAME                         VERSION                          TYPE
acl                          2.2.53-1.el8                     rpm
audit-libs                   3.0-0.17.20191104git1c2f876.el8  rpm
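Both `syft <image>` and `docker sbom <image>` print the same NAME / VERSION / TYPE table, and the docker scan output earlier on the page names each vulnerable package as name@version. The script below is an added example, not code from the original post or from the Syft project: it parses a constructed excerpt of that table and of the docker scan findings shown above, matches each finding against the SBOM by exact name@version, and reports names that were catalogued under more than one package type (the CentOS run above lists rpm both as an rpm and as a python package). The sample inputs are constructed inline from the page's own output, and the function names are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a few lines in the table format that `syft <image>`
# and `docker sbom <image>` print, copied from the page's CentOS run.
SYFT_TABLE = """\
NAME                         VERSION                          TYPE
acl                          2.2.53-1.el8                     rpm
gpg                          1.13.1                           python
gpgme                        1.13.1-7.el8                     rpm
rpm                          4.14.3                           python
rpm                          4.14.3-13.el8                    rpm
vim-minimal                  2:8.0.1763-15.el8                rpm
zlib                         1.2.11-17.el8                    rpm
"""

# Constructed sample: the two findings printed by `docker scan centos` above.
DOCKER_SCAN_OUTPUT = """\
✗ Low severity vulnerability found in vim-minimal
  Description: NULL Pointer Dereference
  Introduced through: vim-minimal@2:8.0.1763-15.el8
  From: vim-minimal@2:8.0.1763-15.el8

✗ Low severity vulnerability found in vim-minimal
  Description: Use After Free
  Introduced through: vim-minimal@2:8.0.1763-15.el8
  From: vim-minimal@2:8.0.1763-15.el8
"""

Package = Dict[str, str]


def parse_syft_table(text: str) -> List[Package]:
    """Parse Syft's default three-column table (NAME VERSION TYPE) into records."""
    packages: List[Package] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] == "NAME":
            continue  # skip the header, blank lines and progress lines
        name, version, ptype = fields
        packages.append({"name": name, "version": version, "type": ptype})
    return packages


_FINDING_RE = re.compile(r"^\s*✗\s+(?P<severity>\w+) severity vulnerability found in (?P<name>\S+)")
_DESC_RE = re.compile(r"^\s*Description:\s*(?P<desc>.+)$")
_INTRO_RE = re.compile(r"^\s*Introduced through:\s*(?P<name>[^@\s]+)@(?P<version>\S+)")


def parse_docker_scan(text: str) -> List[Package]:
    """Collect one record per '✗ ... vulnerability found in ...' block."""
    findings: List[Package] = []
    for line in text.splitlines():
        m = _FINDING_RE.match(line)
        if m:  # a new finding starts; later lines fill in its details
            findings.append({"severity": m["severity"], "name": m["name"],
                             "description": "", "version": ""})
            continue
        if not findings:
            continue
        m = _DESC_RE.match(line)
        if m:
            findings[-1]["description"] = m["desc"].strip()
            continue
        m = _INTRO_RE.match(line)
        if m:
            findings[-1]["version"] = m["version"]
    return findings


def reconcile(packages: List[Package], findings: List[Package]) -> Tuple[List[Package], List[Package]]:
    """Map scanner findings onto SBOM entries by exact name@version.

    Matched findings gain the SBOM package type. An unmatched finding names
    something the SBOM does not list, i.e. the scanned image and the SBOM
    have drifted apart and the SBOM should be regenerated before it is trusted.
    """
    index = {(p["name"], p["version"]): p for p in packages}
    matched, unmatched = [], []
    for finding in findings:
        pkg = index.get((finding["name"], finding["version"]))
        if pkg:
            matched.append({**finding, "type": pkg["type"]})
        else:
            unmatched.append(finding)
    return matched, unmatched


def multi_ecosystem_names(packages: List[Package]) -> Dict[str, List[str]]:
    """Names catalogued under more than one package type (e.g. rpm and python)."""
    seen = defaultdict(set)
    for p in packages:
        seen[p["name"]].add(p["type"])
    return {name: sorted(types) for name, types in seen.items() if len(types) > 1}


if __name__ == "__main__":
    pkgs = parse_syft_table(SYFT_TABLE)
    found = parse_docker_scan(DOCKER_SCAN_OUTPUT)
    matched, unmatched = reconcile(pkgs, found)
    print(f"{len(pkgs)} SBOM packages, {len(found)} findings, {len(matched)} matched, {len(unmatched)} unmatched")
    for f in matched:
        print(f"  {f['severity']:>6}  {f['name']}@{f['version']} ({f['type']}): {f['description']}")
    for name, types in multi_ecosystem_names(pkgs).items():
        print(f"  note: {name} is catalogued under {', '.join(types)}")
```

With real output you would redirect the table to a file (`syft centos > syft.txt`) or, better, use Syft's JSON output (`syft -o json centos`) and read its artifacts list instead of parsing columns; the reconciliation step stays the same, and the multi-ecosystem check is worth keeping because the same component counted twice inflates package totals and can double-count or hide findings.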