
Grype docker image on dockerhub has no shell commands available to keep it alive for Jenkins to exec into and scan with it - please add busybox at least #1287

Closed
HariSekhon opened this issue May 11, 2023 · 3 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog good-first-issue Good for newcomers

Comments

@HariSekhon

What happened:

I'm running Jenkins on Kubernetes and am trying to include the grype docker image into the jenkins pod, for which I usually use a simple command like cat to keep the docker container alive so that Jenkins pipelines can exec into the container and run the command to do a scan or build or whatever.

I've found that the grype docker image is so stripped down, it doesn't even have busybox to be able to do this.

I've used this pattern successfully with Trivy before (the Trivy docker image contains busybox) and am now trying to do exactly the same thing with Grype:

    # https://hub.docker.com/r/anchore/grype
    - name: grype
      #image: anchore/grype:v0.61.1
      image: anchore/grype:latest
      imagePullPolicy: Always
      command:
        - cat
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375  # XXX: needs the docker dind container near the top
      tty: true
      resources:
        requests:
          cpu: 300m
          memory: 300Mi
        limits:
          cpu: '1'
          memory: 1Gi

My production pod yaml looks very similar to this:

https://github.com/HariSekhon/Kubernetes-configs/blob/master/jenkins/base/jenkins-agent-pod.yaml

What you expected to happen:

I expected the cat command to succeed and keep the container alive so that Jenkins could exec into it to run a scan.

How to reproduce it (as minimally and precisely as possible):

$ docker run -ti --entrypoint cat anchore/grype 
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "cat": executable file not found in $PATH: unknown.

Anything else we need to know?:

Environment:

  • Output of grype version:
  • OS (e.g: cat /etc/os-release or similar):
$ docker run -ti anchore/grype version
Application:          grype
Version:              0.61.1
Syft Version:         v0.79.0
BuildDate:            2023-04-21T17:11:07Z
GitCommit:            3caabc87114a3e0cbfbac7770989bc81e2f5a957
GitDescription:       v0.61.1
Platform:             linux/amd64
GoVersion:            go1.19.8
Compiler:             gc
Supported DB Schema:  5
@HariSekhon HariSekhon added the bug Something isn't working label May 11, 2023
@HariSekhon
Author

I've worked around this by just downloading Grype on each Jenkins CI/CD pipeline run as per:

https://github.com/HariSekhon/Jenkins/blob/master/vars/downloadGrype.groovy

and then running it:

https://github.com/HariSekhon/Jenkins/blob/master/vars/grype.groovy

@tgerla
Contributor

tgerla commented May 18, 2023

Hi @HariSekhon, thanks for the question. For Syft (not Grype, yet), we are building some separate container images tagged "-debug" that include tools like cat. We could probably do the same thing with the Grype images. We'll put this in the backlog.

If you'd like to take a look and maybe submit a pull request on the Grype side, here is the patch that adds the -debug images for Syft which should be pretty easy to adapt for Grype: anchore/syft#1106 -- feel free to join our Slack if you want to take this on, and we can help. (https://get.anchore.com/join-anchore-community/)

@tgerla tgerla added the good-first-issue Good for newcomers label May 18, 2023
@spiffcs
Contributor

spiffcs commented Jun 8, 2023

👋 @HariSekhon

Grype provides this functionality where we have debug images released with the shell enabled:
https://github.com/anchore/grype/blob/main/Dockerfile.debug

Let me know if this image works for you. Here are some commands that show the shell is available:

docker run --name grypeTest -d -i -t docker.io/anchore/grype:v0.62.3-debug /bin/busybox
docker exec -it grypeTest sh
/tmp # _

Closing this issue for now given there is an image that exists:

anchore/grype:debug

If you need help or the shell is still incompatible when supplying that image to your yaml, let me know and I can reopen and take a more in-depth look =)
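Applying the resolution to the Jenkins agent pod spec from the opening post, as an added example that is not from the thread or from the Grype project: the sidecar switches to the `-debug` image and runs `cat` through the busybox multicall binary shown in the `docker run` line above, because the stock image has no `cat` in `$PATH`. The pinned tag is taken from that same line, and the `securityContext` and resource values are assumptions for illustration.

```yaml
# Jenkins agent sidecar for Grype (added example, not the thread author's or project's yaml).
# The stock anchore/grype image is distroless and has no shell or coreutils, so
# `command: [cat]` fails at container start. The -debug variant ships busybox.
- name: grype
  # Pin an explicit -debug tag (the one shown in the thread) rather than the floating
  # :debug or :latest tags, so scanner upgrades are deliberate and reviewable.
  image: docker.io/anchore/grype:v0.62.3-debug
  imagePullPolicy: IfNotPresent
  # Invoke the cat applet via the multicall binary; this works even if the image
  # does not place a `cat` symlink on $PATH. `tty: true` keeps stdin open so cat
  # blocks and the container stays alive for `docker exec` / Jenkins container().
  command:
    - /bin/busybox
    - cat
  tty: true
  env:
    - name: DOCKER_HOST
      value: tcp://localhost:2375  # XXX: needs the docker dind container near the top
  # Assumed hardening: the scanner needs no extra privileges to read images.
  securityContext:
    allowPrivilegeEscalation: false
    runAsNonRoot: true
  resources:
    requests:
      cpu: 300m
      memory: 300Mi
    limits:
      cpu: '1'
      memory: 1Gi
```

Jenkins pipeline steps that `sh` into this container also depend on the debug image, since `container('grype') { sh '...' }` needs a `/bin/sh` to exist.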

@spiffcs spiffcs closed this as completed Jun 8, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Jun 21, 2023