
Scan images in Kubernetes manifest(s) #2729

Open
MPV opened this issue Mar 21, 2024 · 3 comments
Labels
enhancement New feature or request

Comments


MPV commented Mar 21, 2024

What would you like to be added:

I’d like to be able to point Syft towards a file/folder of Kubernetes manifests and get results (CVEs etc.) for the image(s) referred to in those manifests.

Why is this needed:

To make use of Syft for things I’m not building myself but still using. Also, to not run the scan at runtime but shift left, so I can see CVE differences etc. in my PRs, Dependabot alerts, etc.

Additional context:

@MPV MPV added the enhancement New feature or request label Mar 21, 2024

tgerla commented Mar 21, 2024

Hi @MPV, thanks for the suggestion. Usually Syft only scans one image at a time and produces an SBOM for a particular image, as opposed to a set of images. Would it work for your use case if there was a higher-level script that extracted a list of images referred to in a Kubernetes manifest and then looped over each one with Syft to create a set of SBOMs?


MPV commented Mar 21, 2024

> Hi @MPV, thanks for the suggestion. Usually Syft only scans one image at a time and produces an SBOM for a particular image, as opposed to a set of images. Would it work for your use case if there was a higher-level script that extracted a list of images referred to in a Kubernetes manifest and then looped over each one with Syft to create a set of SBOMs?

@tgerla Yeah that also makes sense. I guess either solution also needs to be good (enough) at finding the image(s) from manifest(s).

Maybe there's something that's already good at that (and thus can just be combined with this), any ideas...? 🤔


tgerla commented Mar 22, 2024

I thought the easiest way might be with a jq query on the JSON version of the Kubernetes manifest. Here is a prototype bash script that you might start with: https://gist.github.com/tgerla/3065156018f697e0040e80bee8fe7daf

I've only tested this on one single manifest (below the script in the gist) and I'm not really familiar with the manifest format, but this might be a good start! There might be a more "kubernetes-style" way to do this. Hope it is useful!
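
A runnable sketch of the list-images-then-loop approach described above, added here as an example (it is not the linked gist and not part of Syft): it pulls `image:` values straight out of YAML with sed instead of running jq on a JSON conversion, so there is no conversion step. The `extract_images` / `scan_manifests` function names, the `OUT_DIR` and `SCAN` variables and the sample manifest are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the gist from the issue and not part of Syft.
# Lists the container images referenced in Kubernetes YAML manifests and
# runs syft over each one. Assumption: images sit under the standard
# `image:` key (containers, initContainers, CronJob templates). Images in
# Helm templates, CRD-specific fields or env vars are NOT found, and an
# `image:` key inside ConfigMap data would be a false positive.

# Print the unique image references found under `image:` keys in FILES.
extract_images() {
    # keep only what follows `image:` (a leading `- ` is tolerated),
    # then drop trailing comments/whitespace, YAML quotes and empty values
    sed -n 's/^[[:space:]]*-*[[:space:]]*image:[[:space:]]*//p' "$@" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' |
        tr -d "\"'" |
        grep -v '^$' |
        sort -u
}

# Scan each image in FILES with syft, one SPDX JSON SBOM per image in
# $OUT_DIR (default ./sboms); the image ref is sanitised for the file name.
scan_manifests() {
    out_dir=${OUT_DIR:-sboms}
    mkdir -p "$out_dir"
    extract_images "$@" | while IFS= read -r img; do
        name=$(printf '%s' "$img" | tr '/:@' '___')
        echo "scanning $img"
        syft "$img" -o spdx-json > "$out_dir/$name.spdx.json"
    done
}

# Constructed sample manifest (not a real workload) used by the demo below.
write_sample_manifest() {
    cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: "busybox:1.36"   # quoted value
      containers:
        - name: web
          image: nginx:1.25
          imagePullPolicy: IfNotPresent   # must not match
        - image: nginx:1.25              # duplicate, listed once
EOF
}

sample=$(mktemp)
write_sample_manifest "$sample"
extract_images "$sample"                        # busybox:1.36, nginx:1.25
[ "${SCAN:-0}" = 1 ] && scan_manifests "$sample"  # SCAN=1 to invoke syft
rm -f "$sample"
```

Run `scan_manifests deploy/*.yaml` against real manifests; as the thread notes, the hard part is finding every image, so check the extracted list against what actually gets deployed before trusting the SBOM set.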
