Azure / acr

Azure Container Registry samples, troubleshooting tips and references
https://aka.ms/acr

Allow creation of SBOM in ACR by using 'docker sbom' #726

Open davidguidali opened 6 months ago

davidguidali commented 6 months ago

What is the problem you're trying to solve

We use ACR to build our images in our CI pipeline. Additionally, we want to generate SBOM files. We tried to execute the following command:

az acr run --registry myregistry --cmd 'docker sbom myimage' /dev/null

However, we get an error:

2023/12/19 15:18:53 Executing step ID: acb_step_0. Timeout(sec): 600, Working directory: '', Network: 'acb_default_network'
2023/12/19 15:18:53 Launching container with name: acb_step_0
/usr/local/bin/docker-entrypoint.sh: line 20: exec: sbom: not found

Describe the solution you'd like

It would be nice to be able to create SBOM from images in the ACR without the need to pull them.

Additional context

Other commands like 'docker inspect' work flawlessly.

pwalecha commented 6 months ago

@davidguidali, can you try the CLI command below? You can refer to other SBOM generation CLI tools like Trivy as well; the given example is for Syft, which is also used by Docker for now, per their documentation.

az acr run --registry --cmd 'docker.io/anchore/syft myimage' /dev/null

davidguidali commented 6 months ago


Cool thanks, that works! I did:

az acr run --registry myregistry --cmd 'docker.io/anchore/syft myregistry/myimage -o cyclonedx-json' /dev/null

However, I'm a little bit confused: how does the syft container know about 'myimage'? Does it pull it? And if so, how does it get the credentials to pull it?

pwalecha commented 6 months ago


The Syft image is pulled within the container after the registry login succeeds. Then, the ACR task uses the downloaded Syft CLI to execute the command over the authenticated registry's referred image.

davidguidali commented 6 months ago

Yeah, I got this part, but doesn't the Syft CLI run within the Syft container? So how does this syft container know about the ACR? I mean, if I am within a container, usually I don't know anything about the environment it's running on, so is configuration somehow magically mounted into the Syft container? So how does the syft CLI within the container know the credentials of the ACR?

sajayantony commented 6 months ago

Maybe @northtyphoon or @juliusl know more. But it might be because the syft CLI is able to pick up the docker creds from the home mount - https://github.com/Azure/acr-builder/blob/18cda98fd073203ca070835bc04e4672eef31ee0/builder/context.go#L91C11-L91C11

yizha1 commented 6 months ago

@davidguidali Do you still have questions on this issue? I would like to understand more about your scenarios. Feel free to contact me by mail at yizha1@microsoft.com if you want to have further discussions.

davidguidali commented 6 months ago


Hi @yizha1, thanks. I'm still not 100% sure how the syft CLI is able to access the docker CLI from within the container without explicitly mounting some sockets etc. (or using docker in docker), or does the syft CLI not need to access docker explicitly to scan images? However, since my solution works, these questions are based more on my personal curiosity and are not that important. :)

For the scenario: We have a CI/CD pipeline in GitLab where we use multiple Linux runners to build our code, run tests etc. However, none of these runners have docker installed. Instead, we build our images using az acr build. Now we want to create SBOM files for our images and upload them to our instance of Dependency Track. However, we tried to find a solution where we don't need to install Docker or Syft on our agents, so we thought it would be nice to just be able to create the SBOM files by using the ACR capabilities. We solved it now by calling az acr run --registry myregistry --cmd 'docker.io/anchore/syft myregistry/myimage -o cyclonedx-json' /dev/null, parsing the resulting output, extracting the SBOM JSON and storing it as a file. Works like a charm so far.
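One way to do the "parse the output, extract the SBOM JSON, store it as a file" step described above, as an added example that is neither the commenter's script nor ACR project code. It assumes the task log has the shape shown earlier in this thread (timestamped acb lines around the step's own stdout) and that the extractor, `extract_sbom`, and the sample log are constructed here; `run_sbom_task` is the real invocation and is only defined, not executed.

```shell
# Keep only the JSON object that syft writes inside an `az acr run` task log,
# which is interleaved with the task's own timestamped lines. Braces are
# counted per line, so it works whether syft pretty-prints the document or
# emits it on one line. Assumption: no brace characters inside JSON strings.
extract_sbom() {
  awk '
    BEGIN { depth = 0; started = 0 }
    {
      # Skip the timestamped task-log lines until the JSON object opens.
      if (!started && substr($0, 1, 1) != "{") next
      started = 1
      print
      line = $0
      depth += gsub(/\{/, "{", line)   # gsub returns the number of matches
      depth -= gsub(/\}/, "}", line)
      if (depth == 0) exit              # top-level object closed: stop here
    }'
}

# Real invocation (needs the az CLI and registry access; not run by the sample):
# the task output is piped through the extractor and only the SBOM is kept.
# The scanner container receives the task's docker socket and registry
# credentials (see the thread), so pinning its image by digest is advisable.
run_sbom_task() {
  registry="$1"; image="$2"; out="$3"
  az acr run --registry "$registry" \
    --cmd "docker.io/anchore/syft $registry/$image -o cyclonedx-json" /dev/null \
    | extract_sbom > "$out"
}

# Constructed sample task log with the shape shown in this thread.
sample_log() {
cat <<'EOF'
2023/12/19 15:18:53 Launching container with name: acb_step_0
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    { "type": "library", "name": "openssl", "version": "3.0.2" }
  ]
}
2023/12/19 15:19:10 Successfully executed container: acb_step_0
Run ID: ca1 was successful after 20s
EOF
}

# Number of lines in the extracted document (7 for the sample above).
sample_sbom_lines() {
  sample_log | extract_sbom | wc -l | tr -d ' '
}
```

Usage: `run_sbom_task myregistry myimage myimage.cdx.json` writes the CycloneDX file that can then be uploaded to Dependency-Track.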

northtyphoon commented 6 months ago

The containers launched in cmd (e.g., docker.io/anchore/syft in your case: --cmd 'docker.io/anchore/syft myregistry/myimage -o cyclonedx-json') automatically have the docker daemon socket mounted.

yizha1 commented 5 months ago

@davidguidali Did the previous comment answer your question? Feel free to drop me a mail if you would like to discuss more about SBOM and other secure supply chain related artifacts or solutions. Here is the Containers Secure Supply Chain Framework document you may be interested in. Thanks.

davidguidali commented 5 months ago


Yes, thanks, everything is clear now. However, it would be useful to use "docker sbom" directly, so I guess the feature request stays valid.