aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

feat(oci): add support OCI tarballs #5775

Open DmitriyLewen opened 9 months ago

DmitriyLewen commented 9 months ago

Description

Buildx supports creating OCI images: https://docs.docker.com/build/exporters/oci-docker/. By default, images are compressed into tar archives. So we need to add support for scanning OCI tar images.

Discussed in https://github.com/aquasecurity/trivy/discussions/5135

knqyf263 commented 9 months ago

I'm not sure we want to add support for it. Users just need untar.
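The "just untar" workaround above, written out as an added shell example (this is not Trivy project code): it builds a constructed, minimal OCI image layout tarball so it runs offline, extracts it the way one would extract a buildx `type=oci` export, checks that the directory has the `oci-layout`, `index.json` and `blobs/sha256/` entries an OCI layout must contain, and then hands the directory to `trivy image --input` if trivy is on the PATH. The blob digest in the sample is a labelled placeholder, not a real hash, and the script does not verify content digests; the assumption that trivy accepts an OCI layout directory via `--input` is what the comment implies.

```shell
#!/bin/sh
# Added example, not from the Trivy project: emulate the "just untar" workaround for
# a buildx OCI tarball (--output type=oci,dest=image.oci) and sanity-check the
# extracted directory before scanning it.
set -eu

# Build a constructed, minimal OCI image layout tarball so the script runs offline.
# Real buildx output has the same top-level shape: oci-layout, index.json, blobs/sha256/.
make_sample_oci_tar() {
    out="$1"
    work=$(mktemp -d)
    mkdir -p "$work/blobs/sha256"
    printf '{"imageLayoutVersion":"1.0.0"}' > "$work/oci-layout"
    # Constructed placeholder digest; it is NOT the sha256 of the blob content.
    fake_digest=0000000000000000000000000000000000000000000000000000000000000000
    printf '{"schemaVersion":2,"layers":[]}' > "$work/blobs/sha256/$fake_digest"
    cat > "$work/index.json" <<EOF
{"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:$fake_digest","size":31}]}
EOF
    tar -cf "$out" -C "$work" oci-layout index.json blobs
    rm -rf "$work"
}

# Extract the tarball into a directory and verify it looks like an OCI image layout.
# Prints the directory path on success, returns non-zero otherwise.
extract_oci_tarball() {
    tarball="$1"
    dest="$2"
    mkdir -p "$dest"
    tar -xf "$tarball" -C "$dest"
    [ -f "$dest/oci-layout" ]   || { echo "missing oci-layout" >&2; return 1; }
    [ -f "$dest/index.json" ]   || { echo "missing index.json" >&2; return 1; }
    [ -d "$dest/blobs/sha256" ] || { echo "missing blobs/sha256" >&2; return 1; }
    echo "$dest"
}

# Count the manifests referenced by index.json (a multi-platform buildx export
# lists several). grep is used so the example has no jq dependency.
count_manifests() {
    grep -o '"digest":"sha256:[0-9a-f]\{64\}"' "$1/index.json" | wc -l | tr -d ' '
}

# Check that every digest referenced from index.json has a blob file on disk.
# This only checks presence; content digests are not recomputed here.
verify_blobs_present() {
    dir="$1"
    for d in $(grep -o 'sha256:[0-9a-f]\{64\}' "$dir/index.json" | cut -d: -f2); do
        [ -f "$dir/blobs/sha256/$d" ] || { echo "missing blob $d" >&2; return 1; }
    done
    return 0
}

# Scan the extracted layout with trivy when it is installed (assumed invocation:
# trivy image --input <oci-layout-dir>); otherwise just report what would run.
scan_with_trivy() {
    if command -v trivy >/dev/null 2>&1; then
        trivy image --input "$1"
    else
        echo "trivy not installed; would run: trivy image --input $1" >&2
    fi
}

# Demo run on the constructed tarball.
tmp=$(mktemp -d)
make_sample_oci_tar "$tmp/image.oci"
layout_dir=$(extract_oci_tarball "$tmp/image.oci" "$tmp/image")
verify_blobs_present "$layout_dir"
echo "manifests referenced: $(count_manifests "$layout_dir")"
scan_with_trivy "$layout_dir"
```

In a CI job the same steps apply to the real export: extract `image.oci` into a scratch directory, run the layout checks so a truncated or partial upload fails early with a clear message, then scan the directory.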

jemag commented 9 months ago

I think this would be nice to have given that this is the default output and that thousands might be using it with Trivy in their CI/CD pipelines.

It might also avoid bug reports in the future, since the current pre-buildkit v0.12.x was working, and it will stop working as users migrate to v0.12.x+ without OCI tarball support.

fiskhest commented 2 months ago

Just ran into this when trying to hook up a remote buildkit setup with trivy inside CI/CD. For reasons, I cannot use the local docker.sock nor do I want to land at a registry before running trivy. Annoying, when many other popular tools default to the opposite behavior (in my case docker buildx bake "--set=*.output=type=oci,dest=image.oci" through a remote builder instance)