Add OCI support + use URI schemes #160
Conversation
Review comment on these README lines:

> The output format for Grype is configurable as well:
> ```
> grype <image> -o json
> grype <image> -o <format>
> ```
this is a great way to format the help
Review comment on these README lines:

> ```
> # scan a directory
> grype dir://path/to/dir
> grype path/to/dir
> ```
I understand this has probably been discussed a lot, but I thought these changes were to put some order in the usage of schemes, not generalize them to be able to infer the destination. Specifically this line in this PR's subject:

> TL;DR is `://` is being replaced with `:` to fall in line with the URI RFC.

Automatically inferring is going to be problematic for integrations because it was the way to detect what the source type is (dir, tar, docker, etc.). If grype allows these inputs, then the integrations need to enforce a constraint, by either not allowing this free-styling of input, or separating input in the form of configuration.

That would mean that instead of these:

```yaml
- name: Run directory Scan Action
  uses: anchore/scan-action@v1
  with:
    source: "dir://tests/python"
- name: Run Image Scan Action
  uses: anchore/scan-action@v1
  with:
    source: "alpine:3.12"
```

The action would require prefixing the scheme or separating the options like this:

```yaml
- name: Run directory Scan Action
  uses: anchore/scan-action@v1
  with:
    dir-source: "tests/python"
- name: Run Image Scan Action
  uses: anchore/scan-action@v1
  with:
    img-source: "alpine:3.12"
```
What prevents grype from inferring from generic input? That is, what prevents this:

```yaml
- name: Run directory Scan Action
  uses: anchore/scan-action@v1
  with:
    source: "tests/python"
- name: Run Image Scan Action
  uses: anchore/scan-action@v1
  with:
    source: "alpine:3.12"
```

or more explicitly from the user:

```yaml
- name: Run directory Scan Action
  uses: anchore/scan-action@v1
  with:
    source: "dir:tests/python"
- name: Run Image Scan Action
  uses: anchore/scan-action@v1
  with:
    source: "docker:alpine:3.12"
```

Which would be the same as grype options:

```
grype docker:alpine:3.12
grype alpine:3.12
grype dir:tests/python
grype tests/python
```

Is there something in particular with the integration that it requires knowledge of the source type?
It isn't that there is something that prevents it. But the integration must know if the source is a path or an image for reporting.

Using `dir://` explicitly, as is the current state, works well. The free-form input doesn't allow understanding what the integration is dealing with.
I think that implicit input from a user is OK here, as the user does not need to understand explicit schemes. Also this does not block extensions from enforcing explicit usage of schemes (either by prepending strings, string validation, or otherwise). I think your comments are quite notable, but mostly impact the integration implementation, not the CLI surface area on grype meant for the user.
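As an added illustration of the two behaviours debated in this thread (this is example code, not grype's or stereoscope's implementation): a parser that follows the `scheme:location` convention, falls back to inference when no scheme is given, and a stricter integration-side variant that rejects inputs without an explicit scheme. Only `dir:` and `docker:` appear in the discussion; the `docker-archive`, `oci-dir` and `oci-archive` names, the `ParseSource`/`ParseSourceStrict` functions and the injected `isDir` predicate are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"sort"
	"strings"
)

// SourceKind names the transport an input string resolves to.
type SourceKind string

// Scheme names: "dir" and "docker" come from the discussion; the archive and
// OCI names are assumed for illustration and are not taken from the PR.
const (
	KindDir       SourceKind = "dir"
	KindDocker    SourceKind = "docker"
	KindDockerTar SourceKind = "docker-archive"
	KindOCIDir    SourceKind = "oci-dir"
	KindOCITar    SourceKind = "oci-archive"
)

var knownSchemes = map[string]SourceKind{
	"dir": KindDir, "docker": KindDocker, "docker-archive": KindDockerTar,
	"oci-dir": KindOCIDir, "oci-archive": KindOCITar,
}

// Source is the parsed result; Explicit records whether the caller named the scheme.
type Source struct {
	Kind     SourceKind
	Location string
	Explicit bool
}

// ParseSource follows the "scheme:location" convention. isDir is injected so
// the inference step can be exercised without touching a real filesystem.
func ParseSource(input string, isDir func(string) bool) (Source, error) {
	if input == "" {
		return Source{}, errors.New("empty source")
	}
	// Split at the first ':' only, so "docker:alpine:3.12" keeps its tag.
	if i := strings.Index(input, ":"); i > 0 {
		if kind, ok := knownSchemes[input[:i]]; ok {
			loc := input[i+1:]
			if loc == "" {
				return Source{}, fmt.Errorf("scheme %q given without a location", input[:i])
			}
			return Source{Kind: kind, Location: loc, Explicit: true}, nil
		}
	}
	// No recognised scheme: infer. An existing directory wins; anything else
	// is treated as an image reference such as "alpine:3.12".
	if isDir(input) {
		return Source{Kind: KindDir, Location: input}, nil
	}
	return Source{Kind: KindDocker, Location: input}, nil
}

// ParseSourceStrict is the integration-side check: the caller must name the
// scheme, so the reported source type never depends on host filesystem state.
func ParseSourceStrict(input string) (Source, error) {
	s, err := ParseSource(input, func(string) bool { return false })
	if err != nil {
		return Source{}, err
	}
	if !s.Explicit {
		return Source{}, fmt.Errorf("source %q has no explicit scheme; expected one of %s",
			input, strings.Join(schemeNames(), ", "))
	}
	return s, nil
}

// schemeNames lists the accepted prefixes in a stable order for error messages.
func schemeNames() []string {
	names := make([]string, 0, len(knownSchemes))
	for n := range knownSchemes {
		names = append(names, n+":")
	}
	sort.Strings(names)
	return names
}

// fsIsDir is the real inference predicate a CLI would use.
func fsIsDir(p string) bool {
	st, err := os.Stat(p)
	return err == nil && st.IsDir()
}

func main() {
	for _, in := range []string{"docker:alpine:3.12", "alpine:3.12", "dir:tests/python", "tests/python", "oci-dir:./image"} {
		s, err := ParseSource(in, fsIsDir)
		fmt.Printf("cli    %-20s -> %+v %v\n", in, s, err)
		s, err = ParseSourceStrict(in)
		fmt.Printf("strict %-20s -> %+v %v\n", in, s, err)
	}
}
```

The point the thread circles around falls out of the inference branch: the same string `tests/python` resolves to a directory on a host where that directory exists and to an image reference anywhere else, so a report built on the inferred kind is host-dependent. An integration that must state what it scanned keeps the CLI's convenience for users and applies the strict variant on its own input, which is the split the last comment above describes.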
Signed-off-by: Alex Goodman <[email protected]>
Adds the ability to scan OCI images from tar archive or directory:
Also hinted in the example above, this PR incorporates changing the URL approach for specifying the source transport to a URI oriented approach (see anchore/stereoscope#41 PR description for more details). TL;DR is `://` is being replaced with `:` to fall in line with the URI RFC.

Lastly, migrates to using the stereoscope fixture utils instead of the functions from go-testutils.

Closes #157