Scanning Ubuntu Chiseled Images Now Supported #4739
-
Hi @mthalman It is an essential addition, particularly for us. I have thoroughly tested the Ubuntu Chiseled images in our test environment, and it seems that the SBOM functionality is working flawlessly. The results far surpass those of the regular jammy images, making a significant improvement. Thank you once again for your efforts. Image: mcr.microsoft.com/dotnet/nightly/aspnet:7.0-jammy-chiseled-amd64
-
Hi @mthalman The outputs look to be really good. Even better to see the runtime-deps image have just the 7 packages in my SBOM output! Great work getting it so small.
-
Indeed! Great to see that we could now look at the details of the packages with syft mcr.microsoft.com/dotnet/runtime-deps:8.0-jammy-chiseled
Thanks for that!
-
Scanning Ubuntu Chiseled Images Now Supported
We've worked with our partners at Canonical to provide a scanning solution for Ubuntu Chiseled images. Scanning support is the last step before fully supporting Ubuntu Chiseled images in production.
Scanning tools typically examine Linux package databases located in the container file system in order to determine which packages are installed. These tools didn't work for Ubuntu Chiseled images because the package databases were removed as part of the chiseling process.
Our solution generates a dpkg status file that's stored in the image. This file is a common format known by scanning tools and describes the packages (technically, they're slices) that are installed.
We've published updated Chiseled images that support scanning:
mcr.microsoft.com/dotnet/<image-type>:8.0-preview-jammy-chiseled
mcr.microsoft.com/dotnet/nightly/<image-type>:6.0-jammy-chiseled
mcr.microsoft.com/dotnet/nightly/<image-type>:7.0-jammy-chiseled
Note: These images are intended for testing. We'll publish an announcement when the Ubuntu Chiseled images are supported in production.
We understand that auditing container images is an important prerequisite to consuming these images. Installed package information is necessary for vulnerability scanning and SBOM production. Please try out these images and scan them with your favorite tool and let us know your results.
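The announcement says scanners work out what is installed by reading a dpkg status file. The following is an added example, not code from the post or from any scanning tool, showing how that file format is read; the sample text, package versions and function names are constructed for illustration.

```python
# Added example: reader for the dpkg "status" control-file format.
# SAMPLE_STATUS is constructed for illustration, not copied from any image.
SAMPLE_STATUS = """\
Package: base-files
Status: install ok installed
Version: 0.0.0-constructed1
Description: constructed sample entry
 continuation line belonging to Description
 .
 second paragraph of the description

Package: libc6
Status: install ok installed
Version: 0.0.0-constructed2

Package: removed-pkg
Status: deinstall ok config-files
Version: 0.0.0-constructed3
"""


def parse_stanzas(text):
    """Split status-file text into dicts, one per blank-line-separated stanza."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                  # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t":                # continuation of previous field
            if last_key is not None:
                current[last_key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:                               # file had no trailing blank line
        stanzas.append(current)
    return stanzas


def installed_packages(text):
    """Return (name, version) for entries whose last Status word is 'installed'."""
    return [
        (s["Package"], s.get("Version", ""))
        for s in parse_stanzas(text)
        if "Package" in s and s.get("Status", "").split()[-1:] == ["installed"]
    ]
```

An image with no status file gives this kind of reader nothing to parse, which is why scanners reported no packages for the earlier Chiseled images.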