Container Images

Scanning a Container from a Public Registry or Private Registry

Example 1: Valhalla Image

Container URL: ghcr.io/gis-ops/docker-valhalla/valhalla

This is the image used in the examples below. It may not be the exact tag you are using; these examples simply use the latest run image:

valhalla/valhalla:run-latest

Here is a sample command:

manifest-cli sbom valhalla/valhalla:run-latest -f valhallanew -n "Valhalla Image" --publish -k $your_api_token_key

Note: Make sure you include the tag in the container image name. Setting the image name as below will not work for this image:

manifest-cli sbom valhalla:valhalla

Note: To automatically upload the SBOM to the Manifest Platform, add the following flag to any Manifest-CLI Command:

--publish -k $your_api_token_key

Example 2: PostGIS Alpine 17 Image

Container Image:
postgis/postgis:17-3.5-alpine

Here is a sample command with the Manifest-CLI:

manifest-cli sbom postgis/postgis:17-3.5-alpine -f postgisalpine17image -n postgisalpine17image --publish -k $your_api_token_key

If you are on an ARM or Apple Silicon computer:

manifest-cli sbom postgis/postgis:17-3.5-alpine -f postgisalpinesyft -n postgisalpinesyft -- --platform=linux/amd64 --publish -k $your_api_token_key

Explanations:

  • -f sets the file name of the SBOM written locally
  • -n sets the name of the SBOM that will show up in the UI
  • "--" passes everything after it through to the underlying SBOM generator as extra arguments. This example was run on an ARM machine, where the generator would not pull this image until --platform=linux/amd64 was passed through to it.

Scanning a container from the container archive

To get an example tar file, run the following docker commands:

docker pull valhalla/valhalla:run-latest
docker save valhalla/valhalla:run-latest -o valhalladockersave

This saves a tar archive of the image to the current directory. You can then run the following command on that file.

Sample Manifest-CLI Command:

manifest-cli sbom valhalladockersave -f containerfromtar_sbom.json -n "Image from Tar: Valhalla" --publish -k $your_api_token_key

Note: The command works even when the file has no .tar extension; pass the file name exactly as it was saved.
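Because the extension tells you nothing, it is worth checking the content of a file before handing it to manifest-cli. The following is an added example, not part of the Manifest documentation: it checks that a file really is a classic docker save archive (a tar with a top-level manifest.json listing Config, RepoTags and Layers for each image) and reads back the tags the SBOM will be recorded against, without extracting any layers. The sample archive it builds is constructed for the demonstration, with made-up tags and placeholder config and layer contents.

```shell
#!/usr/bin/env bash
# Added example (not from the Manifest docs): validate a `docker save` archive
# and list the image tags it carries before running `manifest-cli sbom` on it.
# Assumes the classic docker save layout: a tar whose top level holds
# manifest.json, one config JSON per image, and one directory per layer.
set -eu

# 0 if the file is a tar with a top-level manifest.json, non-zero otherwise.
# A non-tar file makes tar fail, so grep sees no input and returns 1.
is_docker_archive() {
  local archive="$1"
  [ -f "$archive" ] || return 1
  tar -tf "$archive" 2>/dev/null | grep -x 'manifest.json' >/dev/null
}

# Print every RepoTag recorded in manifest.json, one per line. Only manifest.json
# is read (tar -O streams it to stdout); untagged images ("RepoTags":null) add nothing.
archive_repo_tags() {
  local archive="$1"
  tar -xOf "$archive" manifest.json \
    | { grep -o '"RepoTags":\[[^]]*]' || true; } \
    | sed 's/^"RepoTags":\[//; s/]$//' \
    | tr ',' '\n' \
    | tr -d '"' \
    | sed '/^$/d'
}

# Number of images in the archive: one Config entry per image in the JSON array.
archive_image_count() {
  local archive="$1"
  tar -xOf "$archive" manifest.json | { grep -o '"Config":' || true; } | wc -l | tr -d ' '
}

# Constructed sample: a minimal archive in docker save layout. The tags are
# made up and the config/layer payloads are placeholders, not a real image.
make_sample_archive() {
  local out="$1" work
  work="$(mktemp -d)"
  mkdir -p "$work/layer1"
  printf '{}' > "$work/abc123.json"
  printf 'placeholder' > "$work/layer1/layer.tar"
  printf '%s' '[{"Config":"abc123.json","RepoTags":["valhalla/valhalla:run-latest","example.internal/valhalla:ci-42"],"Layers":["layer1/layer.tar"]}]' \
    > "$work/manifest.json"
  tar -cf "$out" -C "$work" manifest.json abc123.json layer1/layer.tar
  rm -rf "$work"
}

# Demonstration: the constructed archive passes; a plain text file does not.
SAMPLE="$(mktemp)"; make_sample_archive "$SAMPLE"
PLAIN="$(mktemp)";  printf 'not an archive at all' > "$PLAIN"
if is_docker_archive "$SAMPLE"; then
  echo "docker archive with $(archive_image_count "$SAMPLE") image(s), tags:"
  archive_repo_tags "$SAMPLE"
fi
is_docker_archive "$PLAIN" || echo "refusing to scan $PLAIN: not a docker save archive"
```

Run the check first, then hand the archive to manifest-cli sbom as shown above. The tag list is also a good source for the -n name: an archive can hold several images, and the SBOM name should say which ones it covers.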

You might also be scanning a container from a SquashFS archive. Please see the Manifest SquashFS documentation for instructions on scanning that.

Scanning a container during a build process with pushing to ECR as an example

When you push images to ECR from source, you generally use a build script that builds the image and then pushes it to ECR. Generate the SBOM for the container right after the build command, before the push, so that every image that reaches the registry already has its SBOM in Manifest.

Here is an example Dockerfile that uses the valhalla image as its base:

# Pull the base image
FROM valhalla/valhalla:run-latest

# Let's show we actually modified the container
RUN echo "Built on top of valhalla base" > /manifest-test.txt

Here is an example build script that will do the following:

  1. Set variables
  2. Build the docker image
  3. Generate an SBOM that automatically gets sent to the Manifest Platform

#!/bin/bash

set -e

# Set values
# your_api_token_key="your_api_key"  # Example only. Avoid hardcoding secrets; pass the token in from the environment or a secrets store.
IMAGE_TAG="test_image"
DOCKERFILE="Dockerfile"

# Build the image
echo "Building Image: $IMAGE_TAG"
docker build -f "$DOCKERFILE" -t "$IMAGE_TAG" .
echo "Completed $IMAGE_TAG Image Build"

# Generate the SBOM. docker build with a bare name tags the image as ${IMAGE_TAG}:latest,
# and manifest-cli needs that explicit tag in the image reference.
echo "Generating the SBOM"
manifest-cli sbom "${IMAGE_TAG}:latest" -f "buildscript_${IMAGE_TAG}_latest" -n "buildscript_${IMAGE_TAG}_latest" --publish -k "$your_api_token_key"

Run the script and the SBOM automatically shows up in Manifest. The ECR login and push steps would follow the SBOM step in a real pipeline.
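The script above stops at the SBOM; in a pipeline the image still has to be pushed, and the token should never be a literal in the script. The following is an added example, not part of the Manifest documentation: a build script that checks its inputs, builds the image, generates and publishes the SBOM, and only then logs in to ECR and pushes. It also carries two small helpers for the points made earlier on this page: one that appends :latest when an image reference has no tag (manifest-cli needs the tag), and one that turns a full registry reference into a safe -f/-n name. Assumed names: MANIFEST_API_TOKEN, ECR_REGISTRY, ECR_REPO and AWS_REGION are environment variables you supply, and IMAGE_TAG defaults to the short git commit hash; RUN_PIPELINE=1 is a guard so that sourcing the file only defines the functions. The manifest-cli flags are the ones shown on this page; the aws ecr get-login-password / docker login / docker push commands are the standard ECR push sequence.

```shell
#!/usr/bin/env bash
# Added example (not from the Manifest docs): build, SBOM, then push to ECR.
# Assumptions: the Manifest API token arrives in MANIFEST_API_TOKEN; ECR_REGISTRY
# (e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com), ECR_REPO (e.g. team/app)
# and AWS_REGION name a repository you can push to. All of these are placeholders.
set -eu

# Fail fast with a clear message when a required variable is missing or empty.
require_env() {
  local name="$1" value
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "error: $name is not set" >&2
    return 1
  fi
}

# manifest-cli needs an explicit tag on the image reference. Append :latest when the
# last path component carries neither a :tag nor an @sha256:digest. Checking only the
# last component keeps registry ports (localhost:5000/app) from being mistaken for a tag.
with_tag() {
  local ref="$1"
  case "${ref##*/}" in
    *:*) printf '%s\n' "$ref" ;;
    *)   printf '%s:latest\n' "$ref" ;;
  esac
}

# Derive a filesystem-safe name for -f and -n from a full image reference:
# slashes, colons and @ become underscores, so the name still identifies the image.
sbom_name() {
  printf '%s\n' "$1" | tr '/:@' '___'
}

pipeline() {
  require_env MANIFEST_API_TOKEN
  require_env ECR_REGISTRY
  require_env ECR_REPO
  require_env AWS_REGION

  local tag local_ref remote_ref name
  tag="${IMAGE_TAG:-$(git rev-parse --short HEAD)}"   # commit-derived tag by default
  local_ref="$(with_tag "${ECR_REPO}:${tag}")"
  remote_ref="${ECR_REGISTRY}/${local_ref}"
  name="$(sbom_name "$remote_ref")"

  echo "Building $local_ref"
  docker build -f "${DOCKERFILE:-Dockerfile}" -t "$local_ref" .

  # SBOM straight after the build, before the image leaves the build host.
  echo "Generating SBOM $name"
  manifest-cli sbom "$local_ref" -f "$name" -n "$name" --publish -k "$MANIFEST_API_TOKEN"

  # Push only once the SBOM has been published.
  aws ecr get-login-password --region "$AWS_REGION" \
    | docker login --username AWS --password-stdin "$ECR_REGISTRY"
  docker tag "$local_ref" "$remote_ref"
  docker push "$remote_ref"
}

# Run only when explicitly asked, so the helpers can be sourced and reused elsewhere.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
  pipeline
fi
```

Naming the SBOM after the full registry reference, tag included, is what lets you match an SBOM in Manifest to the exact image that was pushed; with a commit-derived tag it also maps back to the source revision.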

Always add the appropriate labels and product to these CLI commands, so that you can tell which CI/CD pipeline an SBOM came from.

Labels: Useful purely for identification, filtering, and context.

Products: Useful for any group of containers (or any group of SBOMs) that you receive compliance questions about. If you get SBOM requests for a group of software that makes up a single product, or for a set of software delivered to a specific program, put all of those SBOMs in one product. From that product you can export reports and a fully merged SBOM to answer those questions directly and save your team time.