Plans to support scanning Dockerfiles
What are the plans to support Dockerfile scanning in FNCI v6?
From initial tests scanning Docker containers (using 6.x, on Docker layer tarfiles), the scan results are incomplete, e.g. no inventory for the base OS layer (CentOS/RPM-based, no matches on libs/executables) and only partial inventory for other layers. Having inventory for the base OS layer is important because, with the container distribution model, the user-space OS components are now being distributed as well, which has copyleft compliance implications (many user-space Linux components are under a copyleft license).
Scanning the Dockerfile would provide details of OSS dependencies at the source level, without requiring a full image build and scan.
I have not tried the v7 container plugin yet, so I don't know whether users are getting better results with v7.
Thanks for the post. We are planning to add support for scanning Dockerfiles and reporting inventory from them in a future release.
To build the feature right, it would be good to know what you expect. At this point we are looking at reporting the items below:
- Base Image
- Scan apt-get or yum statements and report packages (optional)
It would be great if you could provide a sample Dockerfile you are using and what your expectation is.