I'm building the following Docker image for redis. Since it's a multi-stage and I'm using the distroless static image as the final layer, I'm basically compiling the redis statically and then copying over the binaries.
However, when I run `syft <image> --scope all-layers`, I do not see the redis binary in the SBOM.
Am I missing something here?
```dockerfile
# Stage 1: Build Redis as a fully static binary
FROM alpine:latest AS builder
WORKDIR /usr/src/redis
# Install dependencies for static build (including OpenSSL for TLS)
RUN apk add --no-cache build-base linux-headers musl-dev wget \
    openssl-dev openssl-libs-static iputils-ping busybox bash
# Download and compile Redis with static linking and TLS-enabled for amd64
ARG REDIS_VERSION=7.4.2
RUN wget http://download.redis.io/releases/redis-${REDIS_VERSION}.tar.gz && \
    tar xzf redis-${REDIS_VERSION}.tar.gz && \
    cd redis-${REDIS_VERSION} && \
    make LDFLAGS="-static -L/usr/lib -lssl -lcrypto" CFLAGS="-march=x86-64" BUILD_TLS=yes
# Stage 2: Copy static binaries to distroless
FROM gcr.io/distroless/static-debian12
# Set working directory
WORKDIR /data
# Copy Redis binaries
COPY --from=builder /usr/src/redis/redis-7.4.2/src/redis-server /usr/local/bin/redis-server
COPY --from=builder /usr/src/redis/redis-7.4.2/src/redis-cli /usr/local/bin/redis-cli
# Expose Redis port
EXPOSE 6379
EXPOSE 16379
# Run Redis
ENTRYPOINT ["/usr/local/bin/redis-server"]
```
Output of syft scan
This is all I see
```
syft scan test:latest
 ✔ Loaded image test:latest
 ✔ Parsed image
 ✔ Cataloged contents
   ├── ✔ Packages [0 packages]
   ├── ✔ File digests [2 files]
   ├── ✔ File metadata [2 locations]
   └── ✔ Executables [11 executables]
NAME VERSION TYPE
```
- some logs? you know to say what part actually worked? – avifen Commented Mar 3 at 20:17
- Updated my response with the output – user782400 Commented Mar 3 at 20:25
1 Answer
It's working here with your configuration:
I just ran `docker build . --platform linux/amd64`
I got an image on my ARM Mac.
```
docker image list
REPOSITORY TAG. IMAGE ID CREATED SIZE
<none> <none> 8394447e8084 4 minutes ago 59.6MB
```
```
syft scan 8394447e8084 --scope all-layers
 ✔ Loaded image 8394447e8084
 ✔ Parsed image sha256:8394447e80846d52d7047063a7b5c47ff2a1795e5baeda03d3fb6362a99f9f94
 ✔ Cataloged contents 655512525c2ef2fe56e4890d9acd5852ea5729901fb1a99abcccd88c6bccae60
   ├── ✔ Packages [4 packages]
   ├── ✔ File digests [943 files]
   ├── ✔ File metadata [943 locations]
   └── ✔ Executables [2 executables]
NAME        VERSION          TYPE
base-files  12.4+deb12u10    deb
netbase     6.4              deb
redis       7.4.2            binary
tzdata      2025a-0+deb12u1  deb
```
Are you using an old version of Syft? The latest is v1.21.0.
Do you have a syft configuration file that is overriding the defaults? (I am not)
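The two scans above differ in whether Syft attributed the copied binaries to a package. As an added example (not part of the question or the answer), this Python check reads `syft <image> -o json` output and reports executables that no package's `locations` covers, plus expected packages that are missing. The JSON field names are assumed from Syft's JSON output, the sample document is constructed, and the function names are hypothetical.

```python
import json
import sys
from pathlib import Path

# Constructed sample in the shape of `syft <image> -o json` (assumed fields:
# artifacts[].locations[].path, files[].location.path, files[].executable).
# It is not the output of either scan shown on this page.
SAMPLE_SBOM = json.loads("""
{"artifacts": [{"name": "redis", "version": "7.4.2", "type": "binary",
                "locations": [{"path": "/usr/local/bin/redis-server"}]}],
 "files": [
   {"location": {"path": "/usr/local/bin/redis-server"}, "executable": {"format": "elf"}},
   {"location": {"path": "/usr/local/bin/redis-cli"}, "executable": {"format": "elf"}},
   {"location": {"path": "/etc/passwd"}}]}
""")


def claimed_paths(sbom):
    """Paths that at least one cataloged package points at."""
    return {loc["path"]
            for pkg in sbom.get("artifacts") or []
            for loc in pkg.get("locations") or []
            if loc.get("path")}


def unclaimed_executables(sbom):
    """Executables found in the image that no package in the SBOM accounts for."""
    claimed = claimed_paths(sbom)
    found = set()
    for entry in sbom.get("files") or []:
        path = (entry.get("location") or {}).get("path")
        if path and entry.get("executable") and path not in claimed:
            found.add(path)
    return sorted(found)


def missing_packages(sbom, expected):
    """Expected (name, version) pairs absent from the SBOM's package list."""
    present = {(p.get("name"), p.get("version")) for p in sbom.get("artifacts") or []}
    return sorted(set(expected) - present)


if __name__ == "__main__":
    from_file = len(sys.argv) > 1
    doc = json.loads(Path(sys.argv[1]).read_text()) if from_file else SAMPLE_SBOM
    gaps = unclaimed_executables(doc)
    gaps += [f"{n}@{v}" for n, v in missing_packages(doc, [("redis", "7.4.2")])]
    print("\n".join(gaps) or "SBOM covers all executables")
    sys.exit(1 if gaps and from_file else 0)  # non-zero only for a real scan file
```

Run against a saved scan, the script exits non-zero when a statically linked binary was copied into the image but never attributed to a package, which is the gap the question describes.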