
Apparently it is not possible to perform a security scan for vulnerabilities in a Docker image using Anchore Grype unless that image was previously pushed to a registry.

This makes it currently unsuitable for gating your registry from vulnerable images, because an image can be pushed there and then - before your scan is complete - this infected image with some severe CVEs can be immediately pulled by an unsuspecting user (before the image gets withdrawn).

How to work around this problem?


To reproduce the problem

  1. First docker build an image; do not push it to the registry.
  2. Try to scan the locally available image with grype and you will get an error like this:
$ ./scan-with-grype-dockerized.sh mirekphd/ml-cache:20230726
[0000]  INFO grype version: 0.64.2
1 error occurred:
    * failed to catalog: unable to load image: unable to use OciRegistry source: failed to get image descriptor from registry: GET https://index.docker.io/v2/mirekphd/ml-cache/manifests/20230726: MANIFEST_UNKNOWN: manifest unknown; unknown tag=20230726
mirekphd

2 Answers

As a workaround, you may consider running grype as the root user (please test it on an image that wasn't previously pushed to the Docker Hub):

$ docker run --rm --name grype -u 0 -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest --only-fixed mirekphd/ml-cache:20230731 

NAME          INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY 
libcrypto1.1  1.1.1s-r0  1.1.1t-r0  apk   CVE-2022-4304  Medium    
libcrypto1.1  1.1.1s-r0  1.1.1t-r0  apk   CVE-2022-4450  High      
libcrypto1.1  1.1.1s-r0  1.1.1t-r0  apk   CVE-2023-0215  High      
libcrypto1.1  1.1.1s-r0  1.1.1t-r0  apk   CVE-2023-0286  High      
libcrypto1.1  1.1.1s-r0  1.1.1t-r1  apk   CVE-2023-0464  High      
libcrypto1.1  1.1.1s-r0  1.1.1t-r2  apk   CVE-2023-0465  Medium    
libcrypto1.1  1.1.1s-r0  1.1.1u-r0  apk   CVE-2023-2650  High      
libcrypto1.1  1.1.1s-r0  1.1.1u-r2  apk   CVE-2023-3446  Medium    
libssl1.1     1.1.1s-r0  1.1.1t-r0  apk   CVE-2022-4304  Medium    
libssl1.1     1.1.1s-r0  1.1.1t-r0  apk   CVE-2022-4450  High      
libssl1.1     1.1.1s-r0  1.1.1t-r0  apk   CVE-2023-0215  High      
libssl1.1     1.1.1s-r0  1.1.1t-r0  apk   CVE-2023-0286  High      
libssl1.1     1.1.1s-r0  1.1.1t-r1  apk   CVE-2023-0464  High      
libssl1.1     1.1.1s-r0  1.1.1t-r2  apk   CVE-2023-0465  Medium    
libssl1.1     1.1.1s-r0  1.1.1u-r0  apk   CVE-2023-2650  High      
libssl1.1     1.1.1s-r0  1.1.1u-r2  apk   CVE-2023-3446  Medium

Note: if you got Critical vulnerabilities above by not using the --only-fixed flag, be assured that they are relevant only to systems other than the Alpine actually used in that image: one for Debian and one for... Windows, as described in a separate bug I've already reported to the developers.

mirekphd


A safer and quite performant workaround is to use skopeo and its ability to copy unpushed local images from the local Docker daemon (using the docker-daemon: prefix; note: no slashes there, unlike in the standard remote-registry prefix docker://), without the need to docker run them and without the risk of altering them that docker save would impose. Copy the image in the OCI dir format to a temporary location, and then scan it there with grype using its oci-dir: prefix.

mirekphd
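The skopeo-based workflow from the answer above, written out as a gating script. This is an added example, not code from the original answer; it assumes skopeo and grype are installed on the host (rather than the dockerized wrapper from the question), and FAIL_ON is a hypothetical variable name for the severity threshold.

```shell
#!/bin/sh
# Scan an image that exists only in the local Docker daemon, without pushing it
# to a registry first. Added example; assumes skopeo and grype are on PATH.
set -eu

# Hypothetical gating threshold for grype --fail-on:
# negligible | low | medium | high | critical
FAIL_ON="${FAIL_ON:-high}"

# Tag of an image reference, defaulting to "latest". Only the last path
# component is inspected, so a registry port (host:5000/img) is not mistaken for a tag.
image_tag() {
    case ${1##*/} in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   printf 'latest\n' ;;
    esac
}

# skopeo source reference for the local daemon: "docker-daemon:" with no slashes,
# unlike "docker://". skopeo requires a tag (or digest) here, so add :latest if absent.
daemon_ref() {
    printf 'docker-daemon:%s' "$1"
    case ${1##*/} in
        *:*) printf '\n' ;;
        *)   printf ':latest\n' ;;
    esac
}

# skopeo destination reference: an OCI layout directory plus a tag.
oci_dest_ref() {
    printf 'oci:%s:%s\n' "$1" "$2"
}

# Copy the unpushed image into a temporary OCI dir, scan it there, and let
# grype's exit status gate the pipeline: non-zero if any fixable match is at
# or above FAIL_ON, so a CI job can refuse to push the image.
scan_local_image() {
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    skopeo copy "$(daemon_ref "$1")" "$(oci_dest_ref "$workdir" "$(image_tag "$1")")"
    grype "oci-dir:$workdir" --only-fixed --fail-on "$FAIL_ON"
}

# Run only when an image name is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    scan_local_image "$1"
fi
```

Run it as `./scan-local.sh mirekphd/ml-cache:20230731` before any `docker push`; a non-zero exit means the image did not pass the threshold.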