From f180eaee3dc1ae1f1f9743560b8c7caa803dcafe Mon Sep 17 00:00:00 2001
From: Blaize Kaye
Date: Thu, 26 Feb 2026 13:45:16 +1300
Subject: [PATCH 1/3] Replaces trivy with syft for sbom generation

---
 insights-scanner/Dockerfile | 13 +++----------
 insights-scanner/insights-scan.sh | 6 ++----
 2 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/insights-scanner/Dockerfile b/insights-scanner/Dockerfile
index e01593f5..ae30de73 100644
--- a/insights-scanner/Dockerfile
+++ b/insights-scanner/Dockerfile
@@ -2,7 +2,8 @@ ARG UPSTREAM_REPO
 ARG UPSTREAM_TAG
 ARG GO_VER
 FROM ${UPSTREAM_REPO:-uselagoon}/commons:${UPSTREAM_TAG:-latest} AS commons
-FROM aquasec/trivy:0.68.2 AS trivy
+FROM anchore/syft AS syft
+
 FROM docker:28.5.2
@@ -38,15 +39,7 @@ RUN architecture=$(case $(uname -m) in x86_64 | amd64) echo "amd64" ;; aarch64 |
 && curl -Lo /usr/bin/kubectl https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/${architecture}/kubectl \
 && chmod +x /usr/bin/kubectl
-COPY --from=trivy /usr/local/bin/trivy /usr/local/bin/trivy
-
-# Here we want to pull the trivy java DB
-# This needs to be rebuilt daily, since we would like to be able to avoid pulling the javaDB on every scan
-# This will increase the overall size of the
-ENV TRIVY_CACHE_DIR=/
-
-RUN trivy image --cache-dir ${TRIVY_CACHE_DIR} --download-db-only && \
- trivy image --cache-dir ${TRIVY_CACHE_DIR} --download-java-db-only
+COPY --from=syft /syft /usr/local/bin/syft
 WORKDIR /app
diff --git a/insights-scanner/insights-scan.sh b/insights-scanner/insights-scan.sh
index 164d1651..b91bdac5 100644
--- a/insights-scanner/insights-scan.sh
+++ b/insights-scanner/insights-scan.sh
@@ -62,12 +62,10 @@ processImageInspect() {
 processImageInspect
-echo "Running sbom scan using trivy"
+echo "Running sbom scan using syft"
 echo "Image being scanned: ${IMAGE_FULL}"
-# Setting JAVAOPT to skip the java db update, as the upstream image comes with a pre-populated database
-JAVAOPT="--skip-java-db-update"
-trivy image ${JAVAOPT} ${IMAGE_FULL} --format ${SBOM_OUTPUT} --skip-version-check | gzip > ${SBOM_OUTPUT_FILE}
+syft -o cyclonedx-json ${IMAGE_FULL} | gzip > ${SBOM_OUTPUT_FILE}
 FILESIZE=$(stat -c%s "$SBOM_OUTPUT_FILE")
 echo "Size of ${SBOM_OUTPUT_FILE} = $FILESIZE bytes."

From e9e5d734aa3f28eb905fae34a7bf8c3cdc8f66c3 Mon Sep 17 00:00:00 2001
From: Blaize Kaye
Date: Thu, 26 Feb 2026 14:16:44 +1300
Subject: [PATCH 2/3] Updates renovate.json and pins syft image

---
 insights-scanner/Dockerfile | 2 +-
 renovate.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/insights-scanner/Dockerfile b/insights-scanner/Dockerfile
index ae30de73..9c77fd51 100644
--- a/insights-scanner/Dockerfile
+++ b/insights-scanner/Dockerfile
@@ -2,7 +2,7 @@ ARG UPSTREAM_REPO
 ARG UPSTREAM_TAG
 ARG GO_VER
 FROM ${UPSTREAM_REPO:-uselagoon}/commons:${UPSTREAM_TAG:-latest} AS commons
-FROM anchore/syft AS syft
+FROM anchore/syft:v1.42.1 AS syft
 FROM docker:28.5.2
diff --git a/renovate.json b/renovate.json
index a33cc9a6..661367a0 100644
--- a/renovate.json
+++ b/renovate.json
@@ -58,7 +58,7 @@
 "patch"
 ],
 "matchPackageNames": [
- "aquasec/trivy",
+ "anchore/syft",
 "docker"
 ]
 }

From f57f0e450d51c0eb91ce1bd1d0f8f42fbfd0a2fa Mon Sep 17 00:00:00 2001
From: Blaize Kaye
Date: Fri, 27 Feb 2026 07:45:22 +1300
Subject: [PATCH 3/3] Removes build schedule for image scanner

---
 .github/workflows/insights-scanner-image.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/insights-scanner-image.yaml b/.github/workflows/insights-scanner-image.yaml
index 12b3ff9b..7734973f 100644
--- a/.github/workflows/insights-scanner-image.yaml
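Review bot: The rewritten scan line in insights-scan.sh, `syft -o cyclonedx-json ${IMAGE_FULL} | gzip > ${SBOM_OUTPUT_FILE}`, reports only gzip's exit status, so unless the script enables `pipefail` above this hunk a failed syft run (image not pullable, syft crash) still produces a small, valid-looking .gz that the following `stat` size report and whatever consumes the file will treat as a real SBOM. Check `${PIPESTATUS[0]}` after the pipeline, or run it under `set -o pipefail` and abort on failure, e.g. `syft -o cyclonedx-json "${IMAGE_FULL}" | gzip > "${SBOM_OUTPUT_FILE}" || { echo "syft failed for ${IMAGE_FULL}" >&2; exit 1; }`, which also fixes the unquoted expansions. The previous invocation honoured `--format ${SBOM_OUTPUT}` while the new one hard-codes cyclonedx-json, so if `SBOM_OUTPUT` is still assigned earlier in the script it is now silently ignored; either map it to a syft output name or delete the variable so the two cannot disagree. trivy's `--skip-version-check` has no counterpart here; if the outbound update check is unwanted from inside the scanner, set `SYFT_CHECK_FOR_APP_UPDATE=false` in its environment. The enclosing script continues outside the hunk.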
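Review bot: `FROM anchore/syft:v1.42.1 AS syft` pins a tag that the publisher can still move, and this stage supplies the binary whose output is consumed as supply-chain evidence, so pin the digest as well: `FROM anchore/syft:v1.42.1@sha256:<digest-placeholder> AS syft` (placeholder; take the digest from the registry). If the renovate config enables digest pinning it will keep that current alongside the tag; `FROM docker:28.5.2` on the context line, which this commit does not touch, would benefit the same way.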
+++ b/.github/workflows/insights-scanner-image.yaml
@@ -1,8 +1,6 @@
 name: Publish insights-scanner image
 on:
- schedule:
- - cron: "1 0 * * *"
 push:
 branches:
 - 'main'