Master Software Supply Chain Visibility and Vulnerability Management
You will generate precise Software Bills of Materials (SBOMs) and audit them for known vulnerabilities. This hands-on lab builds production-grade skills with Syft for SBOM creation and Grype for vulnerability scanning. Security teams rely on this exact workflow to satisfy compliance requirements, gate CI/CD pipelines, and answer the first question of any supply chain incident: which of our artifacts ship the affected component?
For broader context on third-party risk and supply chain auditing, read Third-Party Risk: Auditing Your Supply Chain.
Objectives
- Install Syft and Grype on your local system.
- Generate SBOMs in multiple formats from container images and directories.
- Scan SBOMs and live targets with Grype.
- Interpret vulnerability reports and plan remediation.
- Export artifacts for integration and reporting.
Prerequisites
- A Linux, macOS, or Windows machine with Docker or Podman installed and running.
- Administrative access for tool installation.
- Internet connection for downloading tools and updating vulnerability databases.
- Basic comfort with terminal commands.
Lab Environment Setup
Prepare a clean workspace for consistent results.
Create and navigate to a dedicated directory: mkdir ~/sbom-lab && cd ~/sbom-lab
Pull a lightweight test image: docker pull alpine:latest (with Podman, use podman pull alpine:latest; Syft and Grype can read images from either engine)
You now have everything required to complete the exercises.
Step-by-Step Guide
Step 1: Install Syft and Grype
Install both tools with their official installer scripts for the fastest setup. Piping a remote script into sudo sh trusts Anchore's download host; for anything beyond a lab, pin a release (the installer accepts a version tag as its final argument) and verify the downloaded binary against the published release checksums.
Execute these commands:
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin
Verify successful installation:
syft version
grype version
Only Grype needs a vulnerability database: it downloads one on its first run and checks for a newer one on later runs. Syft needs no database and works offline once installed.
Step 2: Generate an SBOM with Syft
Syft catalogs packages from operating system package managers (apk, deb, rpm), language ecosystems, and lockfiles, and it can read container images, directories, and archives.
Scan a container image and output in CycloneDX format:
syft alpine:latest -o cyclonedx-json > alpine-sbom.cdx.json
Scan your local project directory:
syft . -o spdx-json > project-sbom.spdx.json
Generate Syft's own JSON format, which keeps everything Syft found and is the best input for Grype:
syft alpine:latest -o json > alpine-sbom.json
Syft records each package's exact version, licenses, file locations, and package URL (purl), including transitive dependencies present in installed trees and lockfiles, so the SBOM answers "what is in this artifact and where did it come from". Generate the same image in two formats and compare the files to see what each standard carries and what it drops.
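To see what the SBOM from Step 2 actually contains, and to practise the query SBOMs exist for ("do we ship package X, and under which version?"), here is an added Python example that is not part of the lab or of the Syft project. It assumes the CycloneDX 1.x JSON layout that syft -o cyclonedx-json writes (a top-level components list whose entries carry name, version, purl and licenses). The embedded SBOM is constructed for the demo and its versions are illustrative; pass the path of alpine-sbom.cdx.json to run it on real output.

```python
"""Inventory queries over a CycloneDX JSON SBOM such as the one Step 2 writes.

Added example for this lab, not Syft's own code. Assumes the CycloneDX 1.x
JSON layout Syft emits: a top-level "components" list whose entries carry
"name", "version", "purl" and an optional "licenses" list.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `syft alpine:latest -o cyclonedx-json`,
# cut down to four components; the versions are illustrative, not a real scan.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r2",
         "purl": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64&distro=alpine-3.19",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "busybox", "version": "1.36.1-r15",
         "purl": "pkg:apk/alpine/busybox@1.36.1-r15?arch=x86_64&distro=alpine-3.19",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "libcrypto3", "version": "3.1.4-r5",
         "purl": "pkg:apk/alpine/libcrypto3@3.1.4-r5?arch=x86_64&distro=alpine-3.19",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"expression": "Apache-2.0"}]},
    ],
})


def ecosystem_of(purl):
    """'pkg:apk/alpine/musl@...' -> 'apk'. The purl type names the package manager the entry came from."""
    if not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0]


def load_components(sbom_text):
    """Flatten a CycloneDX JSON string into (name, version, ecosystem, [license ids]) tuples."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    rows = []
    for comp in bom.get("components", []):
        licenses = []
        for entry in comp.get("licenses", []):
            # CycloneDX allows either {"license": {"id"|"name": ...}} or {"expression": "..."}
            if "license" in entry:
                lic = entry["license"]
                licenses.append(lic.get("id") or lic.get("name") or "unknown")
            elif "expression" in entry:
                licenses.append(entry["expression"])
        rows.append((comp.get("name"), comp.get("version"),
                     ecosystem_of(comp.get("purl", "")), licenses))
    return rows


def find_component(sbom_text, name):
    """The 'do we ship X?' query: versions and ecosystems under which `name` appears."""
    return [(ver, eco) for n, ver, eco, _ in load_components(sbom_text) if n == name]


def count_by_ecosystem(sbom_text):
    """How many packages came from each package manager (apk, pypi, npm, ...)."""
    return dict(Counter(eco for _, _, eco, _ in load_components(sbom_text)))


def components_with_license(sbom_text, license_id):
    """Packages carrying a given SPDX license id, sorted by name."""
    return sorted(n for n, _, _, lics in load_components(sbom_text) if license_id in lics)


if __name__ == "__main__":
    # Pass a real SBOM path (e.g. alpine-sbom.cdx.json from Step 2) or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for name, ver, eco, lics in load_components(text):
        print(f"{eco:8} {name:24} {ver:16} {', '.join(lics) or '-'}")
    print("by ecosystem:", count_by_ecosystem(text))
    print("libcrypto3:", find_component(text, "libcrypto3"))
```

Run it over every SBOM you store and the same find_component call becomes the fleet-wide "where do we ship this?" lookup that a new advisory demands.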
Step 3: Audit the SBOM with Grype
Grype matches SBOM contents against its vulnerability database, which aggregates sources such as NVD, GitHub Security Advisories, and the Linux distributions' own security trackers.
Scan the generated SBOM:
grype sbom:alpine-sbom.json
Scan the container image directly (Grype uses Syft internally to build the inventory first):
grype alpine:latest
Pipe output for streamlined workflows:
syft alpine:latest -o json | grype
Each row of the table reports the package, installed version, fixed-in version (when one exists), package type, vulnerability ID (a CVE or a distribution or GitHub advisory ID), and severity. Review Critical and High severity items first, and among those start with the ones that already have a fix available.
Step 4: Interpret Results and Export Reports
Examine the output structure carefully:
- Package name and version
- Associated CVEs with severity
- Fixed version recommendations
- Vulnerability metadata
Export results in structured formats:
grype sbom:alpine-sbom.json -o json > vulnerabilities.json
grype sbom:alpine-sbom.json -o table > vulnerabilities.txt
grype sbom:alpine-sbom.json -o sarif > vulnerabilities.sarif
The JSON output is the one to script against: it carries the fix state and match details that the table omits. SARIF uploads directly to GitHub code scanning and to any other platform that ingests SARIF.
Step 5: Advanced Operations and Best Practices
Generate multiple formats in one command:
syft alpine:latest -o cyclonedx-json=cdx.json -o spdx-json=spdx.json -o json=syft.json
Create a .grype.yaml in the project (or ~/.grype.yaml) to suppress accepted findings with ignore rules (each rule names a vulnerability ID and, optionally, the package it applies to) and to set fail-on-severity so the scan exits non-zero above a threshold. Keep the file in version control with a comment per rule: an ignore rule is a risk acceptance and needs an owner and a review date, or it becomes a permanent blind spot.
Test different base images (e.g., node:alpine, python:slim) to compare supply chain risk profiles.
Integrate into CI/CD pipelines by running these commands as automated gates, and store each SBOM next to the artifact it describes (same build record or registry) so that when a new CVE lands you can re-scan released artifacts from their SBOMs without rebuilding them.
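The interpretation in Step 4 and the CI gate in Step 5 are normally scripted rather than read by eye. The following is an added Python example, not from the lab or the Grype project, that reads grype -o json output, summarizes it by severity, orders the fixable findings into a remediation plan, and applies a severity gate with an ignore list that plays the role of the ignore rules in .grype.yaml. It assumes the report layout grype -o json writes (a top-level matches list, each entry with vulnerability.id, vulnerability.severity, vulnerability.fix.state, vulnerability.fix.versions and artifact.name, artifact.version, artifact.type). The embedded report is constructed and its CVE-0000-* identifiers are placeholders, not findings against alpine:latest; scan_to_findings runs grype for a real target.

```python
"""Triage a Grype JSON report and apply a severity gate.

Added example for this lab, not Grype's own code. Assumes the layout of
`grype ... -o json`: a top-level "matches" list whose entries carry
"vulnerability" (id, severity, fix.state, fix.versions) and "artifact"
(name, version, type).
"""
import json
import subprocess

# Grype's severity vocabulary, ranked so a threshold comparison works.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed report in the shape of `grype sbom:alpine-sbom.json -o json`.
# The CVE-0000-* ids are placeholders; nothing here is a real finding.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["3.1.4-r0"], "state": "fixed"}},
         "artifact": {"name": "libcrypto3", "version": "3.1.3-r0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "busybox", "version": "1.36.1-r0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                           "fix": {"versions": ["2.32.0"], "state": "fixed"}},
         "artifact": {"name": "requests", "version": "2.31.0", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "musl", "version": "1.2.4-r2", "type": "apk"}},
    ],
})


def load_findings(report_text):
    """Flatten a Grype JSON report into one dict per (package, vulnerability) match."""
    report = json.loads(report_text)
    findings = []
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        findings.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": art["name"],
            "installed": art["version"],
            "type": art.get("type", ""),
            "fix_state": fix.get("state", "unknown"),   # fixed | not-fixed | wont-fix | unknown
            "fixed_in": fix.get("versions", []),
        })
    return findings


def severity_counts(findings):
    """Number of matches per severity label, for the summary line of a report."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def remediation_plan(findings):
    """Fixable findings, highest severity first: (package, installed, fixed_in, severity, id)."""
    fixable = [f for f in findings if f["fix_state"] == "fixed" and f["fixed_in"]]
    fixable.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["package"]))
    return [(f["package"], f["installed"], f["fixed_in"][0], f["severity"], f["id"]) for f in fixable]


def gate(findings, fail_on="High", ignore_ids=()):
    """Findings that breach policy: severity at or above `fail_on` and not in the ignore list.

    An empty result means the build may proceed. Same decision as `grype --fail-on`,
    but you get the breaching list back to log or attach to a ticket.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold {fail_on!r}")
    threshold = SEVERITY_RANK[fail_on]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold and f["id"] not in ignore_ids]


def scan_to_findings(target):
    """Run grype for a real target: an image ref or an SBOM such as 'sbom:alpine-sbom.json'."""
    proc = subprocess.run(["grype", target, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return load_findings(proc.stdout)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print("by severity:", severity_counts(findings))
    for pkg, cur, fixed, sev, vid in remediation_plan(findings):
        print(f"{sev:8} {vid:16} {pkg} {cur} -> {fixed}")
    breaches = gate(findings, fail_on="High")
    for b in breaches:
        print("GATE:", b["severity"], b["id"], b["package"], b["installed"])
    raise SystemExit(1 if breaches else 0)
```

At the command line, grype --fail-on high and --only-fixed give you the same two decisions without a script; the script earns its place when the pipeline must record which matches tripped the gate and which were ignored, and why.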
Lab Validation
Complete these checks to confirm mastery:
- Generate at least two SBOMs (one image, one directory).
- Scan both with Grype and identify at least one vulnerability.
- Export results in JSON and table formats.
- Compare vulnerability counts between a minimal image like Alpine and a fuller image.
Document your findings in a short summary report.
Key Takeaways
Syft delivers comprehensive, accurate inventory. Grype converts that inventory into immediate, actionable security intelligence. Practitioners who master this workflow gain continuous visibility into software components and respond effectively to emerging threats. Apply these techniques consistently to strengthen your organization’s software supply chain security posture.
Run this lab multiple times with different targets to internalize the commands and deepen your operational expertise.