Analyze Docker Image (Command Line)

In this tutorial, you will learn by example how to use ScanCode.io to analyze a test Docker image by following the steps below and, along the way, learn some of the ScanCode.io basic commands.

Note

This tutorial assumes you have a recent version of ScanCode.io installed locally on your machine and running with Docker. If you do not have it installed, see our Installation guide for instructions.

Requirements

To successfully complete this tutorial, you first need to:

  • Install ScanCode.io locally

  • Have Shell access on the machine where ScanCode.io is installed

Instructions

  • Create a new directory in your home directory that will be used to put the input code to be scanned.

$ mkdir -p ~/codedrop/
$ curl -L https://github.com/nexB/scancode.io-tutorial/releases/download/sample-images/30-alpine-nickolashkraus-staticbox-latest.tar --output ~/codedrop/30-alpine-nickolashkraus-staticbox-latest.tar

  • Create an alias to the scanpipe command executed through the docker compose command line interface with:

$ alias scanpipe="docker compose -f ${PWD}/docker-compose.yml run --volume ~/codedrop/:/codedrop:ro web scanpipe"

  • Create a new project named staticbox:

$ scanpipe create-project staticbox
>> Project staticbox created with work directory /var/scancodeio/workspace/projects/staticbox-d4ed9405

Note

New project work directories are created inside the location defined by the SCANCODEIO_WORKSPACE_LOCATION setting, which defaults to the /var/scancodeio/workspace/ directory.

  • Add the test Docker image tarball to the project workspace’s input/ directory:

$ scanpipe add-input --project staticbox \
    --input-file /codedrop/30-alpine-nickolashkraus-staticbox-latest.tar
>> File copied to the project inputs directory:
   - 30-alpine-nickolashkraus-staticbox-latest.tar

Note

The command output confirms that the Docker image file was copied to the project’s input/ directory. Alternatively, you can copy files manually into the input/ directory, which also lets you include entire directories.

  • Add the analyze_docker_image pipeline to your project:

$ scanpipe add-pipeline --project staticbox analyze_docker_image
>> Pipeline analyze_docker_image added to the project

  • Check the status of the pipeline added to your project:

$ scanpipe show-pipeline --project staticbox
>> [NOT_STARTED] analyze_docker_image

Note

The scanpipe show-pipeline command lists all the pipelines added to the project together with their execution status. Use it to get a quick overview of the pipelines that have already run, reported with a “SUCCESS” or “FAILURE” status, and of those that will run next, reported with a “NOT_STARTED” status as shown above.

  • Run the analyze_docker_image pipeline on this project. In the output, you will be shown the pipeline’s execution progress:

$ scanpipe execute --project staticbox
>> Pipeline analyze_docker_image run in progress...
   Pipeline [analyze_docker_image] starting
   Step [extract_images] starting
   Step [extract_images] completed in 0.18 seconds
   Step [extract_layers] starting
   [...]
   Pipeline completed
   analyze_docker_image successfully executed on project staticbox

  • Executing the show-pipeline command again confirms that the pipeline ran successfully, now reporting a “[SUCCESS] analyze_docker_image” status:

$ scanpipe show-pipeline --project staticbox
>> [SUCCESS] analyze_docker_image

  • Get the results of the pipeline execution as a JSON file using the output command:

$ scanpipe output --project staticbox --format json --print > staticbox_results.json

  • Finally, open the staticbox_results.json file in your preferred text editor/file viewer.
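Once the results file exists, a short script can turn it into a review inventory: which pipelines ran, which packages were detected, and which regular files no detected package accounts for. This is an added example, not part of the ScanCode.io tutorial or the project’s own code; it assumes the top-level keys and field names shown in the constructed sample, which you should check against your own staticbox_results.json.

```python
import json
from collections import Counter
from pathlib import Path

# Constructed sample standing in for staticbox_results.json. The top-level keys
# ("headers", "packages", "files") and the field names ("runs", "pipeline_name",
# "task_exitcode", "package_uid", "purl", "for_packages", "status") are assumed
# to follow ScanCode.io's JSON output; verify them against your own results file.
SAMPLE = {
    "headers": [{"runs": [{"pipeline_name": "analyze_docker_image",
                            "task_exitcode": 0}]}],
    "packages": [
        {"package_uid": "pkg:alpine/musl@1.2.3?uuid=a", "purl": "pkg:alpine/musl@1.2.3"},
        {"package_uid": "pkg:alpine/busybox@1.35.0?uuid=b", "purl": "pkg:alpine/busybox@1.35.0"},
    ],
    "files": [
        {"path": "image-extract/layer1/lib/ld-musl-x86_64.so.1", "type": "file",
         "status": "system-package", "for_packages": ["pkg:alpine/musl@1.2.3?uuid=a"]},
        {"path": "image-extract/layer1/bin/busybox", "type": "file",
         "status": "system-package", "for_packages": ["pkg:alpine/busybox@1.35.0?uuid=b"]},
        {"path": "image-extract/layer2/app/staticbox", "type": "file",
         "status": "scanned", "for_packages": []},
        {"path": "image-extract/layer2/app", "type": "directory",
         "status": "", "for_packages": []},
    ],
}


def summarize(results):
    """Return the pipeline runs, the package inventory (sorted purls), the
    regular files that no detected package owns, and a count of file statuses."""
    runs = [(r["pipeline_name"], r.get("task_exitcode"))
            for h in results.get("headers", []) for r in h.get("runs", [])]
    packages = sorted(p["purl"] for p in results.get("packages", []))
    regular_files = [f for f in results.get("files", []) if f.get("type") == "file"]
    # Files with an empty "for_packages" list were not attributed to any package
    # and are the ones worth reviewing by hand (unknown origin, unknown license).
    unowned = [f["path"] for f in regular_files if not f.get("for_packages")]
    status_counts = Counter(f.get("status", "") for f in regular_files)
    return {"runs": runs, "packages": packages,
            "unowned_files": unowned, "status_counts": dict(status_counts)}


def summarize_file(path):
    """Summarize a results file written by `scanpipe output --format json`."""
    return summarize(json.loads(Path(path).read_text()))


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Run it against the real file with `summarize_file("staticbox_results.json")`; a non-zero task_exitcode in the runs list means the pipeline failed and the rest of the summary should not be trusted.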

Note

To understand the output of the pipeline execution, see our Output Files section for details.

Tip

The inputs and pipelines can also be provided in one go when calling the create-project command. The --execute option starts the pipeline execution right after the project creation. For example, the following command will create a project named staticbox2, download the test Docker image to the project’s input/ directory, add the analyze_docker_image pipeline, and execute the pipeline in one operation:

$ scanpipe create-project staticbox2 \
    --input-url https://github.com/nexB/scancode.io-tutorial/releases/download/sample-images/30-alpine-nickolashkraus-staticbox-latest.tar \
    --pipeline analyze_docker_image \
    --execute