Analyze Docker Image (Command Line)
In this tutorial, you will learn by example how to use ScanCode.io to analyze a test Docker image by following the steps below and, along the way, learn some of the ScanCode.io basic commands.
Note
This tutorial assumes you have a recent version of ScanCode.io installed locally on your machine and running with Docker. If you do not have it installed, see our Installation guide for instructions.
Requirements
To successfully complete this tutorial, you first need to:
Install ScanCode.io locally
Have Shell access on the machine where ScanCode.io is installed
Instructions
Create a new directory in your home directory that will hold the input code to be scanned.
$ mkdir -p ~/codedrop/
Download the following test Docker image and save it to the ~/codedrop/ directory: 30-alpine-nickolashkraus-staticbox-latest.tar
$ curl https://github.com/nexB/scancode.io-tutorial/releases/download/sample-images/30-alpine-nickolashkraus-staticbox-latest.tar --output ~/codedrop/30-alpine-nickolashkraus-staticbox-latest.tar
Create an alias to the scanpipe command executed through the docker compose command line interface. Run this from the directory that contains the ScanCode.io docker-compose.yml file, since the alias references ${PWD}/docker-compose.yml:
$ alias scanpipe="docker compose -f ${PWD}/docker-compose.yml run --volume ~/codedrop/:/codedrop:ro web scanpipe"
Create a new project named staticbox:
$ scanpipe create-project staticbox
>> Project staticbox created with work directory /var/scancodeio/workspace/projects/staticbox-d4ed9405
Note
New project work directories are created inside the location defined by the SCANCODEIO_WORKSPACE_LOCATION setting, which defaults to the /var/scancodeio/workspace/ directory.
Add the test Docker image tarball to the project workspace’s input/ directory:
$ scanpipe add-input --project staticbox \
--input-file /codedrop/30-alpine-nickolashkraus-staticbox-latest.tar
>> File copied to the project inputs directory:
- 30-alpine-nickolashkraus-staticbox-latest.tar
Note
The command output will let you know that the Docker image file was copied to the project’s input/ directory. Alternatively, you can copy files manually into the input/ directory, which also lets you include entire directories.
Add the analyze_docker_image pipeline to your project:
$ scanpipe add-pipeline --project staticbox analyze_docker_image
>> Pipeline analyze_docker_image added to the project
Check the status of the pipeline added to your project:
$ scanpipe show-pipeline --project staticbox
>> [NOT_STARTED] analyze_docker_image
Note
The scanpipe show-pipeline command lists all the pipelines added to the project and their execution status. You can use this to get a quick overview of the pipelines that have already run (those with “SUCCESS” or “FAILURE” status) and those that will run next (those with “NOT_STARTED” status), as shown below.
Run the analyze_docker_image pipeline on this project. In the output, you will be shown the pipeline’s execution progress:
$ scanpipe execute --project staticbox
>> Pipeline analyze_docker_image run in progress...
Pipeline [analyze_docker_image] starting
Step [extract_images] starting
Step [extract_images] completed in 0.18 seconds
Step [extract_layers] starting
[...]
Pipeline completed
analyze_docker_image successfully executed on project staticbox
Executing the show-pipeline command again will also confirm the success of the pipeline execution with the “[SUCCESS] analyze_docker_image” status:
$ scanpipe show-pipeline --project staticbox
>> [SUCCESS] analyze_docker_image
Get the results of the pipeline execution as a JSON file using the output command:
$ scanpipe output --project staticbox --format json --print > staticbox_results.json
Finally, open the staticbox_results.json file in your preferred text editor/file viewer.
Note
To understand the output of the pipeline execution, see our Output Files section for details.
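As an added example (not part of this tutorial or of the ScanCode.io code base), the following Python script summarizes a results file for review: packages per ecosystem, declared licenses, files with no detected license, and resources whose scan did not complete cleanly. The key and field names it reads ("packages", "resources", "declared_license_expression", "detected_license_expression", "status") are assumptions about the JSON output format; check them against the Output Files section before relying on the script.

```python
import json
import sys
from collections import Counter

# Constructed sample shaped like a ScanCode.io JSON output. The key names
# ("packages", "resources", "declared_license_expression", "status", ...)
# are assumptions about the output format, not taken from this tutorial.
SAMPLE_RESULTS = json.dumps({
    "packages": [
        {"type": "apk", "name": "musl", "version": "1.2.3",
         "declared_license_expression": "mit"},
        {"type": "apk", "name": "busybox", "version": "1.35.0",
         "declared_license_expression": "gpl-2.0"},
        {"type": "pypi", "name": "example-lib", "version": "0.1",
         "declared_license_expression": ""},
    ],
    "resources": [
        {"path": "bin/busybox", "type": "file", "status": "scanned",
         "detected_license_expression": "gpl-2.0"},
        {"path": "opt/app/server", "type": "file", "status": "scanned",
         "detected_license_expression": ""},
        {"path": "opt/app/blob.bin", "type": "file",
         "status": "scanned-with-error", "detected_license_expression": ""},
    ],
})


def summarize(results_text):
    data = json.loads(results_text)
    packages = data.get("packages", [])
    resources = data.get("resources", [])
    return {
        # How many packages of each ecosystem the image layers contained.
        "packages_by_type": dict(Counter(p.get("type", "unknown") for p in packages)),
        # Declared license expressions; empty ones are bucketed as "undeclared".
        "declared_licenses": dict(Counter(
            p.get("declared_license_expression") or "undeclared" for p in packages)),
        # Files where no license was detected: candidates for manual review.
        "unlicensed_files": sorted(
            r["path"] for r in resources
            if r.get("type") == "file" and not r.get("detected_license_expression")),
        # Resources whose scan did not complete cleanly (assumed "scanned" = clean).
        "scan_errors": sorted(
            r["path"] for r in resources if r.get("status") != "scanned"),
    }


if __name__ == "__main__":
    # Pass staticbox_results.json as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print(json.dumps(summarize(text), indent=2))
```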
Tip
The inputs and pipelines can be provided together when calling the create-project command. The --execute option is also available to start the pipeline execution right after the project creation.
For example, the following command will create a project named staticbox2, download the test Docker image to the project’s input/ directory, add the analyze_docker_image pipeline, and execute the pipeline in one operation:
$ scanpipe create-project staticbox2 \
--input-url https://github.com/nexB/scancode.io-tutorial/releases/download/sample-images/30-alpine-nickolashkraus-staticbox-latest.tar \
--pipeline analyze_docker_image \
--execute