Analyze Docker Image (Command Line)

In this tutorial, you will learn by example how to use ScanCode.io to analyze a test Docker image by following the steps below and, along the way, learn some of the ScanCode.io basic commands.

Note

This tutorial assumes you have a current version of ScanCode.io installed locally on your machine. If you do not have it installed, see our Installation guide for instructions.

Requirements

To successfully complete this tutorial, you first need to:

Instructions

  • Open a shell in the ScanCode.io installation directory and activate the virtual environment - virtualenv:

$ source bin/activate

>> (scancodeio) $

  • Create a new project named staticbox:

$ scanpipe create-project staticbox

>> Project staticbox created with work directory projects/staticbox-d4ed9405

Note

New projects work directory are created inside the location defined in SCANCODEIO_WORKSPACE_LOCATION setting. Default to a var/ directory in the local ScanCode.io codebase.

  • Add the test Docker image tarball to the project workspace’s input/ directory:

$ scanpipe add-input --project staticbox \
  --input-file ~/30-alpine-nickolashkraus-staticbox-latest.tar

>> File(s) copied to the project inputs directory:
   - 30-alpine-nickolashkraus-staticbox-latest.tar

Note

The command output will let you know that the Docker image file was copied to the project’s input/ directory. You can also navigate to this directory and confirm your file is there. Alternatively, you can copy files manually to the input/ directory to include entire directories.

  • Add the docker pipeline to your project:

$ scanpipe add-pipeline --project staticbox docker

>> Pipeline(s) added to the project

  • Check the status of the pipeline added to your project:

$ scanpipe show-pipeline --project staticbox

>> [NOT_STARTED] docker

Note

The scanpipe show-pipeline command lists all the pipelines added to the project and their execution status. You can use this to get a quick overview of the pipelines that have been already running, pipelines with “SUCCESS” or “FAILURE” status, and those will be running next, pipelines with “NOT_STARTED” status as shown below.

  • Run the docker pipeline on this project. In the output, you will be shown the pipeline’s execution progress:

$ scanpipe execute --project staticbox

>> Pipeline docker run in progress...
   2021-07-07 10:39:26.49 Pipeline [docker] starting
   2021-07-07 10:39:26.53 Step [extract_images] starting
   2021-07-07 10:39:26.71 Step [extract_images] completed in 0.18 seconds
   2021-07-07 10:39:26.71 Step [extract_layers] starting
   [...]
   2021-07-07 10:39:31.39 Pipeline completed

  • Executing the show-pipeline command again will also confirm the success of the pipeline execution - “[SUCCESS] docker” status:

$ scanpipe show-pipeline --project staticbox

>> [SUCCESS] docker

  • Get the results of the pipeline execution as a JSON file using the output command:

$ scanpipe output --project staticbox --format json

>> projects/staticbox-d4ed9405/output/results-2021-07-07-08-54-02.json

  • Finally, open the output/results-<timestamp>.json file in your preferred text editor/file viewer.

Note

To understand the output of the pipeline execution, see our Output Files section for details.

Tip

The inputs and pipelines can be provided directly at once when calling the create-project command. An execute option is also available to start the pipeline execution right after the project creation. For example, the following command will create a project named staticbox2, download the test Docker image to the project’s input/ directory, add the docker pipeline, and execute the pipeline in one operation:

$ scanpipe create-project staticbox2 \
  --input-url https://github.com/nexB/scancode.io-tutorial/releases/download/sample-images/30-alpine-nickolashkraus-staticbox-latest.tar \
  --pipeline docker \
  --execute