docker-sbom fails with syft 1.27.0 (non-root image) and extra CA

I'm getting new errors from docker-sbom jobs:

[...]
$ # BEGSCRIPT # collapsed multi-line command
/scripts-481054-230249496/step_script: eval: line 302: can't create /etc/ssl/certs/ca-certificates.crt: Permission denied
Uploading artifacts for failed job
[...]

It's because the latest release of the syft image (1.27.0) has been hardened, opting for a non-root user (hence no permission to write in /etc/ssl/...). And the TBC component/template, by default, uses the latest debug version of the image (registry.hub.docker.com/anchore/syft:debug). As a workaround, one can stick to the previous version (1.26.1):

include:
  - component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
    inputs:
      sbom-image: registry.hub.docker.com/anchore/syft:v1.26.1-debug

or (if not using CI/CD components, but classic templates):

variables:
  DOCKER_SBOM_IMAGE: registry.hub.docker.com/anchore/syft:v1.26.1-debug

As for an actual fix to the TBC template, maybe something with SYFT_REGISTRY_CA_CERT (and put the extra certs in a non-root location)? But not sure it would be equivalent to having the extra certs in the system CA store. It's just an idea, I don't know much about syft features / use cases.
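One way to try the idea above, as an added example that is not part of this issue or of the TBC template: write the extra CA into a writable, non-root location and hand the resulting bundle to syft through SYFT_REGISTRY_CA_CERT (its registry.ca-cert setting), also exporting SSL_CERT_FILE, which the Go runtime syft is built on honours as its root store, so the bundle stands in for the system CA store. The EXTRA_CA_PEM variable and the target directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: install an extra CA for syft without writing to /etc/ssl/certs,
# so it also works when the syft image runs as a non-root user.
# Assumptions (not from the issue): the extra CA arrives in EXTRA_CA_PEM and
# the caller picks a directory the job user can write to.

# Constructed placeholder; a real job would receive a genuine PEM block here.
EXTRA_CA_PEM="${EXTRA_CA_PEM:-"-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----"}"

# install_extra_ca <target_dir>
# Builds <target_dir>/ca-certificates.crt from the image's existing bundle (if
# readable) plus the extra CA, then points syft at it via SYFT_REGISTRY_CA_CERT
# and the Go runtime at it via SSL_CERT_FILE. Never touches /etc/ssl/certs.
# Prints the bundle path; returns 1 if <target_dir> is missing or read-only.
install_extra_ca() {
  dir="$1"
  [ -d "$dir" ] && [ -w "$dir" ] || return 1
  bundle="$dir/ca-certificates.crt"
  : > "$bundle" || return 1
  # Keep the image's trust store so public registries still verify.
  if [ -r /etc/ssl/certs/ca-certificates.crt ]; then
    cat /etc/ssl/certs/ca-certificates.crt >> "$bundle"
  fi
  printf '%s\n' "$EXTRA_CA_PEM" >> "$bundle"
  chmod 0644 "$bundle"
  export SYFT_REGISTRY_CA_CERT="$bundle"   # syft: registry.ca-cert
  export SSL_CERT_FILE="$bundle"           # honoured by Go's crypto/x509
  echo "$bundle"
}

# Counts PEM certificates in a bundle, to sanity-check the result.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Usage in the CI job (CI_PROJECT_DIR is writable for the job user):
# install_extra_ca "${CI_PROJECT_DIR:-/tmp}"
```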