A comprehensive demonstration project showcasing the differences between container vulnerability scanners and the efficiency gains from SBOM-based scanning approaches.
This project demonstrates the discrepancies between different vulnerability scanners (Trivy, Grype) and explores how SBOM (Software Bill of Materials) generation can improve scanning efficiency while maintaining accuracy. It also includes supply chain security demonstrations using Sigstore and Cosign.
- Scanner Comparison: Side-by-side vulnerability scanning with Trivy and Grype
- SBOM Efficiency: Performance comparison between direct image scanning and SBOM-based scanning
- Supply Chain Security: Metadata manipulation impact on vulnerability detection and signature verification
- Cross-platform Analysis: Scanning across different base images (Alpine, Debian, Ubuntu, Wolfi)
Before running the scripts, ensure you have the following tools installed:
- docker - Container runtime
- trivy - Vulnerability scanner
- grype - Vulnerability scanner
- syft - SBOM generator
- cosign - Supply chain security tool
- jq - JSON processor
Verify all tools are installed correctly:

```bash
docker --version
trivy --version
grype version
syft version
cosign version
jq --version
```

Compare vulnerability scanners across default base images:

```bash
./compare.sh
```

This will scan Alpine, Debian, Ubuntu, and Wolfi base images using both Trivy and Grype, generating a comprehensive comparison report.
Scan specific images listed in a file:

```bash
./compare.sh --image-file images.txt
```

The images.txt file should contain one image per line:

```
alpine:3.18
python:3.12-alpine
node:18-alpine
```
Generate SBOMs first, then scan for improved performance:

```bash
# Initial run (generates SBOMs and scans)
./syft-compare.sh

# Subsequent runs using existing SBOMs (much faster)
./syft-compare.sh --use-existing
```

Demonstrate metadata manipulation and signature verification:

```bash
./sigstore-demo.sh
```

This script shows how:
- Image metadata manipulation affects vulnerability detection
- Cosign signature verification detects tampering
- Supply chain integrity can be maintained

Show how metadata changes can hide vulnerabilities:

```bash
./metadata-fix.sh
```

The scripts generate organized results in timestamped directories:
```text
scanner_results_YYYYMMDD_HHMMSS/
├── comparison_report.md   # Detailed comparison analysis
├── trivy_results/         # Trivy scan outputs
├── grype_results/         # Grype scan outputs
└── summary_table.txt      # Quick reference table

sbom_scanner_results_YYYYMMDD_HHMMSS/
├── syft-sboms/            # Generated SBOM files
├── trivy_sbom_results/    # Trivy SBOM scan results
├── grype_sbom_results/    # Grype SBOM scan results
└── comparison_report.md   # SBOM-based analysis
```
- Different vulnerability databases lead to varying results
- Trivy and Grype may disagree on vulnerability counts and severities
- No single scanner provides complete coverage

- Performance: 5-10x faster scanning after initial SBOM generation
- Consistency: Same vulnerability results as direct image scanning
- Portability: SBOMs can be shared and scanned offline
- Compliance: Meet SBOM requirements (NTIA, EO 14028)

- Metadata manipulation can hide vulnerabilities from scanners
- Digital signatures (Cosign) detect tampering attempts
- Trust verification is essential for supply chain integrity
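As an added example (not one of the project's own scripts), the following Python diffs a Trivy JSON report against a Grype JSON report for the same image, surfacing the count and severity disagreements described above. The two sample reports are constructed placeholders; the field names assume the layout of `trivy image -f json` and `grype -o json` output.

```python
"""Diff a Trivy JSON report against a Grype JSON report for the same image."""
import json
from collections import Counter

# Constructed sample reports (not real scan output). Field names follow the
# JSON layouts Trivy and Grype emit; the CVE ids, packages and severities
# here are placeholders chosen to exercise each kind of disagreement.
TRIVY_JSON = json.dumps({"Results": [{"Target": "alpine:3.18", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcrypto3", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "Severity": "LOW"},
]}]})
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"}, "artifact": {"name": "libssl3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"}, "artifact": {"name": "libcrypto3"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"}, "artifact": {"name": "zlib"}},
]})

def trivy_findings(raw):
    """Return {(cve, package): SEVERITY} from a Trivy JSON report."""
    out = {}
    for result in json.loads(raw).get("Results", []):
        # Trivy emits null instead of [] when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            out[(v["VulnerabilityID"], v["PkgName"])] = v["Severity"].upper()
    return out

def grype_findings(raw):
    """Return {(cve, package): SEVERITY} from a Grype JSON report."""
    out = {}
    for m in json.loads(raw).get("matches", []):
        # Grype uses mixed case ("High"); normalise so severities compare equal.
        out[(m["vulnerability"]["id"], m["artifact"]["name"])] = m["vulnerability"]["severity"].upper()
    return out

def compare(trivy, grype):
    """Summarise findings unique to one scanner and severity disagreements on shared ones."""
    keys_t, keys_g = set(trivy), set(grype)
    common = keys_t & keys_g
    return {
        "only_trivy": sorted(keys_t - keys_g),
        "only_grype": sorted(keys_g - keys_t),
        "severity_mismatch": sorted(k for k in common if trivy[k] != grype[k]),
        "trivy_by_severity": dict(Counter(trivy.values())),
        "grype_by_severity": dict(Counter(grype.values())),
    }

if __name__ == "__main__":
    print(json.dumps(compare(trivy_findings(TRIVY_JSON), grype_findings(GRYPE_JSON)), indent=2))
```

On real data, replace the two constants with the contents of `trivy image -f json -o trivy.json <image>` and `grype <image> -o json > grype.json`.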
This project is ideal for demonstrating:
- DevSecOps Training: Understanding scanner limitations and SBOM benefits
- Security Workshops: Hands-on vulnerability management
- Supply Chain Security: Real-world threat scenarios
- Compliance Education: SBOM generation and management
- Tool Evaluation: Comparing different security scanners
Feel free to:
- Add new base images to test
- Include additional vulnerability scanners
- Enhance the reporting format
- Submit bug fixes or improvements
This project is intended for educational and demonstration purposes. Please ensure compliance with your organization's security policies when using these tools and techniques.
EdgeCase 2025 - Exploring the edge cases in container security scanning and supply chain management.