Use Pack to export your image to disk in OCI layout format

Juan Bustamante
Published in Buildpacks
Sep 27, 2023

In pack v0.30.0 we added the experimental capability to export your application images to disk in OCI layout format. This gives end users the freedom to inspect or modify their images before they are pushed to a remote registry.

Let’s take a look at an example of how this might be valuable. After following the steps to export the sample Java application to OCI layout format on disk, we end up with something similar to:

sample-app
├── blobs
│   └── sha256
│       ├── 141bfb0cd434d425bc70edb9e56ea11d07aed76450eb0e73e6110645f251a8d3
│       ├── 2fa192256ce255c6ea6c1296eadfe2feba8094f40e6aa85e699645caca2e85d8
│       ├── 5a44e4f7b58d74fe6f92dd7028075c91191128d1e2e7f39846fe061a9a98836e
│       ├── 72d9f18d70f395ff9bfae4d193077ccea3ca583e3da3dd66f5c84520c0100727
│       ├── 827746ec7ba80f4e4811b6c9195b6f810fbc2d58a6c9cc337bf0305791f24e97
│       ├── ad13830c92258c952f25d561d8bf7d9eb58b8a3003960db1502cbda8239130b5
│       ├── b97b58b190d5f731c879b0f7446a2bd554863b51851e03757199c74dd922ce61
│       ├── c44222730efa142cd5bedc0babf82a9a07d325494be7f5c3cfde56f43166b65f
│       ├── e1048fb89c3194a1f0542c0847aa086a7034dd7867c48fe8c93675cf36f90610
│       ├── f0a30c5bc44742065b1b4ffa95271a39994f05ba7a03dd7e7143d1d3e45fa0b1
│       └── f9d6350d0c44c0e7165a522155f53181ce8c163a6b8ead1f6baea22d1a8d8a78
├── index.json
└── oci-layout

3 directories, 13 files
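
As an added example (not part of the original post and not pack's own code), here is a Python check that walks such a layout before the image leaves the machine: it follows index.json to each manifest, then to the config and layer blobs, and confirms every referenced blob exists and hashes to the digest in its filename. The sample layout it builds in a temp directory is constructed for the demonstration, not real pack output, and the manifest shape is the minimal subset of an OCI image manifest (config plus layers) that the check needs.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def _put_blob(blobs: Path, data: bytes) -> str:
    """Store data as blobs/sha256/<hex digest> and return its 'sha256:<hex>' reference."""
    hexdigest = hashlib.sha256(data).hexdigest()
    (blobs / hexdigest).write_bytes(data)
    return "sha256:" + hexdigest

def build_sample_layout(tamper: bool = False) -> Path:
    """Constructed sample layout in a temp dir (not real pack output): one manifest, one config, two layers."""
    root = Path(tempfile.mkdtemp())
    blobs = root / "blobs" / "sha256"
    blobs.mkdir(parents=True)
    config = _put_blob(blobs, b'{"architecture":"amd64","os":"linux"}')
    layers = [_put_blob(blobs, b"layer-one-tar-gzip-bytes"), _put_blob(blobs, b"layer-two-tar-gzip-bytes")]
    manifest = {"schemaVersion": 2, "config": {"digest": config}, "layers": [{"digest": d} for d in layers]}
    manifest_ref = _put_blob(blobs, json.dumps(manifest).encode())
    if tamper:  # edit a layer in place: the filename keeps the old digest, the content no longer matches
        (blobs / layers[1].split(":")[1]).write_bytes(b"modified layer bytes")
    (root / "oci-layout").write_text(json.dumps({"imageLayoutVersion": "1.0.0"}))
    (root / "index.json").write_text(json.dumps({"schemaVersion": 2, "manifests": [{"digest": manifest_ref}]}))
    return root

def verify_oci_layout(root: Path) -> list:
    """Return integrity problems; empty means every blob reachable from index.json exists and matches its digest."""
    problems = []
    blobs = root / "blobs" / "sha256"

    def load(digest: str):
        # Resolve 'sha256:<hex>' to blobs/sha256/<hex>, then re-hash the content against the filename.
        algo, _, hexdigest = digest.partition(":")
        path = blobs / hexdigest
        if algo != "sha256" or not path.is_file():
            problems.append(f"missing blob {digest}")
            return None
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != hexdigest:
            problems.append(f"content does not match digest {digest}")
        return data

    index = json.loads((root / "index.json").read_text())
    for desc in index.get("manifests", []):  # each entry points at an image manifest blob
        raw = load(desc["digest"])
        if raw is not None:
            manifest = json.loads(raw)
            for d in [manifest["config"], *manifest.get("layers", [])]:
                load(d["digest"])
    return problems
```

A non-empty problem list (a blob rewritten in place, or one that is missing) is the signal to stop the pipeline before the push rather than after.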

Now we can use a tool like grype to scan the Java application image and detect any vulnerabilities before pushing it to the registry or promoting it to the next stage of our CI/CD pipeline.

> grype oci-dir:sample-app/
✔ Vulnerability DB [no update available]
New version of grype is available: 0.66.0 (currently running: 0.57.1)
✔ Parsed image
✔ Cataloged packages [228 packages]
✔ Scanned image [87 vulnerabilities]

NAME              INSTALLED               FIXED-IN  TYPE          VULNERABILITY   SEVERITY
bash              5.1-6ubuntu1                      deb           CVE-2022-3715   Low
coreutils         8.32-4.1ubuntu1                   deb           CVE-2016-2781   Low
gcc-12-base       12.3.0-1ubuntu1~22.04             deb           CVE-2022-27943  Low
gpgv              2.2.27-3ubuntu2.1                 deb           CVE-2022-3219   Low
jackson-databind  2.9.10.6                          java-archive  CVE-2020-25649  High
jackson-databind  2.9.10.6                          java-archive  CVE-2020-35490  High

In this way, we avoid having to remove a vulnerable image after it has already been stored in a registry (and potentially pulled by other systems).

Please join our Slack channel if you’d like to share comments about this feature, or if you’d like to discuss other interesting use cases you have for a local OCI image.

If you want to know more, you can find all the details in the Pack documentation.

Join the Buildpack community

We are excited to hear from you and learn with you! Here are several ways you can get involved:

  • Join Buildpack’s Slack channel, #buildpacks in the CNCF workspace, and connect with Buildpack’s users.
  • Find us on GitHub. Suggest how we can improve the project, the docs, or share any other feedback.
  • Attend our Community Meetings! Check out the Community page for full details on how to attend.