Anchore OSS Monthly Newsletter - October 2024
“I think it’s awesome how in touch with the community you guys are.” - Adam McClenaghan
Welcome to the first newsletter from the Anchore OSS team behind Syft, Grype, Grant and friends.
We wanted to have somewhere that people could catch-up with what’s going on around here! The goal is to give a review of last month including releases, community contributions and some stats. Here goes!
Feedback/replies welcome!
To kick things off, I’ve picked out a couple of interactions that the team appreciated from the last month.
Community Meeting
We regularly run a Zoom call where members of the community can join and ask questions, chase PRs or just hang out and listen. Separately we also live stream “Open Source Gardening” sessions for an hour each Thursday. Mostly we’re addressing issues that “Need discussion”.
Mostly the gardening session is an opportunity for us to live stream something we do anyway - reviewing and discussing issues. The stream itself doesn’t get a ton of views or engagement while it’s live, but the numbers creep up once it’s published. We’re not surprised by this, because we know the stream is very ‘inside baseball’ - we’re not streaming Minecraft or politics, so it has limited appeal among the wider world.
However, this month Adam McClenaghan joined our community Zoom call to request that we discuss his PRs 3360 and 3333 during our gardening session. We did so on the last stream of the month. Adam mentioned that he’d catch up with the video the next day, probably at double-speed, for expediency!
So, if you’re ever thinking that nobody is watching your live stream, and nobody will, don’t worry about it. Your engaged community will find it, and consume when it’s convenient for them. Adam also gave us the lovely feedback you’ll find at the top of this month’s newsletter.
We gained a new contributor via a thread on Reddit this month.
In a (now deleted) post in /r/Terraform, a user asked:
Hi terraform experts, I’m struggling to find a tool that I can use to automatically generate an SBOM file for terraform dependencies. So far I tried some tools like syft, trivy, cyclonedx-cli… They all seem to generate an sbom for Docker, system files etc… but fail to capture terraform modules/providers and their versions. If necessary, I will surely write my own script for it, but I thought such a tool must exist by now, right?
I jumped in to let them know there’s an issue already filed about this. Reddit user ghouscht saw this, and prepped a PR, making their first contribution to Syft. Nice one!
New Contributors 
We couldn’t build these tools without new and returning developers contributing to our projects.
We had 16 new contributors to Anchore Open Source projects in October 2024!
So a massive thanks to the following people who took the time to contribute for the first time this month:
Artemii, Joel Rudsberg, Christof Renner, 2rigor, ps-e, Thomas Gosteli, Paul Tader, Ariel Miculas-Trif, Nathan Voss, Piyush Bhaskar, HeyeOpenSource, Timotej Ecimovic, Adnan Gulegulzar, Piotr Radkowski, deftdawg, and Niv Govrin.
Thanks to everyone who contributes to our community-maintained code, discusses topics on our discourse, engages with us on social media, and talks to us at events.
In case you missed them, here’s a recap of all our OSS releases from October 2024.
OSS Team Meetup
October kicked off with the Open Source team meeting in person in Richmond, Virginia. As a fully remote team, for many of us this was the first time we had met in person. We spent much of the ~3 day event holed up in a room together discussing and planning the future of the Open Source tools at Anchore. A lot of this was internal team and company chat, but we also spent a lot of time doing blue-sky thinking on how we all wanted to make Syft and Grype the best in class tools.
A lot of thinking was done, some of it in the “ThinkPod”.
This was also a great opportunity for us to hang out, socialise and build our relationships, which was probably one of the more valuable parts of the week for me, having never met anyone on the team before.
All Things Open
October closed out with our attendance at All Things Open. I’ve already written this up in a trip report. Catch the details there.
In short, excellent venue, organisation, and interested visitors to our booth.
10/10 - would exhibit again!
Blog posts published by the team in this month:
- Preparing for a critical vulnerability | Anchore by @joshbressers
- Who watches the watchmen? Introducing yardstick validate | Anchore by @willmurphy
- Grype Support for Azure Linux 3 released | Anchore by @willmurphy
We ran three “Open Source Gardening” streams in October. Catch up with them below:
- 10th Oct | Open Source Gardening | Live with Anchore Devs
- 17th Oct | Open Source Gardening | Live with Anchore Devs
- 31st Oct | Open Source Gardening | Live Stream
We missed the first week while we all attended the in-person OSS Team Meetup.
Ecosystem Update 
Here we’re showcasing active 3rd party tools, utilities and products built on top of, and enabled with our Open Source tools. In addition, we’re giving thanks, and signposting other tools, libraries and projects that we use in the making of our Open Source tools.
Building on Anchore OSS 
MegaLinter is "an Open-Source tool for CI/CD workflows that analyzes the consistency of your code, IAC, configuration, and scripts in your repository sources, to ensure all your projects sources are clean and formatted whatever IDE/toolbox is used by their developers, powered by OX Security."
MegaLinter integrates a host of other tools to make one “Mega” CI/CD linting utility. That includes Syft integration.
Giving Thanks 
This month, we’d like to show appreciation for Lip Gloss from Charm (bracelet).
If you’ve ever run Syft or Grype interactively, in a modern terminal, you’ll likely have seen lipgloss in action. The animations, colo(u)r and formatting used in our output come courtesy of the lipgloss library. Here’s a quick gif/video (at 75% speed for readability) showing it off, for those who haven’t seen it.
The above gif was made with another Charm (bracelet) project, VHS, which is also worth a look!
If there’s anything extra you’d like to see in the newsletter, leave a comment or DM me.