Does Syft copy the files to a temp directory or read them in from memory?

Hi,
Some scanning tools copy the files of a .tar / fs to a tmp directory and read them there. I wanted to ask if Syft copies the files to a tmp directory or just reads them from the disk?

Thanks!

Syft does both things depending on the function. If you scan a container, initially Syft does the equivalent of a docker save → decompress, to get a set of plain .tar files for the layers – these tar files are put in a temp directory and read directly without being expanded. However, while scanning these and other files, Syft may expand a .zip file to a temp directory, or download a file that only resides in memory while populating Maven artifacts. So… it depends, but generally things are saved to a temp directory.

Thanks for the answer,
Can you let me know in which directories Syft expands the files?

Syft uses a temporary directory in the OS’s typical temp directory. On macOS, this might be something like: /var/folders/jc/d7fdgsd000a9cb4d0gn/T/ or on Linux: /tmp, or defined in the TMPDIR environment variable, etc… Syft then creates unique subdirectories in that temp directory, so you will see things like stereoscope-2646033724 or syft-archive-contents-1222475443, which are cleaned up before Syft exits.
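The following is an added example, not code from Syft or the stereoscope library. It shows in Go (Syft's own language) the temp-directory pattern the answer describes: `os.TempDir` resolves the root (honouring `TMPDIR` on Unix, falling back to `/tmp`), `os.MkdirTemp` creates a uniquely named subdirectory such as `<prefix>-<random>`, and cleanup removes it before exit. It also adds two checks a practitioner would want: a guard against an archive entry writing outside the scratch directory, and `FindLeftovers`, which lists scratch directories that survived an interrupted run. The prefix `example-archive-contents-` and the file contents are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ScratchDir is a unique subdirectory under the OS temp root, mirroring the
// naming pattern from the thread (e.g. syft-archive-contents-1222475443).
type ScratchDir struct {
	Path string
}

// TempRoot reports where scratch directories will land. On Unix, os.TempDir
// returns $TMPDIR if set, otherwise /tmp, which matches the answer above.
func TempRoot() string {
	return os.TempDir()
}

// NewScratchDir creates a uniquely named subdirectory under TempRoot().
// The caller must call Remove when done, or the extracted contents stay on disk.
func NewScratchDir(prefix string) (*ScratchDir, error) {
	p, err := os.MkdirTemp("", prefix)
	if err != nil {
		return nil, err
	}
	return &ScratchDir{Path: p}, nil
}

// Remove deletes the scratch directory and everything written into it.
func (s *ScratchDir) Remove() error {
	return os.RemoveAll(s.Path)
}

// WriteFile stores an extracted archive entry inside the scratch directory,
// refusing entry names that would resolve outside it (absolute paths or "../").
func (s *ScratchDir) WriteFile(name string, data []byte) (string, error) {
	clean := filepath.Clean(name)
	if filepath.IsAbs(clean) || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", errors.New("refusing entry outside scratch dir: " + name)
	}
	full := filepath.Join(s.Path, clean)
	if err := os.MkdirAll(filepath.Dir(full), 0o700); err != nil {
		return "", err
	}
	return full, os.WriteFile(full, data, 0o600)
}

// FindLeftovers lists directories under the temp root whose names start with
// prefix. After a clean exit this should be empty; entries here mean a scan was
// interrupted before cleanup and the expanded content is still on disk.
func FindLeftovers(prefix string) ([]string, error) {
	entries, err := os.ReadDir(TempRoot())
	if err != nil {
		return nil, err
	}
	var out []string
	for _, e := range entries {
		if e.IsDir() && strings.HasPrefix(e.Name(), prefix) {
			out = append(out, filepath.Join(TempRoot(), e.Name()))
		}
	}
	return out, nil
}

func main() {
	const prefix = "example-archive-contents-" // constructed name for the demo
	fmt.Println("temp root:", TempRoot())

	sd, err := NewScratchDir(prefix)
	if err != nil {
		panic(err)
	}
	fmt.Println("scratch dir:", sd.Path)

	// Constructed archive entries: one legitimate, one that tries to escape.
	if _, err := sd.WriteFile("lib/app.jar", []byte("not a real jar")); err != nil {
		panic(err)
	}
	if _, err := sd.WriteFile("../escape.txt", []byte("x")); err != nil {
		fmt.Println("rejected:", err)
	}

	left, _ := FindLeftovers(prefix)
	fmt.Println("scratch dirs present before cleanup:", len(left))
	if err := sd.Remove(); err != nil {
		panic(err)
	}
	left, _ = FindLeftovers(prefix)
	fmt.Println("scratch dirs present after cleanup:", len(left))
}
```

To confine a scanner's scratch space to a dedicated mount (for example a tmpfs with a size limit and `noexec`), set `TMPDIR` to that mount before running it; `TempRoot()` reflects the change immediately, and `FindLeftovers` run after the job is a cheap check that nothing expanded from an archive was left behind.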