Container Image Security with Thoth

Container Image Security Guidance

Thoth can also provide security guidance for container images available for your application with the command:

thamos images

Each entry stated in the output can be set as a base_image in .thoth.yaml in the respective runtime environment section and used as a base for running the Python applications.

Project Thoth offers container image analyses that introspect what is present in the container image. Notably, it can extract:

  • Information about the operating system

  • Information about RPM packages that are present in the container image

  • Python packages that are present in the container image and their locations, if multiple virtual environments are available

  • Python interpreters and their available versions

  • Information about the ABI provided

  • Container image metadata as extracted by Skopeo

  • Information about other libraries, such as the CUDA version (GPU software) available

All these data can give you insights on the software that is available for use. Together with static analysis of container images as performed by Quay Clair, Thoth guides also on the base container image security.

Thoth’s resolver can consider the results of container image analyses listed earlier, along with available hardware and requirements for your application. This way, the resolution process can come up with the best possible software for the given application.