Tern is an inspection tool to find the metadata of the packages installed in a container image. It runs scripts from the "command library" against the container and collates the information into a Bill of Materials (BOM) report. Tern gives you a deeper understanding of your container's bill of materials so you can make better decisions about your container based infrastructure, integration and deployment strategies.
- FAQ
- Getting Started
- Project Status
- Documentation
- Contributing
- Glossary of Terms
- Architecture
- Navigating the Code
Tern is currently developed on a Linux distro with a kernel version >= 4.0. Possible development distros are Ubuntu 16.04 or newer or Fedora 25 or newer. Install the following:
- Git (Installation instructions can be found here: https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
- attr (sudo apt-get install attr or sudo dnf install attr)
- Python 3.6.2 (sudo apt-get install python3.6 or sudo dnf install python36)
If you happen to be using Docker containers
- Docker CE (Installation instructions can be found here: https://docs.docker.com/engine/installation/#server)
Make sure the docker daemon is running.
$ python3 -m venv ternenv
$ cd ternenv
$ git clone https://github.com/vmware/tern.git
$ source bin/activate
$ cd tern
$ git checkout -b release v0.1.0
$ pip install -r requirements.txt
If you have a Docker image pulled locally and want to inspect it
$ ./tern report -i debian:jessie
Take a look at report.txt to see what packages are installed in the Docker image and how Tern got this information. If you encounter any errors, please file an issue.
You can run Tern against a Dockerfile. Tern will build the image for you and then analyze it with respect to the Dockerfile
$ ./tern report -d samples/photon_git/Dockerfile
Take a look at report.txt to see what packages are installed in the created Docker image and how Tern got this information. Feel free to try this out on the other sample Dockerfiles in the samples directory or on Dockerfiles you may be working with. If it doesn't work for you, please file an issue.
To get just a list of packages, you can use the -s option to get a summary report.
$ ./tern report -s -d samples/photon_git/Dockerfile
WARNING: Tern is meant to give guidance on what may be installed in a container image, so it is recommended that for the purpose of investigation, the default report is used. The summary report may be used as the output of a build artifact or something to submit to a compliance or legal team.
To get the results in a YAML file to be consumed by a downstream tool or script
$ ./tern report -Y -i debian:jessie
To get the results in a JSON file for web use
$ ./tern report -J -i debian:jessie
$ cd ternenv
$ source bin/activate
$ git clone https://github.com/vmware/tern.git
$ cd tern
$ export PYTHONPATH=`pwd`
$ python tests/<test file>.py
Release 0.1.0 is here! Please see the release notes for details.
We try to keep the project roadmap as up to date as possible. We are currently working on Release 0.2.0
Architecture, function blocks, code descriptions and the project roadmap are located in the docs folder. We also welcome contributions to the documentation. See the contributing guide to find out how to submit changes.
Do you have questions about Tern? Do you think it can do better? Would you like to make it better? You can get involved by giving your feedback and contributing to the code, documentation and conversation!
Please read our code of conduct first.
Next, take a look at the contributing guide to find out how you can start.