Restoration · January 19, 2026 02:10
diff --git a/gistfile1.txt b/gistfile1.txt
 #!/usr/bin/env bash
 set -euo pipefail

 # Usage:
 #   ./tools/capture-image-evidence.sh node:22.20-slim [optional_tag]
 #
 # Example:
 #   ./tools/capture-image-evidence.sh node:22.17-slim old
 #   ./tools/capture-image-evidence.sh node:22.20-slim new

 IMAGE="${1:?image is required (e.g. node:22.20-slim)}"
 TAG="${2:-}"

 ts="$(date -u +%Y%m%dT%H%M%SZ)"
 safe_image="$(echo "$IMAGE" | sed 's#[/:]#_#g')"
 out="reports/${ts}/${safe_image}${TAG:+__${TAG}}"

 mkdir -p "$out"

 echo "[1/6] Pull & identify digest"
 docker pull "$IMAGE" >/dev/null

 # RepoDigest is strongest evidence that this exact image was used
 digest="$(docker image inspect "$IMAGE" --format '{{index .RepoDigests 0}}' 2>/dev/null || true)"
 echo "${digest:-NO_REPODIGEST}" > "$out/repo_digest.txt"

 echo "[2/6] Image metadata (inspect)"
 docker image inspect "$IMAGE" > "$out/image_inspect.json"

 echo "[3/6] Runtime fingerprint (node/os)"
 {
  echo "IMAGE=$IMAGE"
  echo "REPO_DIGEST=${digest:-}"
  docker run --rm "$IMAGE" node -v
  docker run --rm "$IMAGE" node -p "process.versions"
  docker run --rm "$IMAGE" sh -lc 'cat /etc/os-release || true'
 } > "$out/runtime_fingerprint.txt"

 echo "[4/6] dpkg list (OS packages)"
 docker run --rm "$IMAGE" sh -lc \
  "dpkg-query -W -f='\${Package}\t\${Version}\n' 2>/dev/null | sort || true" \
  > "$out/dpkg_list.tsv"

 echo "[5/6] SBOM (syft preferred; fallback to trivy sbom)"
 if command -v syft >/dev/null 2>&1; then
  syft "$IMAGE" -o spdx-json="$out/sbom.spdx.json" >/dev/null
 else
  # Requires trivy >= that supports `trivy sbom`
  trivy sbom --format spdx-json --output "$out/sbom.spdx.json" "$IMAGE" >/dev/null
 fi

 echo "[6/6] Vulnerability scan (trivy)"
 # IMPORTANT: フルのJSONを残す（後で比較・監査ができる）
 trivy image --format json --output "$out/trivy_vuln.json" "$IMAGE" >/dev/null || true

 echo "Done: $out"
	#!/usr/bin/env bash
	set -euo pipefail

	# Usage:
	# ./tools/capture-image-evidence.sh node:22.20-slim [optional_tag]
	#
	# Example:
	# ./tools/capture-image-evidence.sh node:22.17-slim old
	# ./tools/capture-image-evidence.sh node:22.20-slim new

	IMAGE="${1:?image is required (e.g. node:22.20-slim)}"
	TAG="${2:-}"

	ts="$(date -u +%Y%m%dT%H%M%SZ)"
	safe_image="$(echo "$IMAGE" \| sed 's#[/:]#_#g')"
	out="reports/${ts}/${safe_image}${TAG:+__${TAG}}"

	mkdir -p "$out"

	echo "[1/6] Pull & identify digest"
	docker pull "$IMAGE" >/dev/null

	# RepoDigest is strongest evidence that this exact image was used
	digest="$(docker image inspect "$IMAGE" --format '{{index .RepoDigests 0}}' 2>/dev/null \|\| true)"
	echo "${digest:-NO_REPODIGEST}" > "$out/repo_digest.txt"

	echo "[2/6] Image metadata (inspect)"
	docker image inspect "$IMAGE" > "$out/image_inspect.json"

	echo "[3/6] Runtime fingerprint (node/os)"
	{
	echo "IMAGE=$IMAGE"
	echo "REPO_DIGEST=${digest:-}"
	docker run --rm "$IMAGE" node -v
	docker run --rm "$IMAGE" node -p "process.versions"
	docker run --rm "$IMAGE" sh -lc 'cat /etc/os-release \|\| true'
	} > "$out/runtime_fingerprint.txt"

	echo "[4/6] dpkg list (OS packages)"
	docker run --rm "$IMAGE" sh -lc \
	"dpkg-query -W -f='\${Package}\t\${Version}\n' 2>/dev/null \| sort \|\| true" \
	> "$out/dpkg_list.tsv"

	echo "[5/6] SBOM (syft preferred; fallback to trivy sbom)"
	if command -v syft >/dev/null 2>&1; then
	syft "$IMAGE" -o spdx-json="$out/sbom.spdx.json" >/dev/null
	else
	# Requires trivy >= that supports `trivy sbom`
	trivy sbom --format spdx-json --output "$out/sbom.spdx.json" "$IMAGE" >/dev/null
	fi

	echo "[6/6] Vulnerability scan (trivy)"
	# IMPORTANT: フルのJSONを残す（後で比較・監査ができる）
	trivy image --format json --output "$out/trivy_vuln.json" "$IMAGE" >/dev/null \|\| true

	echo "Done: $out"
No results found