
Image Extras installable feature

⚠ Optional Feature

This feature is not pre-installed in Kloud Workspace. Install it using the features system before use.

A bundle of four image-investigation tools. Generate an SBOM, scan container images for known vulnerabilities, and inspect image layers.

Installation

Install the bundle using the features system:

sh
# Manual installation
ws feature install image-extras

# Or at boot time
docker run \
  -e WS_FEATURES_ADDITIONAL_FEATURES="image-extras" \
  ghcr.io/kloudkit/workspace:v0.2.1

What's Included

The image-extras feature installs four CLIs to /usr/local/bin:

  • syft: Generate a Software Bill of Materials (SBOM) for a container image, directory, or filesystem, in syft's own JSON format or in SPDX and CycloneDX.
  • grype: Vulnerability scanner. Reads an SBOM produced by syft (or scans an image directly) and matches its packages against grype's vulnerability database.
  • dive: Interactive TUI for exploring a container image's layers and discovering bloat.
  • osv-scanner: Google's vulnerability scanner backed by the OSV database. Reads SPDX or CycloneDX SBOMs, and attributes findings to image layers when it scans an image directly.

Typical Workflow

sh
# Generate the SBOM once (cacheable). syft's own JSON keeps the most detail for grype,
# while osv-scanner only reads SPDX or CycloneDX, so write both formats in one pass.
syft ghcr.io/kloudkit/workspace:dev -o json=sbom.syft.json -o cyclonedx-json=sbom.cdx.json

# Scan the SBOM against current vulnerability feeds.
# --only-fixed hides findings that have no fixed version available yet.
grype sbom:sbom.syft.json --only-fixed

# Second opinion against the OSV database, from the CycloneDX copy of the same SBOM
osv-scanner --sbom sbom.cdx.json

# Layer attribution requires scanning the image itself rather than an SBOM
osv-scanner scan image ghcr.io/kloudkit/workspace:dev

# Inspect image layers interactively
dive ghcr.io/kloudkit/workspace:dev
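A "second opinion" is only useful if the two scanners' findings can be lined up. grype and osv-scanner often report the same issue under different identifiers (a GHSA or distro advisory on one side, the CVE on the other), so a naive diff of their output overstates disagreement. The script below is an added example, not part of the image-extras feature or of either tool: it reads the JSON reports that `grype -o json` and `osv-scanner --format json` write, reduces each finding to (package@version, CVE) pairs using the aliases each tool carries, and reports what both agree on versus what only one found. The two embedded reports are constructed samples with placeholder package names and CVE ids that mimic each tool's JSON shape; only the fields the script touches are included.

```python
"""Cross-check grype and osv-scanner findings by CVE id.

Added example; not code from the image-extras feature, grype or osv-scanner.
Replace the two constructed samples with json.load() of the real reports.
"""
import json

# Constructed sample in the shape of `grype -o json` (only the fields used here).
# Placeholder package names and CVE ids; not real findings.
GRYPE_JSON = """
{
  "matches": [
    {"vulnerability": {"id": "CVE-2024-0001", "severity": "High",
                       "fix": {"versions": ["1.0.1"], "state": "fixed"}},
     "relatedVulnerabilities": [],
     "artifact": {"name": "pkg-a", "version": "1.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2024-0002", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "relatedVulnerabilities": [],
     "artifact": {"name": "pkg-a", "version": "1.0.0", "type": "deb"}},
    {"vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx", "severity": "Critical",
                       "fix": {"versions": ["2.3.5"], "state": "fixed"}},
     "relatedVulnerabilities": [{"id": "CVE-2024-0003"}],
     "artifact": {"name": "pkg-b", "version": "2.3.4", "type": "npm"}}
  ]
}
"""

# Constructed sample in the shape of `osv-scanner --format json`.
OSV_JSON = """
{
  "results": [
    {"source": {"path": "sbom.cdx.json", "type": "sbom"},
     "packages": [
       {"package": {"name": "pkg-a", "version": "1.0.0", "ecosystem": "Debian"},
        "vulnerabilities": [
          {"id": "GHSA-yyyy-yyyy-yyyy", "aliases": ["CVE-2024-0001"]},
          {"id": "CVE-2024-0004", "aliases": []}
        ]},
       {"package": {"name": "pkg-b", "version": "2.3.4", "ecosystem": "npm"},
        "vulnerabilities": [
          {"id": "CVE-2024-0003", "aliases": ["GHSA-xxxx-xxxx-xxxx"]}
        ]}
     ]}
  ]
}
"""

GRYPE_REPORT = json.loads(GRYPE_JSON)
OSV_REPORT = json.loads(OSV_JSON)


def cve_ids(ids):
    """Keep only CVE ids; GHSA/DSA/... are aliases of the same issue."""
    return {i.upper() for i in ids if i.upper().startswith("CVE-")}


def grype_findings(report):
    """name@version -> set of CVE ids grype reported for that package."""
    out = {}
    for m in report["matches"]:
        key = f"{m['artifact']['name']}@{m['artifact']['version']}"
        ids = {m["vulnerability"]["id"]}
        # When the primary id is a GHSA or distro advisory, grype lists the
        # underlying CVE under relatedVulnerabilities.
        ids.update(r["id"] for r in m.get("relatedVulnerabilities", []))
        out.setdefault(key, set()).update(cve_ids(ids))
    return out


def osv_findings(report):
    """name@version -> set of CVE ids osv-scanner reported for that package."""
    out = {}
    for result in report["results"]:
        for pkg in result["packages"]:
            key = f"{pkg['package']['name']}@{pkg['package']['version']}"
            ids = set()
            for v in pkg["vulnerabilities"]:
                ids.add(v["id"])
                ids.update(v.get("aliases", []))  # OSV entries carry the CVE as an alias
            out.setdefault(key, set()).update(cve_ids(ids))
    return out


def fixable(report):
    """(name@version, CVE) pairs grype marks as fixed: what --only-fixed keeps."""
    return {(f"{m['artifact']['name']}@{m['artifact']['version']}", c)
            for m in report["matches"]
            if m["vulnerability"]["fix"]["state"] == "fixed"
            for c in cve_ids({m["vulnerability"]["id"]}
                             | {r["id"] for r in m.get("relatedVulnerabilities", [])})}


def compare(grype, osv):
    """Split (name@version, CVE) pairs into agreed, grype-only and osv-only."""
    g = {(k, c) for k, cs in grype.items() for c in cs}
    o = {(k, c) for k, cs in osv.items() for c in cs}
    return {"both": g & o, "grype_only": g - o, "osv_only": o - g}


if __name__ == "__main__":
    result = compare(grype_findings(GRYPE_REPORT), osv_findings(OSV_REPORT))
    for bucket, pairs in result.items():
        for pkg, cve in sorted(pairs):
            print(f"{bucket:10} {pkg:16} {cve}")
```

Findings are keyed by name@version, so a package that the two tools name differently (for instance a distro package versus the upstream project name) shows up as a disagreement rather than a match; that is worth checking by hand before treating an "only" bucket as a scanner gap. Anything that has no CVE alias on either side is dropped by `cve_ids`, so advisory-only findings need a separate look.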

Released under the MIT License