Proper way to scan licenses in npm and pip installed packages

[Mar0dev]

Question

Hello team,
My current configuration consists of frotend (JS) and backend (Python) applications. Code is hosted in self-managed GitLab. In pipelines I build docker images which are then hosted in Google Artifact Registry. The goal is to scan licenses of the installed packages.

To perform scans I have a third image that performs security scans and has Trivy installed in it. It has access to Google AR.

I have reviewed the documentation, but still cant decide on best approach. For backend - Python, I use "pip install" from requirements.txt file. To my surprise when I scan the image with python packages installed this way I can see licenses under "Python (license)" properly.

For frontend images I use "RUN npm ci --cache .npm --prefer-offline" which installs from package-lock.json.

Based on the documentation, the image scan that I perform: "trivy image --scanners license gar-container" should not list licenses of both npm and pip installed packages those ways. For the backend image licenses are listed properly but for the frontend they are not.

What would be the best approach to scan licenses in my configuration?

Target

Container Image

Scanner

License

Output Format

Table

Mode

Standalone

Operating System

Unix

Version

0.51.1

[DmitriyLewen]

Hello @Mar0dev
Thanks for your interest to Trivy!

You use npm (package-lock.json) and pip (requirement.txt). Trivy doesn't scan these files in image mode (see https://aquasecurity.github.io/trivy/v0.51/docs/coverage/language/#supported-languages).

But in your case, Trivy takes other files to detect licenses

• when you use npm ci - npm creates node_modules directory with package.json files. Trivy parses these package.json files and detects licenses.
• similarly for pip. pip creates usr/local/lib/python3.11/dist-packages/<pkg_name>.dist-info/METADATA files. Trivy detects licenses from these files.

Small example for you:

FROM node

RUN apt-get update && apt-get -y install python3-pip

RUN pip3 install awscli --break-system-packages

COPY ./package-lock.json /app/package-lock.json
RUN cd /app && npm init -y && npm ci

Check Trivy output in json format :

➜ trivy -d image --scanners license -f json  6684
...
    {
      "Target": "Python",
      "Class": "license",
      "Licenses": [
        {
          "Severity": "LOW",
          "Category": "notice",
          "PkgName": "colorama",
          "FilePath": "usr/local/lib/python3.11/dist-packages/colorama-0.4.6.dist-info/METADATA",
          "Name": "BSD-3-Clause",
          "Confidence": 1,
          "Link": ""
        },
...
      "Target": "Node.js",
      "Class": "license",
      "Licenses": [
        {
          "Severity": "LOW",
          "Category": "notice",
          "PkgName": "corepack",
          "FilePath": "usr/local/lib/node_modules/corepack/package.json",
          "Name": "MIT",
          "Confidence": 1,
          "Link": ""
        },
...

Regards, Dmitriy