Clean up downloaded images from daemons #3985

@houdini91

Description

What would you like to be added:
Introduce an automatic “cleanup” step that runs after every Syft/Stereoscope scan, deleting any image layers or temp data the providers created—so disk space never accumulates between runs.

Why is this needed:
Running syft scan or syft attest against images pulled from Docker or Containerd leaves those images—and their layer files—inside the local daemon. On CI runners this causes disk usage in /var/lib/docker/overlay2 (or the Containerd content store) to grow continuously, eventually filling the filesystem. Previous discussions (e.g. stereoscope #161, syft #416) covered temporary directories, but did not address the persistent layers created by daemon-based providers.

Additional context:
Patches are intended as a proof of concept: feel free to ignore them, cherry-pick pieces, or push changes directly onto the branches if there’s a cleaner way to fold this into the projects’ architecture.

Draft Suggestion

Syft patch

| Area | High-level change |
| --- | --- |
| Lifecycle support | Introduced a new Cleanup(ctx) method to the source.Provider interface. |
| Central helper | Added syft.CleanupSource() to iterate over all candidate providers and call their Cleanup. |
| CLI wiring | Updated getSource() to return (src, cleanupFunc, err); syft scan and syft attest now defer both src.Close() and cleanupFunc(). |

Stereoscope patch

| Area | High-level change |
| --- | --- |
| Interface | Added Cleanup(ctx) to image.Provider. |
| Docker daemon provider | Implemented Cleanup by calling Docker’s ImageRemove to delete the analysed image. |
| Containerd daemon provider | Implemented Cleanup via ImageService().Delete() to purge the image from Containerd. |
| Other providers (OCI dir/tarball/registry, SIF, etc.) | Implemented no-op Cleanup that just logs a debug message—these providers don’t leave persistent state. |
| Common code | Updated provider factories and helper functions so all providers now satisfy the new interface. |

Together, these two patches establish a complete create → use → cleanup lifecycle across both projects.
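The create → use → cleanup lifecycle sketched in the two tables, as an added example written for this page rather than code from the syft or stereoscope patches. The Provider interface, fakeDaemon, daemonProvider, noopProvider, CleanupSource and getSource below are assumed stand-ins for the real types (a real daemon provider would call Docker’s ImageRemove or containerd’s ImageService().Delete() where fakeDaemon.Remove is called). It also carries one check a reviewer would want before cleanup deletes anything from a shared daemon: the provider only removes an image it pulled itself, so a scan against an image the operator already had on the host leaves that image in place.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Source stands in for the object a provider hands to the scanner.
type Source struct{ Ref string }

// Provider follows the shape proposed in the issue (assumed here, not syft's real
// source.Provider): Provide builds the source, Cleanup releases persistent state.
type Provider interface {
	Provide(ctx context.Context) (*Source, error)
	Cleanup(ctx context.Context) error
}

// fakeDaemon is an in-memory image store so the example runs offline; a real
// provider would call Docker's ImageRemove or containerd's ImageService().Delete().
type fakeDaemon struct{ images map[string]bool }

func (d *fakeDaemon) Has(ref string) bool   { return d.images[ref] }
func (d *fakeDaemon) Pull(ref string) error { d.images[ref] = true; return nil }
func (d *fakeDaemon) Remove(ref string) error {
	if !d.images[ref] {
		return fmt.Errorf("image %q not found", ref)
	}
	delete(d.images, ref)
	return nil
}

// daemonProvider pulls an image into the daemon and removes it again on Cleanup.
// It only removes what it pulled itself, so a scan never deletes an image the
// operator already had on the host and may still rely on.
type daemonProvider struct {
	daemon *fakeDaemon
	ref    string
	pulled bool
}

func (p *daemonProvider) Provide(ctx context.Context) (*Source, error) {
	if !p.daemon.Has(p.ref) {
		if err := p.daemon.Pull(p.ref); err != nil {
			return nil, fmt.Errorf("pull %s: %w", p.ref, err)
		}
		p.pulled = true // this scan is now responsible for the image
	}
	return &Source{Ref: p.ref}, nil
}

func (p *daemonProvider) Cleanup(ctx context.Context) error {
	if !p.pulled {
		return nil // pre-existing image, or already cleaned up: nothing to do
	}
	if err := p.daemon.Remove(p.ref); err != nil {
		return fmt.Errorf("cleanup %s: %w", p.ref, err)
	}
	p.pulled = false // keeps Cleanup idempotent if it runs twice
	return nil
}

// noopProvider models directory, tarball and registry providers: no persistent
// state, so Cleanup only emits a debug line.
type noopProvider struct{ name string }

func (p noopProvider) Provide(ctx context.Context) (*Source, error) { return &Source{Ref: p.name}, nil }
func (p noopProvider) Cleanup(ctx context.Context) error {
	fmt.Printf("debug: %s: nothing to clean up\n", p.name)
	return nil
}

// CleanupSource calls Cleanup on every candidate provider and reports all failures
// together, so one failing provider cannot stop the others from freeing disk space.
func CleanupSource(ctx context.Context, providers ...Provider) error {
	var errs []error
	for _, p := range providers {
		if err := p.Cleanup(ctx); err != nil {
			errs = append(errs, err)
		}
	}
	return errors.Join(errs...)
}

// getSource mirrors the proposed CLI wiring: the first provider that succeeds
// supplies the source, and the caller defers the returned cleanup closure.
func getSource(ctx context.Context, providers ...Provider) (*Source, func() error, error) {
	for _, p := range providers {
		if src, err := p.Provide(ctx); err == nil {
			return src, func() error { return CleanupSource(ctx, providers...) }, nil
		}
	}
	return nil, func() error { return nil }, errors.New("no provider could supply a source")
}

func main() {
	daemon := &fakeDaemon{images: map[string]bool{"present:latest": true}} // constructed: pre-existing image
	src, cleanup, err := getSource(context.Background(), &daemonProvider{daemon: daemon, ref: "pulled:latest"})
	if err != nil {
		panic(err)
	}
	fmt.Println("scanned", src.Ref, "cleanup error:", cleanup(), "pulled image left behind:", daemon.Has("pulled:latest"))
}
```

errors.Join needs Go 1.20 or later. Because getSource hands back a closure over every candidate provider, the CLI can defer it next to src.Close() without knowing which provider won; providers that never pulled anything return nil from Cleanup, and a daemon provider whose image has already vanished reports that as an error instead of hiding it.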

Metadata

Labels: enhancement (New feature or request)
Status: In Review