@SchizoDuckie
Last active April 17, 2025 17:16
Docker Image To Tar - Download a docker image, scan its filesystem for secrets with TruffleHog, convert it to .tar (only when secrets are found or --convert is given), and nix the image from the local cache.
#!/bin/bash
# Usage: ./dockerimagetotar.sh namespace/container:tag [--convert]
#
# Pulls an image, scans its (flattened) filesystem for secrets with TruffleHog,
# exports that filesystem to a .tar when secrets are found or --convert is given,
# and removes the image from the local cache again.
#
# Caveat: `docker export` gives the merged filesystem of a container, so a secret
# that was added in one layer and deleted in a later layer is not visible to this
# scan. Scan the image layers themselves (`trufflehog docker --image ...`) if that
# case matters to you.
set -o pipefail

# Check if at least one argument is provided
if [ $# -lt 1 ]; then
    echo "Usage: $0 image_name[:tag] [--convert]"
    exit 1
fi
IMAGE_NAME=$1
CONVERT_ANYWAY=false
# Check if --convert flag is provided
if [ $# -gt 1 ] && [ "$2" == "--convert" ]; then
    CONVERT_ANYWAY=true
fi

TEMP_CONTAINER="temp_container_$(date +%s)"
# mktemp gives a freshly created, unpredictable directory instead of a guessable
# name in the current working directory.
TEMP_DIR=$(mktemp -d) || exit 1
SCAN_OUTPUT=$(mktemp) || exit 1
IMAGE_PULLED=false

# Generate safe filename for the tar
# Replace slashes, colons and the @ of digest references with underscores
SAFE_NAME=$(printf '%s' "$IMAGE_NAME" | sed 's|[/:@]|_|g')
TAR_NAME="${SAFE_NAME}.tar"

# Clean up on every exit path (success, failure, Ctrl-C). The image is removed
# only if this script pulled it.
cleanup() {
    docker rm "$TEMP_CONTAINER" >/dev/null 2>&1 && echo "Removed temporary container."
    echo "Removing temporary extraction directory..."
    rm -rf "$TEMP_DIR"
    rm -f "$SCAN_OUTPUT"
    if [ "$IMAGE_PULLED" = true ]; then
        echo "Removing Docker image..."
        docker rmi -- "$IMAGE_NAME"
    fi
}
trap cleanup EXIT

echo "Pulling Docker image: $IMAGE_NAME..."
# "--" stops docker from reading an image name that starts with "-" as an option
if ! docker pull -- "$IMAGE_NAME"; then
    echo "Failed to pull image $IMAGE_NAME. Exiting."
    exit 1
fi
IMAGE_PULLED=true

# Check if TruffleHog is installed, install if not
if ! command -v trufflehog >/dev/null 2>&1; then
    echo "Installing TruffleHog..."
    # For Linux/macOS. This runs a script fetched over the network with your
    # privileges and needs write access to /usr/local/bin; pin a release and
    # verify its checksum if you use this anywhere but a throwaway machine.
    if [[ "$OSTYPE" == "linux-gnu"* || "$OSTYPE" == "darwin"* ]]; then
        if ! curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin; then
            echo "TruffleHog installation failed."
            exit 1
        fi
    else
        echo "Please install TruffleHog manually for your system: https://github.com/trufflesecurity/trufflehog#install"
        exit 1
    fi
fi

# Create temp container for scanning. Nothing is started; the container only
# exists so that `docker export` can hand us its filesystem.
echo "Creating temporary container for scanning..."
if ! docker create --name "$TEMP_CONTAINER" -- "$IMAGE_NAME"; then
    # An image with neither ENTRYPOINT nor CMD cannot be created without a
    # command. The command is never run, so a placeholder such as "sh" is enough.
    echo "Failed to create container from image $IMAGE_NAME."
    echo "Trying again with a placeholder 'sh' command..."
    if ! docker create --name "$TEMP_CONTAINER" -- "$IMAGE_NAME" sh; then
        echo "All container creation attempts failed."
        exit 1
    fi
fi

# Export container temporarily for scanning (pipefail makes a failed export fail
# the whole pipeline, not just a failed tar)
echo "Temporarily exporting container for scanning..."
if ! docker export "$TEMP_CONTAINER" | tar -xf - -C "$TEMP_DIR"; then
    echo "Failed to extract container for scanning."
    exit 1
fi

# Run TruffleHog scan on the extracted container
echo "Scanning filesystem for secrets using TruffleHog..."
trufflehog filesystem --no-update --directory "$TEMP_DIR" > "$SCAN_OUTPUT"
# Check if any secrets were found. TruffleHog writes findings to stdout and its
# log to stderr, so a non-empty capture file means at least one finding.
SECRETS_FOUND=false
if [ -s "$SCAN_OUTPUT" ]; then
    echo "⚠️ Secrets or sensitive information detected!"
    cat "$SCAN_OUTPUT"
    SECRETS_FOUND=true
else
    echo "No secrets detected in the image."
fi

# Only proceed with final export if secrets are found or --convert flag is set
if [ "$SECRETS_FOUND" = true ] || [ "$CONVERT_ANYWAY" = true ]; then
    echo "Exporting container filesystem to $TAR_NAME..."
    if ! docker export -o "$TAR_NAME" "$TEMP_CONTAINER"; then
        echo "Failed to export container filesystem."
        exit 1
    fi
    echo "Done! The filesystem is available in $TAR_NAME"
else
    echo "No secrets found and --convert flag not provided. Skipping export."
fi

if [ "$SECRETS_FOUND" = true ]; then
    echo "⚠️ Please review the detected secrets in the exported container."
fi
# Temporary container, extraction directory, scan output and image are removed
# by the EXIT trap.
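The script hands its first argument straight to `docker pull` and `docker create`. If it is ever driven by CI or another script with input it does not control, an argument such as `--privileged -v /:/host alpine` is word-split into extra docker options, and a value starting with `-` is read as a flag. The function below is an added example, not part of the gist, that allow-lists the argument against a simplified form of the Docker image reference grammar (the one documented in distribution/reference) before it reaches docker. The simplification is an assumption: it accepts a few path separators the real grammar rejects, but never whitespace, shell metacharacters or a leading `-`. `safe_tar_name` mirrors the script's SAFE_NAME logic and additionally maps `@` so digest references produce a flat filename; `pull_checked` and the `--demo` inputs are constructed for this example.

```shell
#!/bin/bash
# Added example, not part of the gist: reject image references that could be
# word-split or parsed as docker options, and derive the tar name from a checked
# reference. REF_RE is a simplified form of the distribution/reference grammar
# (assumption: lenient on separators, strict on everything else).
#
# Shape: [registry[:port]/]path[/path...][:tag][@algo:hex]
REF_RE='^([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*(:[0-9]+)?/)?[a-z0-9]+([._-]+[a-z0-9]+)*(/[a-z0-9]+([._-]+[a-z0-9]+)*)*(:[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?(@[A-Za-z][A-Za-z0-9]*([-+._][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,})?$'

# Returns 0 when $1 is a well-formed reference, 1 otherwise. printf rather than
# echo, so a value starting with "-" is not taken as an echo option either.
validate_image_ref() {
    printf '%s' "$1" | grep -Eq -e "$REF_RE"
}

# Same idea as SAFE_NAME in the script, extended with "@" so digest references
# also map to a flat filename.
safe_tar_name() {
    printf '%s.tar' "$(printf '%s' "$1" | sed 's|[/:@]|_|g')"
}

# Pull only after the reference passed the check, and put it after "--" so docker
# cannot read it as an option even if the check is ever loosened.
pull_checked() {
    if ! validate_image_ref "$1"; then
        echo "Refusing to use '$1': not a valid image reference" >&2
        return 1
    fi
    docker pull -- "$1"
}

# Demo on constructed inputs: the first three pass, the rest are rejected.
if [ "${1:-}" = "--demo" ]; then
    for ref in 'alpine:3.19' \
               'ghcr.io/trufflesecurity/trufflehog:latest' \
               'registry.example.com:5000/team/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' \
               '--privileged -v /:/host alpine' \
               'Alpine' \
               'alpine;rm -rf /' \
               '../escape'; do
        if validate_image_ref "$ref"; then
            echo "ok       $ref -> $(safe_tar_name "$ref")"
        else
            echo "rejected $ref"
        fi
    done
fi
```

Run it with `--demo` to see which constructed inputs pass. Dropping `validate_image_ref` plus `--` into the gist's `docker pull` and `docker create` calls is the whole change; the regex is deliberately an allow-list, so a reference the real grammar accepts but this one rejects fails closed rather than open.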