Tools

Thoughtworks Technology Radar

65. Grype
Assess

Securing the software supply chain has become a commonplace concern among delivery teams, a concern that is reflected by the growing number of new tools in this space. Grype is a new lightweight vulnerability scanning tool for Docker and OCI images. It can be installed as a binary, can scan images before they’re pushed to a registry, and it doesn’t require a Docker daemon to run on your build agents. Grype comes from the same team that is behind Syft, which generates SBOMs in various formats from container images. Grype can consume the SBOM output of Syft to scan for vulnerabilities.

66. Infracost
Assess

One often-cited advantage of moving to the cloud is transparency around infrastructure spend. In our experience, this is often not the case. Teams don’t always think about the decisions they make around infrastructure in terms of financial cost, which is why we previously blipped about run cost as architecture fitness function. We’re intrigued by the release of a new tool called Infracost, which aims to make cost trade-offs visible in Terraform pull requests. It’s open-source software, available for macOS, Linux, Windows and Docker, and it supports pricing for AWS, GCP and Microsoft Azure out of the box. It also provides a public API that can be queried for current cost data. Our teams are excited by its potential, especially when it comes to gaining better cost visibility in the IDE.

67. jc
Assess

In our previous Radar, we placed modern Unix commands in Assess. One of the commands featured in that collection of tools was jq, effectively a sed for JSON. jc performs a related task: it takes the output of common Unix commands and parses it into JSON. The two commands together provide a bridge between the Unix CLI world and the raft of libraries and tools that operate on JSON.
When writing simple scripts, for example for software deployment or for gathering troubleshooting information, having the myriad of different Unix command output formats mapped into well-defined JSON can save a lot of time and effort. As with jq, you need to make sure the command is available; it can be installed from many of the well-known package repositories.

68. skopeo
Assess

skopeo is a command line utility that performs various operations on container images and image repositories. It doesn’t require the user to be root for most of its operations, nor does it require a daemon to be running. It’s a useful part of a CI pipeline; we’ve used it to copy images from one registry to another as we promote them. That is better than doing a pull and a push, because we don’t need to store the images locally. It’s not a new tool, but it’s useful enough and underutilized enough that we felt it was worth calling out.

© Thoughtworks, Inc. All Rights Reserved.
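For the Grype blip above, an added example that is not code from the Radar or from the Grype project: a small Python gate a CI job could run over the JSON report that `grype sbom:sbom.json -o json` writes after Syft has produced the SBOM, failing the build on findings at or above a severity threshold unless they carry an unexpired accepted-risk entry. It assumes the report shape `matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version}`; the embedded report, its CVE ids and its package names are constructed placeholders.

```python
"""Severity gate over a Grype JSON report (added example; the report shape is an
assumption).  Blocks on any match at or above the threshold unless it has an unexpired
accepted-risk entry.  Unrated matches block: an unrated CVE is not a cleared one."""
import json
from datetime import date

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample shaped like `grype sbom:sbom.json -o json`; the CVE ids,
# package names and versions are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "otherlib", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "thirdlib", "version": "2.0.0"}},
]})

# Accepted risks: (cve, package) -> expiry as an ISO date.  An entry silences the
# finding only until it expires, so every acceptance gets re-reviewed.
ACCEPTED = {("CVE-0000-0003", "thirdlib"): "2099-01-01"}


def blocking_findings(report_json, threshold="high", accepted=ACCEPTED, today=None):
    """Return (cve, package, severity, fixed_in) for every match that should fail the build."""
    today = today or date.today().isoformat()      # ISO date strings compare chronologically
    min_rank = SEVERITY_RANK[threshold.lower()]
    out = []
    for match in json.loads(report_json)["matches"]:
        vuln, artifact = match["vulnerability"], match["artifact"]
        severity = vuln.get("severity", "unknown").lower()
        if severity in SEVERITY_RANK and SEVERITY_RANK[severity] < min_rank:
            continue                                # below threshold: report only, do not block
        expiry = accepted.get((vuln["id"], artifact["name"]))
        if expiry is not None and today <= expiry:
            continue                                # accepted risk, still inside its window
        fixed_in = ", ".join(vuln.get("fix", {}).get("versions", [])) or None
        out.append((vuln["id"], artifact["name"], severity, fixed_in))
    return out


if __name__ == "__main__":
    findings = blocking_findings(SAMPLE_REPORT)
    for cve, package, severity, fixed_in in findings:
        print(f"BLOCK {cve} in {package} ({severity}), fixed in: {fixed_in or 'no fix yet'}")
    raise SystemExit(1 if findings else 0)
```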
Vol 26 | Technology Radar