What would you like to be added:
Introduce an automatic “cleanup” step that runs after every Syft/Stereoscope scan, deleting any image layers or temp data the providers created—so disk space never accumulates between runs.
Why is this needed:
Running syft scan or syft attest against images pulled from Docker or Containerd leaves those images—and their layer files—inside the local daemon. On CI runners this causes disk usage in /var/lib/docker/overlay2 (or the Containerd content store) to grow continuously, eventually filling the filesystem. Previous discussions (e.g. stereoscope #161, syft #416) covered temporary directories, but did not address the persistent layers created by daemon-based providers.
Additional context:
Patches are intended as a proof of concept: feel free to ignore them, cherry-pick pieces, or push changes directly onto the branches if there’s a cleaner way to fold this into the projects’ architecture.
Draft Suggestion
Syft patch
| Area | High-level change |
| --- | --- |
| Lifecycle support | Introduced a new Cleanup(ctx) method to the source.Provider interface. |
| Central helper | Added syft.CleanupSource() to iterate over all candidate providers and call their Cleanup. |
| CLI wiring | Updated getSource() to return (src, cleanupFunc, err); syft scan and syft attest now defer both src.Close() and cleanupFunc(). |
Stereoscope patch
| Area | High-level change |
| --- | --- |
| Interface | Added Cleanup(ctx) to image.Provider. |
| Docker daemon provider | Implemented Cleanup by calling Docker’s ImageRemove to delete the analysed image. |
| Containerd daemon provider | Implemented Cleanup via ImageService().Delete() to purge the image from Containerd. |
| Other providers (OCI dir/tarball/registry, SIF, etc.) | Implemented no-op Cleanup that just logs a debug message—these providers don’t leave persistent state. |
| Common code | Updated provider factories and helper functions so all providers now satisfy the new interface. |
Together, these two patches establish a complete create → use → cleanup lifecycle across both projects.
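
The create → use → cleanup lifecycle proposed above, sketched in Go as an added example (not code from the Syft or Stereoscope patches). `Provider`, `daemonProvider`, `scan` and the in-memory store are hypothetical, and tracking `pulled` so that Cleanup spares images already present on the runner is an assumption the issue does not state.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Provider is a hypothetical stand-in for the proposed interface with Cleanup(ctx).
type Provider interface {
	Provide(ctx context.Context) error
	Cleanup(ctx context.Context) error
}

// daemonProvider models a daemon-backed provider over a constructed in-memory store.
type daemonProvider struct {
	store  map[string]bool // image ref -> present; not a real Docker/containerd client
	ref    string
	pulled bool // assumption: remember whether this run added the image
}

func (p *daemonProvider) Provide(context.Context) error {
	if !p.store[p.ref] {
		p.store[p.ref], p.pulled = true, true
	}
	return nil
}

// Cleanup removes only what this run pulled, so pre-existing images survive.
func (p *daemonProvider) Cleanup(context.Context) error {
	if p.pulled {
		delete(p.store, p.ref)
		p.pulled = false
	}
	return nil
}

// scan runs create -> use -> cleanup; use stands in for cataloging and may fail.
func scan(ctx context.Context, p Provider, use func() error) (err error) {
	if err = p.Provide(ctx); err != nil {
		return err
	}
	defer func() { err = errors.Join(err, p.Cleanup(ctx)) }() // runs on every exit path
	return use()
}

func main() {
	p := &daemonProvider{store: map[string]bool{"base:1": true}, ref: "app:2"} // constructed
	fmt.Println(scan(context.Background(), p, func() error { return nil }), p.store)
}
```

Registering the deferred cleanup only after Provide succeeds means a failed pull leaves nothing to remove, while a failing scan step still triggers removal and its error is preserved.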