Infra Atlas · Toolbox

Container & Images.

The Docker CLI is good for building and running containers locally, but it is a poor tool for registry operations, SBOM generation, or signing. This department covers the OCI supply chain: moving images between registries without a daemon, knowing exactly what is inside them, scanning for vulnerabilities, and proving they haven't been tampered with. Note: dive and lazydocker (runtime tools) live in the Kubernetes toolbox.

Form · Language · Focus · Picks
Skopeo replaces docker pull + docker push for registry-to-registry copies

Copies container images between registries without a Docker daemon and without pulling them to disk: skopeo copy docker://docker.io/nginx:latest docker://my-ecr.dkr.ecr.eu-west-1.amazonaws.com/nginx:latest streams the layers directly from source to destination. Copying a tag copies whatever that tag resolves to at that moment; pass --all to carry every platform of a multi-arch index rather than only the one matching the host, and copy by @sha256: digest when the result must be reproducible. Also inspects image manifests (skopeo inspect), lists tags (skopeo list-tags), and syncs an entire repository (skopeo sync). The right tool for mirroring public images into a private registry as part of an air-gapped or network-policy workflow.

CLI · Go · mature · registry · platform
containers/skopeo
Crane replaces docker CLI for image inspection and manipulation

OCI image manipulation tool from Google: pull, push, copy, tag, mutate (add layers, change the entrypoint, set labels), and inspect images, all without a running daemon. The Go library underneath (go-containerregistry) is what ko and many other tools build on. crane ls gcr.io/distroless/base lists all tags; crane digest image:tag returns the digest of whatever the tag currently points to (the index digest for a multi-arch image), which is the value to pin in deployment manifests. Lighter than Skopeo for single-image operations.

CLI · Go · mature · registry · platform
google/go-containerregistry
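The Skopeo and Crane entries above both come down to one discipline: resolve a tag to a digest once, copy and deploy that digest, and never let a moving tag decide what runs. The script below is an added example written for this page; it is not code from the skopeo or go-containerregistry projects. It assumes crane and skopeo (1.5 or later, for --preserve-digests) are on PATH, and the registry hosts and repository names are placeholders. The digest and reference helpers run without network access; mirror_image is the step that talks to registries.

```shell
#!/bin/sh
# Added example (not part of the page or of skopeo/crane): mirror an upstream image into a
# private registry by digest rather than by tag, so that what you copied is what you deploy.
# Assumed: crane and skopeo on PATH; registry hosts and repositories below are placeholders.
set -eu

# Accept only a full sha256 digest; a tag or a truncated digest is rejected.
digest_ok() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Drop a :tag or @digest suffix, leaving the repository. A ':' counts as a tag separator
# only in the last path component, so registry ports (localhost:5000/app) survive.
strip_tag() {
  ref=$1
  case $ref in *@*) ref=${ref%%@*} ;; esac
  last=${ref##*/}
  case $last in
    *:*) printf '%s\n' "${ref%:*}" ;;
    *)   printf '%s\n' "$ref" ;;
  esac
}

# Build the immutable reference to commit into manifests: repo@sha256:...
pin_ref() {
  digest_ok "$2" || { echo "pin_ref: bad digest '$2'" >&2; return 1; }
  printf '%s@%s\n' "$(strip_tag "$1")" "$2"
}

# Resolve the tag once, copy exactly that digest (every platform of the index, digests
# preserved so the copy fails rather than silently re-encoding), then confirm the mirror
# serves the same manifest before anyone pins it.
mirror_image() {
  src=$1 dst=$2
  digest=$(crane digest "$src")
  pinned=$(pin_ref "$src" "$digest")
  skopeo copy --all --preserve-digests "docker://$pinned" "docker://$dst"
  mirrored=$(crane digest "$dst")
  [ "$mirrored" = "$digest" ] || {
    echo "digest mismatch after copy: $mirrored != $digest" >&2
    return 1
  }
  # The reference to use from here on: the mirror repo, pinned to the verified digest.
  pin_ref "$dst" "$digest"
}

# Usage: sh mirror.sh docker.io/library/nginx:1.27 registry.example.internal/mirror/nginx:1.27
if [ "$#" -ge 2 ]; then
  mirror_image "$1" "$2"
fi
```

The final digest comparison is what turns "we copied it" into "we copied this": a tag on either side can be repointed between the resolve and the copy, while the digest printed at the end names one manifest forever.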
Syft replaces manually tracking what's inside an image

Generates a Software Bill of Materials (SBOM) from container images, filesystems, and directories. syft image:tag -o cyclonedx-json (or -o spdx-json) produces a structured list of every package, library, and binary inside the image with its version and, where the package metadata carries it, its license. Used as input to Grype (vulnerability scanning) and to compliance workflows. SBOMs are increasingly required by procurement and regulatory frameworks for software supply chains; Syft is one of the two de facto open-source generators (Trivy is the other).

CLI · Go · mature · scan · platform
anchore/syft
Grype replaces Trivy for Anchore-lineage vulnerability scanning

Vulnerability scanner from Anchore; pairs naturally with Syft since both use the same package model. grype sbom:syft-output.json scans a pre-generated SBOM, enabling the pattern "generate the SBOM once per build, rescan it as the vulnerability database changes" (grype db update refreshes the database; --fail-on high makes a scan a CI gate by exiting non-zero at or above that severity). The Trivy vs Grype choice is mostly about vulnerability database coverage and integration preference; both are solid. Also in the Security & Compliance department.

CLI · Go · mature · scan · platform
anchore/grype
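The "generate once, scan many times" pattern from the Syft and Grype entries only works if the stored SBOM is keyed by something that cannot move. The script below is an added example for this page, not code from Syft or Grype. It assumes syft and grype on PATH, takes a digest-pinned reference (repo@sha256:...) as input, and treats the sboms/ directory, the example image and the severity threshold as placeholders. digest_of and sbom_path_for run offline; generate_sbom and scan_sbom call the tools.

```shell
#!/bin/sh
# Added example (not from the page, Syft or Grype): generate the SBOM once per image digest,
# store it keyed by that digest, and rescan the stored SBOM against a fresh vulnerability DB.
# Assumed: syft and grype on PATH; image reference, sboms/ directory and threshold are placeholders.
set -eu

# Only accept a digest-pinned reference. An SBOM for "app:latest" describes whatever the tag
# pointed to that day; an SBOM for "app@sha256:..." describes exactly one image, forever.
digest_of() {
  case $1 in
    *@sha256:*) printf '%s\n' "${1##*@}" ;;
    *) echo "refusing tag reference '$1': pin it to a digest first" >&2; return 1 ;;
  esac
}

# SBOM files are named by digest so a rescan always maps back to one artifact.
sbom_path_for() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$' || { echo "not a digest: $1" >&2; return 1; }
  printf 'sboms/%s.cdx.json\n' "${1#sha256:}"
}

# Build-time step, run once per image. The registry: prefix makes Syft read the image from
# the registry directly instead of looking for a Docker daemon first.
generate_sbom() {
  pinned=$1
  out=$(sbom_path_for "$(digest_of "$pinned")")
  mkdir -p sboms
  syft "registry:$pinned" -o "cyclonedx-json=$out"
  printf '%s\n' "$out"
}

# Scan-time step, run on every build and again on a schedule. The SBOM does not change;
# the database does, so refresh it first. --fail-on exits non-zero at or above the
# threshold; --only-fixed limits the gate to findings with an available fix (unfixed
# findings still appear in the JSON report, they just do not block the build).
scan_sbom() {
  sbom=$1 threshold=${2:-high}
  grype db update
  grype "sbom:$sbom" --fail-on "$threshold" --only-fixed \
    -o json --file "${sbom%.cdx.json}.grype.json"
}

# Usage: sh sbom-gate.sh ghcr.io/example-org/app@sha256:<digest> [high|critical]
if [ "$#" -ge 1 ]; then
  scan_sbom "$(generate_sbom "$1")" "${2:-high}"
fi
```

Dropping --only-fixed makes the gate stricter but noisier; the right setting depends on whether the team is prepared to rebuild on a base-image bump or to carry a documented exception for an unfixed finding.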
Cosign replaces unsigned container images in production

Image signing and verification via Sigstore. Keyless signing exchanges an OIDC token (your CI job's identity) for a short-lived signing certificate, so there is no long-lived key to rotate or leak; the signature and certificate are recorded in the Rekor transparency log. cosign sign in CI; cosign verify at deploy time, with --certificate-identity (or --certificate-identity-regexp) and --certificate-oidc-issuer pinned to the expected workflow and provider, so that "signed" means "signed by that workflow" rather than by any Sigstore user. Pairs with Kyverno or OPA Gatekeeper to enforce that only images signed by that identity enter the cluster. Cosign signatures and attestations are the usual way SLSA provenance is published and verified; Sigstore itself is a separate project, not part of the SLSA framework. Also in the Security & Compliance department.

CLI · Go · mature · sign · platform
sigstore/cosign
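The identity constraint in the Cosign entry above is the whole point of keyless verification, and it is easy to get wrong with a loose regexp. The script below is an added example for this page, not code from the Sigstore project. It assumes cosign 2.x on PATH (where the identity and issuer flags are required for keyless verification), a GitHub Actions release workflow as the signer, and treats example-org, app, release.yml and the image references as placeholders. release_identity_regexp and require_pinned run offline; sign_image and verify_image call cosign.

```shell
#!/bin/sh
# Added example (not from the page or the Sigstore project): keyless sign and verify with the
# signer identity pinned, so "signed" means "signed by our release workflow on a release tag",
# not "signed by anyone with a GitHub account".
# Assumed: cosign 2.x on PATH; org, repo, workflow file and image references are placeholders.
set -eu

GITHUB_ISSUER=https://token.actions.githubusercontent.com

# The certificate subject GitHub Actions asserts looks like
#   https://github.com/<org>/<repo>/.github/workflows/<file>@refs/tags/v1.2.3
# This builds the --certificate-identity-regexp for one workflow file in one repo, anchored
# at both ends and restricted to vX.Y.Z tags, so a fork, a feature branch or a different
# workflow in the same repo does not pass. Dots are escaped so "release.yml" cannot match
# "releaseXyml"; RE2 syntax, which is what cosign uses.
release_identity_regexp() {
  org=$1 repo=$2 workflow=$3
  escaped=$(printf '%s' "$workflow" | sed 's/\./\\./g')
  printf '^https://github\\.com/%s/%s/\\.github/workflows/%s@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$\n' \
    "$org" "$repo" "$escaped"
}

# A signature binds to a manifest digest. Signing or verifying by tag leaves a window in
# which the tag can move between resolution and use, so refuse anything not pinned.
require_pinned() {
  case $1 in
    *@sha256:*) return 0 ;;
    *) echo "refusing '$1': use the digest, not the tag" >&2; return 1 ;;
  esac
}

# CI side. --yes consents to the transparency-log upload. The ephemeral private key is
# discarded after signing; the certificate carrying the workflow identity is what remains.
sign_image() {
  require_pinned "$1"
  cosign sign --yes "$1"
}

# Deploy side. An admission policy (Kyverno, Gatekeeper) should pin the same two things:
# this issuer and this subject pattern. Either one alone is not enough.
verify_image() {
  require_pinned "$1"
  cosign verify \
    --certificate-oidc-issuer "$GITHUB_ISSUER" \
    --certificate-identity-regexp "$(release_identity_regexp example-org app release.yml)" \
    "$1"
}

# Usage: sh sig.sh sign|verify ghcr.io/example-org/app@sha256:<digest>
if [ "$#" -eq 2 ]; then
  case $1 in
    sign)   sign_image "$2" ;;
    verify) verify_image "$2" ;;
    *)      echo "usage: $0 sign|verify IMAGE@sha256:DIGEST" >&2; exit 2 ;;
  esac
fi
```

If the workflow signs on every push as well, the tag constraint in the regexp is what stops a signature made on a pull-request branch from being accepted in production; loosen it only if that is the policy you actually want.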
* Grype and Cosign also appear in the Security & Compliance department; the overlap is intentional since their primary use case spans both contexts. dive and lazydocker are in the Kubernetes toolbox since their focus is runtime (what's running, what's consuming resources) rather than supply chain (what's inside the image before it runs).