From b3225ee66badbb1c61a25f7547be489d6e2c4c21 Mon Sep 17 00:00:00 2001
From: Ben
Date: Tue, 21 Apr 2026 16:03:05 +0300
Subject: [PATCH 1/4] perf: disable file-digest/metadata/executable catalogers

These three catalogers iterate every file in the scan tree and dominate transient allocation, but their outputs are not consumed by the OOM-relevant SBOM path. Disabling them saves ~200 MB peak RSS on gitlab-ee (main) and stacks with upstream selective-indexing + binary-prefilter improvements to ~1.12 GB total (vs 1.62 GB baseline, fits 1.5 GB cgroup).

Signed-off-by: Ben
---
 pkg/sbommanager/v1/sbom_manager.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/sbommanager/v1/sbom_manager.go b/pkg/sbommanager/v1/sbom_manager.go
index 577e4e1a6..2f6d059b9 100644
--- a/pkg/sbommanager/v1/sbom_manager.go
+++ b/pkg/sbommanager/v1/sbom_manager.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/DmitriyVTitov/size"
 	"github.com/anchore/syft/syft"
+	"github.com/anchore/syft/syft/cataloging"
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
 	sbomcataloger "github.com/anchore/syft/syft/pkg/cataloger/sbom"
 	"github.com/aquilax/truncate"
@@ -471,6 +472,13 @@ func (s *SbomManager) processContainerWithMetadata(notif containercollection.Pub
 	sbomCfg := syft.DefaultCreateSBOMConfig()
 	sbomCfg.ToolName = "syft"
 	sbomCfg.ToolVersion = s.version
+	sbomCfg = sbomCfg.WithCatalogerSelection(
+		cataloging.NewSelectionRequest().WithRemovals(
+			"file-digest-cataloger",
+			"file-metadata-cataloger",
+			"file-executable-cataloger",
+		),
+	)
 	if s.cfg.EnableEmbeddedSboms {
 		sbomCfg.WithCatalogers(pkgcataloging.NewCatalogerReference(sbomcataloger.NewCataloger(), []string{pkgcataloging.ImageTag}))
 	}
From ca022e243ed7462a9f16f3f8c7873433979d1ae9 Mon Sep 17 00:00:00 2001
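Review bot: The three cataloger names added to processContainerWithMetadata are bare string literals with no comment on why they are dropped, and because WithRemovals takes free-form strings a typo in one of them would most likely be a silent no-op rather than a build error (I cannot tell from here whether syft rejects unknown names). The rationale exists only in the commit message, so the next reader may re-enable them or wonder why the SBOM carries no per-file digests; a comment above the call such as `// Drop the per-file catalogers (digest/metadata/executable): they walk every file in the tree and dominate transient allocation, and nothing downstream reads their output (see commit for RSS numbers).` keeps it with the code. The identical list reappears in pkg/sbomscanner/v1/server.go in PATCH 3/4, so a single package-level `var fileCatalogerRemovals = []string{...}` (or a helper) used by both callers would stop the two paths drifting apart. processContainerWithMetadata begins and ends outside the hunk.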
From: Ben
Date: Tue, 28 Apr 2026 10:03:36 +0300
Subject: [PATCH 2/4] deps: switch to kubescape/syft v1.32.0-ks.2 for memory reduction

Routes anchore/syft imports to the kubescape fork via replace directive. The fork carries selective indexing + binary-cataloger pre-filtering on top of v1.32.0; combined with the file-cataloger disable in the parent commit, this reduces gitlab-ee scan peak RSS from 1,621 MB to 1,123 MB.

Refs: NAUT-1283
Signed-off-by: Ben
---
 go.mod | 4 +++-
 go.sum | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index c22bee7f1..8053d3bcd 100644
--- a/go.mod
+++ b/go.mod
@@ -55,6 +55,7 @@ require (
 	go.uber.org/multierr v1.11.0
 	golang.org/x/net v0.53.0
 	golang.org/x/sys v0.43.0
+	golang.org/x/tools v0.43.0
 	gonum.org/v1/plot v0.14.0
 	google.golang.org/grpc v1.80.0
 	google.golang.org/protobuf v1.36.11
@@ -435,7 +436,6 @@ require (
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
-	golang.org/x/tools v0.43.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	google.golang.org/api v0.271.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
@@ -468,3 +468,5 @@ require (
 replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspektor-gadget v0.0.0-20260421100818-fd383d3d7db4
 
 replace github.com/cilium/ebpf => github.com/matthyx/ebpf v0.0.0-20260421101317-8a32d06def6c
+
+replace github.com/anchore/syft => github.com/kubescape/syft v1.32.0-ks.2
diff --git a/go.sum b/go.sum
index 381e31cba..d076c623a 100644
--- a/go.sum
+++ b/go.sum
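Review bot: The new `replace github.com/anchore/syft => github.com/kubescape/syft v1.32.0-ks.2` in go.mod's last hunk carries no comment saying why the fork is in use or when it can be dropped, so the only record of this supply-chain deviation is the commit message. A one-liner above it, `// kubescape/syft: upstream v1.32.0 + selective indexing and binary-cataloger pre-filtering (NAUT-1283); drop once upstreamed`, keeps that visible to anyone auditing dependencies. The first two hunks also promote golang.org/x/tools v0.43.0 from an indirect to a direct requirement, which the message does not mention; if that is simply `go mod tidy` output after the replace, saying so would save the reviewer from wondering why this change needs x/tools directly. go.sum does record the fork's own h1 for v1.32.0-ks.2, so the pin is integrity-checked; its go.mod h1 matching upstream's is expected if the fork's go.mod is unchanged.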
@@ -179,8 +179,6 @@ github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiE
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
 github.com/anchore/stereoscope v0.1.9 h1:Nhvk8g6PRx9ubaJU4asAhD3fGcY5HKXZCDGkxI2e0sI=
 github.com/anchore/stereoscope v0.1.9/go.mod h1:YkrCtDgz7A+w6Ggd0yxU9q58CerqQFwYARS+F2RvLQQ=
-github.com/anchore/syft v1.32.0 h1:JcX9W+P/Xjv5DNg3TNBtwiEyZommuTaP16/NC9r0Yfo=
-github.com/anchore/syft v1.32.0/go.mod h1:E6Kd4iBM2ljUOUQvSt7hVK6vBwaHkMXwcvBZmGMSY5o=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
@@ -889,6 +887,8 @@ github.com/kubescape/k8s-interface v0.0.207 h1:jX+EqZLjSArw4xa+XMvjnnoK0Q8IxdD2t
 github.com/kubescape/k8s-interface v0.0.207/go.mod h1:WNYUG93aZ5kDmuaRKFLtVhp18Yc6EfaHdD1gLYtVTN4=
 github.com/kubescape/storage v0.0.258 h1:0mL0z3dAmtP1qup7VgoEgwLgbBSROu5oOusBAPeMmus=
 github.com/kubescape/storage v0.0.258/go.mod h1:VHs+xQzvZKE2lJDN8rR1sFmTa43N6XJAcatZ249gviU=
+github.com/kubescape/syft v1.32.0-ks.2 h1:xdUksUmKEyyVKsTfJDYW8Z5HawVJtelsUolPOsWtDx0=
+github.com/kubescape/syft v1.32.0-ks.2/go.mod h1:E6Kd4iBM2ljUOUQvSt7hVK6vBwaHkMXwcvBZmGMSY5o=
 github.com/kubescape/workerpool v0.0.0-20250526074519-0e4a4e7f44cf h1:hI0jVwrB6fT4GJWvuUjzObfci1CUknrZdRHfnRVtKM0=
 github.com/kubescape/workerpool v0.0.0-20250526074519-0e4a4e7f44cf/go.mod h1:Il5baM40PV9cTt4OGdLMeTRRAai3TMfvImu31itIeCM=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
From b4ae37f829f9d830359e35db2b62d134bab9c689 Mon Sep 17 00:00:00 2001
From: Ben
Date: Tue, 28 Apr 2026 17:05:28 +0300
Subject: [PATCH 3/4] fix: check dep.Replace for actual fork version; add cataloger removals to sidecar

- packageVersion() now returns dep.Replace.Version when present so the fork tag (v1.32.0-ks.2) propagates to runtime metadata and version-gating logic
- pkg/sbomscanner/v1/server.go: add the same WithCatalogerSelection/WithRemovals as sbom_manager.go so both SBOM paths drop file-digest/metadata/executable catalogers and stay in consistent memory behaviour

Signed-off-by: Ben
---
 pkg/sbommanager/v1/sbom_manager.go | 3 +++
 pkg/sbomscanner/v1/server.go | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/pkg/sbommanager/v1/sbom_manager.go b/pkg/sbommanager/v1/sbom_manager.go
index 2f6d059b9..3e6e7798b 100644
--- a/pkg/sbommanager/v1/sbom_manager.go
+++ b/pkg/sbommanager/v1/sbom_manager.go
@@ -717,6 +717,9 @@ func packageVersion(name string) string {
 	if ok {
 		for _, dep := range bi.Deps {
 			if dep.Path == name {
+				if dep.Replace != nil && dep.Replace.Version != "" {
+					return dep.Replace.Version
+				}
 				return dep.Version
 			}
 		}
diff --git a/pkg/sbomscanner/v1/server.go b/pkg/sbomscanner/v1/server.go
index 1b105bb28..951f1525a 100644
--- a/pkg/sbomscanner/v1/server.go
+++ b/pkg/sbomscanner/v1/server.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/anchore/syft/syft"
+	"github.com/anchore/syft/syft/cataloging"
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
 	sbomcataloger "github.com/anchore/syft/syft/pkg/cataloger/sbom"
 	"github.com/kubescape/go-logger"
@@ -59,6 +60,13 @@ func (s *scannerServer) CreateSBOM(ctx context.Context, req *pb.CreateSBOMReques
 	cfg := syft.DefaultCreateSBOMConfig()
 	cfg.ToolName = "syft"
 	cfg.ToolVersion = s.version
+	cfg = cfg.WithCatalogerSelection(
+		cataloging.NewSelectionRequest().WithRemovals(
+			"file-digest-cataloger",
+			"file-metadata-cataloger",
+			"file-executable-cataloger",
+		),
+	)
 	if req.EnableEmbeddedSboms {
 		cfg.WithCatalogers(pkgcataloging.NewCatalogerReference(sbomcataloger.NewCataloger(), []string{pkgcataloging.ImageTag}))
 	}
@@ -104,6 +112,9 @@ func packageVersion(name string) string {
 	if ok {
 		for _, dep := range bi.Deps {
 			if dep.Path == name {
+				if dep.Replace != nil && dep.Replace.Version != "" {
+					return dep.Replace.Version
+				}
 				return dep.Version
 			}
 		}
From 5136072f9088c1f6ab3d8cc4b145ac66377ee0d3 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Wed, 29 Apr 2026 13:47:35 +0200
Subject: [PATCH 4/4] fix: keep syft tool version at required version

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pkg/sbommanager/v1/sbom_manager.go | 3 ---
 pkg/sbomscanner/v1/server.go | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/pkg/sbommanager/v1/sbom_manager.go b/pkg/sbommanager/v1/sbom_manager.go
index 3e6e7798b..2f6d059b9 100644
--- a/pkg/sbommanager/v1/sbom_manager.go
+++ b/pkg/sbommanager/v1/sbom_manager.go
@@ -717,9 +717,6 @@ func packageVersion(name string) string {
 	if ok {
 		for _, dep := range bi.Deps {
 			if dep.Path == name {
-				if dep.Replace != nil && dep.Replace.Version != "" {
-					return dep.Replace.Version
-				}
 				return dep.Version
 			}
 		}
diff --git a/pkg/sbomscanner/v1/server.go b/pkg/sbomscanner/v1/server.go
index 951f1525a..360d67c70 100644
--- a/pkg/sbomscanner/v1/server.go
+++ b/pkg/sbomscanner/v1/server.go
@@ -112,9 +112,6 @@ func packageVersion(name string) string {
 	if ok {
 		for _, dep := range bi.Deps {
 			if dep.Path == name {
-				if dep.Replace != nil && dep.Replace.Version != "" {
-					return dep.Replace.Version
-				}
 				return dep.Version
 			}
 		}
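Review bot: The cataloger-removal block added to CreateSBOM duplicates, literal for literal, the one already in pkg/sbommanager/v1/sbom_manager.go from PATCH 1/4, so the two SBOM paths will drift the first time one list is edited — the very inconsistency this commit sets out to remove. A small helper that takes and returns the `*syft.CreateSBOMConfig` gives one list, one comment carrying the memory rationale, and one place to check the names; both call sites then reduce to `cfg = withoutFileCatalogers(cfg)`. Which package both binaries already share for such a helper I cannot tell from here. CreateSBOM begins and ends outside the hunk.
```go
	cfg := syft.DefaultCreateSBOMConfig()
	cfg.ToolName = "syft"
	cfg.ToolVersion = s.version
	cfg = withoutFileCatalogers(cfg)
	// … unchanged: embedded-SBOM cataloger and the rest of CreateSBOM …

// withoutFileCatalogers drops syft's per-file catalogers (digest, metadata,
// executable). They walk every file in the scan tree and dominate transient
// allocation, and per the PATCH 1/4 rationale their output is not consumed
// downstream. Shared by the manager and scanner paths so both stay in step.
func withoutFileCatalogers(cfg *syft.CreateSBOMConfig) *syft.CreateSBOMConfig {
	return cfg.WithCatalogerSelection(
		cataloging.NewSelectionRequest().WithRemovals(
			"file-digest-cataloger",
			"file-metadata-cataloger",
			"file-executable-cataloger",
		),
	)
}
```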