container/grype.yml +6 −8 --- include: - local: container/image.yml variables: SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} @@ -15,14 +12,15 @@ variables: image: docker.io/alpine:3 stage: test script: - !reference [".image:name", script] - | TARGET_IMAGE=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} echo "[*] Target image: ${TARGET_IMAGE}" - wget -O- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -O- https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - echo "${IMAGE_NAME}:${IMAGE_DEV_TAG}" # 0) get the SBOM from syft - syft packages ${IMAGE_NAME}:${IMAGE_DEV_TAG} -o json > syft.json - syft packages ${TARGET_IMAGE} -o json > syft.json # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:syft.json --output=table --file grype.txt # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. @@ -36,8 +34,8 @@ variables: - grype.txt when: always allow_failure: true needs: - image:build grype: extends: .grype needs: - image:build container/readme.md +6 −0 @@ -40,6 +40,8 @@ grype:subdir_b: extends: .grype variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline ``` ### Two Dockerfiles in two subdirectories @@ -78,6 +80,8 @@ grype:subdir_b: extends: .grype variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline ``` You can have as many subdirectories and Dockerfiles as you want. They can even
@@ -112,4 +116,6 @@ grype:subdir_b: extends: .grype variables: IMAGE_NAME: subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline ```
container/grype.yml +6 −8 --- include: - local: container/image.yml variables: SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} @@ -15,14 +12,15 @@ variables: image: docker.io/alpine:3 stage: test script: - !reference [".image:name", script] - | TARGET_IMAGE=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} echo "[*] Target image: ${TARGET_IMAGE}" - wget -O- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -O- https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - echo "${IMAGE_NAME}:${IMAGE_DEV_TAG}" # 0) get the SBOM from syft - syft packages ${IMAGE_NAME}:${IMAGE_DEV_TAG} -o json > syft.json - syft packages ${TARGET_IMAGE} -o json > syft.json # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:syft.json --output=table --file grype.txt # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. @@ -36,8 +34,8 @@ variables: - grype.txt when: always allow_failure: true needs: - image:build grype: extends: .grype needs: - image:build
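Review bot: The new `TARGET_IMAGE` assignment in the `- |` step falls back to `:latest` when neither IMAGE_DEV_TAG nor IMAGE_TAG is set, so a misconfigured pipeline quietly scans whatever `latest` currently points at instead of the image `image:build` just produced, and the job still reports success; since the `!reference [".image:name", script]` line that presumably computed the name appears to be dropped in the same hunk, that fallback is now the only guard. Failing fast is safer: `: "${IMAGE_DEV_TAG:?set IMAGE_DEV_TAG (or IMAGE_TAG) to the tag produced by image:build}"` before the assignment, or at least a comment on the echo stating that `latest` means the tag was not propagated. Separately, the two installer lines in this hunk (whether or not this commit introduced them) run `wget ... | sh` from the unpinned `main` branch with no version or checksum, so the scanner that gates this job is whatever that URL serves at run time; the anchore installer accepts a release tag as a trailing argument, e.g. `sh -s -- -b /usr/local/bin <PINNED_TAG>`, and pinning both syft and grype there makes scan results reproducible and auditable. Note also that `allow_failure: true` in the second hunk (pre-existing, not changed here) means grype findings never block the pipeline, which is worth stating in a comment next to it so readers do not mistake this job for a gate.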
container/readme.md +6 −0 @@ -40,6 +40,8 @@ grype:subdir_b: extends: .grype variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline ``` ### Two Dockerfiles in two subdirectories @@ -78,6 +80,8 @@ grype:subdir_b: extends: .grype variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline ``` You can have as many subdirectories and Dockerfiles as you want. They can even @@ -112,4 +116,6 @@ grype:subdir_b: extends: .grype variables: IMAGE_NAME: subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline ```