Loading container/grype.yml +11 −8 Original line number Diff line number Diff line Loading @@ -15,19 +15,22 @@ variables: - | TARGET_IMAGE=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} echo "[*] Target image: ${TARGET_IMAGE}" - wget -O- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -O- https://raw.githubusercontent.com/anchore/grype/main/install.sh | - wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -qO- https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin # 0) get the SBOM from syft - syft packages ${TARGET_IMAGE} -o json > syft.json - syft packages ${TARGET_IMAGE} -o json > ${CI_PROJECT_DIR}/syft.json # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:syft.json --output=table --file grype.txt - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. - cat grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 - cat ${CI_PROJECT_DIR}/grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD - grype sbom:syft.json --output=table --file grype.txt --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} artifacts: paths: - syft.json Loading Loading
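Review bot: Step 2's `|| exit 0` on the new `cat ${CI_PROJECT_DIR}/grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0` line terminates the job script whenever no blacklisted CVE matches, so step 3's `--fail-on ${GRYPE_FAIL_ON_THRESHOLD}` gate never runs on the clean path if, as GitLab does, the script items execute in one shell; `grep -Eq "${GRYPE_CVE_BLACKLIST_REGEX}" "${CI_PROJECT_DIR}/grype.txt" && exit 1 || true` keeps the blacklist gate and falls through to the threshold check (the `script:` key itself is above the hunk). Quoting the regex and paths matters too: an unset or space-containing `GRYPE_CVE_BLACKLIST_REGEX` makes grep error out and the `|| exit 0` branch then reports a pass. Separately, both `wget -qO- …/main/install.sh | sh -s -- -b /usr/local/bin` lines execute an unpinned installer fetched from a moving branch with no integrity check, so the scanner that enforces the policy is itself an unverified supply-chain input; pinning syft and grype to release tags (the installer takes a tag as a trailing argument) and checking the published checksums would make the job reproducible. Note also that with `-q` a failed download leaves `sh` reading empty input and exiting 0, so the job only fails later with a less informative `command not found`.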
container/grype.yml +11 −8 Original line number Diff line number Diff line Loading @@ -15,19 +15,22 @@ variables: - | TARGET_IMAGE=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}} echo "[*] Target image: ${TARGET_IMAGE}" - wget -O- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -O- https://raw.githubusercontent.com/anchore/grype/main/install.sh | - wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -qO- https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin # 0) get the SBOM from syft - syft packages ${TARGET_IMAGE} -o json > syft.json - syft packages ${TARGET_IMAGE} -o json > ${CI_PROJECT_DIR}/syft.json # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:syft.json --output=table --file grype.txt - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. - cat grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 - cat ${CI_PROJECT_DIR}/grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD - grype sbom:syft.json --output=table --file grype.txt --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} artifacts: paths: - syft.json Loading