docker/grype.yml +2 −1 @@ -7,6 +7,7 @@ variables: GRYPE_SCOPE: "Squashed" GRYPE_OUTPUT_FORMAT: "table" GRYPE_FAIL_ON: "medium" GRYPE_EXTRA_ARGS: "" grype: image: registry.gitlab.com/just-ci/images/grype:latest @@ -20,4 +21,4 @@ grype: echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')" echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]" - grype version - grype --scope=${GRYPE_SCOPE} --fail-on=${GRYPE_FAIL_ON} --output=${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} - grype --scope=${GRYPE_SCOPE} --fail-on=${GRYPE_FAIL_ON} --output=${GRYPE_OUTPUT_FORMAT} ${GRYPE_EXTRA_ARGS} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}
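Review bot: The new `${GRYPE_EXTRA_ARGS}` on the final `grype` line is never echoed, although the `echo` lines just above it print the other settings, so the job log will not show when extra flags have narrowed the scan. I would add `echo "GRYPE_EXTRA_ARGS=${GRYPE_EXTRA_ARGS} additional arguments appended to the grype command (default '')"` next to the existing echo lines. The expansion is unquoted, which is what lets several flags split into separate words, but it also makes the value subject to globbing and places it after `--fail-on`, so it is worth a one-line comment on the variable stating that it can change the gate. The script block starts outside the hunk.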
pipelines/docker.yml +6 −1 @@ -24,6 +24,11 @@ image: entrypoint: [""] grype: # this job will fail only for vulnerabilities where there is an update available # users can whitelist vulnerabilities with a grype.yaml file # https://github.com/anchore/grype#specifying-matches-to-ignore before_script: - export GRYPE_IMAGE="${KANIKO_REGISTRY_IMAGE}:${KANIKO_DEV_TAG}" allow_failure: true variables: GRYPE_EXTRA_ARGS: "--only-fixed" GRYPE_FAIL_ON: "low"
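Review bot: The comment added under `grype:` says the job fails only for vulnerabilities with an update available, but it does not say that `--only-fixed`, as far as I know grype's behaviour, also drops findings without a fix from the result, so an unfixed high or critical issue is neither gating nor listed in this job's table. I would extend the comment with `# --only-fixed hides findings that have no fix yet; run a scan without it to see them`, or add a separate non-blocking report job. The rendered page has lost its +/- markers, so please confirm that `allow_failure: true` is the removed line; if it is still set, the job cannot block the pipeline and the new comment is misleading. Because the ignore rules live in a file inside the repository, changes to that file deserve the same review as code.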