Loading container/readme.md +22 −7 Original line number Diff line number Diff line Loading @@ -36,12 +36,17 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b grype:subdir_b: extends: .grype syft:subdir_b: extends: .syft variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b ``` ### Two Dockerfiles in two subdirectories Loading @@ -59,7 +64,7 @@ monorepo_subdir The first `Dockerfile`'s context can be set with just the variable. For every subsequent `Dockerfile`, you need to create jobs which extend `.kaniko` and `.grype`. The example below shows how. `.syft`. The example below shows how. ```yaml --- Loading @@ -76,12 +81,17 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b grype:subdir_b: extends: .grype syft:subdir_b: extends: .syft variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b ``` You can have as many subdirectories and Dockerfiles as you want. They can even Loading Loading 
@@ -112,12 +122,17 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b grype:subdir_b: extends: .grype syft:subdir_b: extends: .syft variables: IMAGE_NAME: subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b ``` ## Multiple architectures Loading container/grype.yml→container/syft.yml +34 −0 Original line number Diff line number Diff line --- include: - local: security/trivy.yml variables: SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD} GRYPE_FAIL_ON_THRESHOLD: critical GRYPE_EXTRA_ARGS: "" GRYPE_DEFAULT_ARGS: --only-fixed GRYPE_CVE_BLACKLIST_REGEX: CVE-xxx .grype: .syft: image: docker.io/alpine:3 stage: test script: Loading 
@@ -17,28 +16,19 @@ variables: echo "[*] Target image: ${TARGET_IMAGE}" - wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -qO- https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin # 0) get the SBOM from syft - syft packages ${TARGET_IMAGE} -o json > ${CI_PROJECT_DIR}/syft.json # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. - cat ${CI_PROJECT_DIR}/grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} artifacts: paths: - syft.json - grype.txt when: always allow_failure: true grype: extends: .grype syft: extends: .syft needs: - image:build trivy:image: extends: .trivy:sbom variables: TRIVY_TARGET: syft.json needs: - syft pipelines/container.yml +4 −1 Original line number Diff line number Diff line Loading @@ -4,9 +4,12 @@ include: - local: container/kaniko.yml - local: container/buildah.yml - local: container/docker.yml - local: container/grype.yml - local: container/syft.yml # set the project container dev image to the image for all jobs without a job-level default image image: name: ${IMAGE_NAME}:${IMAGE_DEV_TAG} entrypoint: [""] trivy:image: allow_failure: true tests/jobs/container.yml +1 −3 Original line number Diff line number Diff line Loading 
@@ -5,7 +5,5 @@ include: variables: IMAGE_CONTEXT: tests/mockup_projects/container/polyrepo grype: variables: GRYPE_FAIL_ON_THRESHOLD: "" syft: allow_failure: false tests/pipelines/container/monorepo.yml +11 −7 Original line number Diff line number Diff line Loading @@ -2,9 +2,6 @@ include: - local: pipelines/container.yml variables: GRYPE_FAIL_ON_THRESHOLD: "" image:build: variables: IMAGE_CONTEXT: ${CI_PROJECT_DIR}/tests/mockup_projects/container/monorepo/image_A # Absolute path Loading @@ -16,17 +13,24 @@ image:image_B: IMAGE_CONTEXT: tests/mockup_projects/container/monorepo/image_B/ # Relative path with a slash IMAGE_NAME: ${CI_REGISTRY_IMAGE}/its_here/image_b grype: syft: variables: IMAGE_CONTEXT: tests/mockup_projects/container/monorepo/image_A # Relative path IMAGE_NAME: ${CI_REGISTRY_IMAGE}/image_a allow_failure: false grype:image_B: extends: .grype syft:image_B: extends: .syft variables: IMAGE_CONTEXT: ${CI_PROJECT_DIR}/tests/mockup_projects/container/monorepo/image_B # Absolute path IMAGE_NAME: ${CI_REGISTRY_IMAGE}/its_here/image_b needs: - image:image_B trivy:image: allow_failure: false trivy:image:subdir_b: extends: trivy:image needs: - syft:image_B allow_failure: false Loading
container/readme.md +22 −7 Original line number Diff line number Diff line Loading @@ -36,12 +36,17 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b grype:subdir_b: extends: .grype syft:subdir_b: extends: .syft variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b ``` ### Two Dockerfiles in two subdirectories Loading @@ -59,7 +64,7 @@ monorepo_subdir The first `Dockerfile`'s context can be set with just the variable. For every subsequent `Dockerfile`, you need to create jobs which extend `.kaniko` and `.grype`. The example below shows how. `.syft`. The example below shows how. ```yaml --- Loading @@ -76,12 +81,17 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b grype:subdir_b: extends: .grype syft:subdir_b: extends: .syft variables: IMAGE_NAME: ${CI_REGISTRY_IMAGE}/subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b ``` You can have as many subdirectories and Dockerfiles as you want. They can even Loading Loading @@ -112,12 +122,17 @@ image:build:subdir_b: variables: IMAGE_CONTEXT: subdir_b grype:subdir_b: extends: .grype syft:subdir_b: extends: .syft variables: IMAGE_NAME: subdir_b needs: - image:build:subdir_b # Optional, but may speed up your pipeline trivy:image:subdir_b: extends: trivy:image needs: - syft:subdir_b ``` ## Multiple architectures Loading
container/grype.yml→container/syft.yml +34 −0 Original line number Diff line number Diff line --- include: - local: security/trivy.yml variables: SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD} GRYPE_FAIL_ON_THRESHOLD: critical GRYPE_EXTRA_ARGS: "" GRYPE_DEFAULT_ARGS: --only-fixed GRYPE_CVE_BLACKLIST_REGEX: CVE-xxx .grype: .syft: image: docker.io/alpine:3 stage: test script: Loading @@ -17,28 +16,19 @@ variables: echo "[*] Target image: ${TARGET_IMAGE}" - wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - wget -qO- https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin # 0) get the SBOM from syft - syft packages ${TARGET_IMAGE} -o json > ${CI_PROJECT_DIR}/syft.json # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. - cat ${CI_PROJECT_DIR}/grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file ${CI_PROJECT_DIR}/grype.txt --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} artifacts: paths: - syft.json - grype.txt when: always allow_failure: true grype: extends: .grype syft: extends: .syft needs: - image:build trivy:image: extends: .trivy:sbom variables: TRIVY_TARGET: syft.json needs: - syft
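Review bot: The `.syft` script still installs the scanner with `wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin`, an unpinned script fetched from the `main` branch and piped to `sh` inside a job that holds `SYFT_REGISTRY_AUTH_PASSWORD`; the commit removes the equivalent grype line but leaves this one untouched. Pin the installer to a released tag and verify its digest, or run syft from a digest-pinned image, so the SBOM step cannot change because of an upstream push. Separately, the new `trivy:image` job sets `TRIVY_TARGET: syft.json`, and that file is produced with `syft packages ${TARGET_IMAGE} -o json`, which I believe is syft's own JSON format; `.trivy:sbom` is defined outside this diff, so confirm it accepts that format rather than requiring CycloneDX or SPDX output. The `.syft` script body begins before the second hunk of this file.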
pipelines/container.yml +4 −1 Original line number Diff line number Diff line Loading @@ -4,9 +4,12 @@ include: - local: container/kaniko.yml - local: container/buildah.yml - local: container/docker.yml - local: container/grype.yml - local: container/syft.yml # set the project container dev image to the image for all jobs without a job-level default image image: name: ${IMAGE_NAME}:${IMAGE_DEV_TAG} entrypoint: [""] trivy:image: allow_failure: true
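Review bot: The added `trivy:image: allow_failure: true` makes the vulnerability scan advisory for every pipeline that includes this file, whereas the removed grype job failed by default on `--fail-on ${GRYPE_FAIL_ON_THRESHOLD}` and the blacklist grep; that behavioural change deserves a comment above the job, e.g. `# trivy:image is advisory by default; set allow_failure: false in the including project to gate the pipeline on findings`. The test in `tests/pipelines/container/monorepo.yml` already overrides it to `allow_failure: false`, which is the pattern worth documenting here.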
tests/jobs/container.yml +1 −3 Original line number Diff line number Diff line Loading @@ -5,7 +5,5 @@ include: variables: IMAGE_CONTEXT: tests/mockup_projects/container/polyrepo grype: variables: GRYPE_FAIL_ON_THRESHOLD: "" syft: allow_failure: false
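Review bot: Only `syft` is set to `allow_failure: false` here, while `trivy:image` inherits `allow_failure: true` from `pipelines/container.yml`, so a Trivy failure in the polyrepo test would not fail the test pipeline; the monorepo test in `tests/pipelines/container/monorepo.yml` does override `trivy:image: allow_failure: false`. Add the same override here, `trivy:image:` / `  allow_failure: false`, so the polyrepo test exercises the gating path too.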
tests/pipelines/container/monorepo.yml +11 −7 Original line number Diff line number Diff line Loading @@ -2,9 +2,6 @@ include: - local: pipelines/container.yml variables: GRYPE_FAIL_ON_THRESHOLD: "" image:build: variables: IMAGE_CONTEXT: ${CI_PROJECT_DIR}/tests/mockup_projects/container/monorepo/image_A # Absolute path Loading @@ -16,17 +13,24 @@ image:image_B: IMAGE_CONTEXT: tests/mockup_projects/container/monorepo/image_B/ # Relative path with a slash IMAGE_NAME: ${CI_REGISTRY_IMAGE}/its_here/image_b grype: syft: variables: IMAGE_CONTEXT: tests/mockup_projects/container/monorepo/image_A # Relative path IMAGE_NAME: ${CI_REGISTRY_IMAGE}/image_a allow_failure: false grype:image_B: extends: .grype syft:image_B: extends: .syft variables: IMAGE_CONTEXT: ${CI_PROJECT_DIR}/tests/mockup_projects/container/monorepo/image_B # Absolute path IMAGE_NAME: ${CI_REGISTRY_IMAGE}/its_here/image_b needs: - image:image_B trivy:image: allow_failure: false trivy:image:subdir_b: extends: trivy:image needs: - syft:image_B allow_failure: false
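Review bot: The new job is named `trivy:image:subdir_b` although everything else in this file uses `image_B` (`image:image_B`, `syft:image_B`, and the `needs: - syft:image_B` it declares); naming it `trivy:image:image_B` keeps the job names aligned with their dependencies and avoids copying the readme's `subdir_b` placeholder into a test. Both `syft` and `syft:image_B` write `${CI_PROJECT_DIR}/syft.json`, so each Trivy job presumably sees only the SBOM of the job listed in its `needs`; a short comment stating that assumption next to `needs: - syft:image_B` would help the next reader.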