This is an unofficial Grype orb used for installing Grype in your CircleCI pipeline and performing vulnerability scans of your container images. Contributions are welcome!
- Least Privilege: Installs to a user-owned directory by default, with no `sudo` usage anywhere in this orb.
- Integrity: Checksum validation of all downloaded binaries using SHA-512.
- Provenance: Installs directly from Grype's official releases page on GitHub. No third-party websites, domains, or proxies are used.
- Confidentiality: All secrets and environment variables are handled in accordance with CircleCI's security recommendations and best practices.
- Privacy: No usage data of any kind is collected or shipped back to the orb developer.
Info for security teams:
- Required external access to allow, if running a locked down, self-hosted CircleCI pipeline on-prem:
  - `github.com`: For download and installation of the Grype tool.
  - `toolbox-data.anchore.io`: For updating the vulnerability database.
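The Integrity bullet above and the `verify_checksums: strict` install parameter describe pinned SHA-512 verification of the downloaded Grype binary. The following is an added example, not the orb's own code, showing how such a check behaves: a `sha512sum`-style pin list (constructed), a genuine file, a tampered copy and a file with no pin. That `strict` rejects an unpinned file while a `warn` mode only logs is an assumption about the parameter's semantics; the archive names follow Grype's release naming but the bytes are fake.

```python
"""Added example, not the orb's own code: SHA-512 verification of a downloaded
release archive against a pinned checksum list, with the two behaviours the
orb's ``verify_checksums`` parameter suggests (assumption): in ``strict`` mode a
file with no pin is rejected, in ``warn`` mode it is installed with a warning.
The checksum list format (``sha512sum`` output) and the sample files are
constructed for illustration."""
import hashlib
import hmac
import os
import tempfile


class ChecksumError(Exception):
    """A download failed integrity verification and must not be installed."""


def parse_checksum_list(text: str) -> dict:
    """Parse ``sha512sum``-style lines ('<128 hex chars>  <filename>') into {filename: hexdigest}."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 128:
            raise ChecksumError(f"malformed checksum line: {line!r}")
        # sha512sum marks binary-mode entries with a leading '*' on the filename
        pins[parts[1].lstrip("*")] = parts[0].lower()
    return pins


def sha512_of_file(path: str) -> str:
    """Stream the file through SHA-512 so large archives need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, pins: dict, mode: str = "strict") -> str:
    """Return 'ok' or 'unpinned'; raise ChecksumError when the file must not be installed."""
    if mode not in ("strict", "warn"):
        raise ValueError(f"unknown mode {mode!r}")
    name = os.path.basename(path)
    expected = pins.get(name)
    if expected is None:
        if mode == "strict":
            raise ChecksumError(f"no pinned SHA-512 for {name}; refusing to install")
        print(f"warning: no pinned SHA-512 for {name}, installing unverified")
        return "unpinned"
    actual = sha512_of_file(path)
    # constant-time comparison; a mismatch means a corrupted or substituted download
    if not hmac.compare_digest(actual, expected):
        raise ChecksumError(f"SHA-512 mismatch for {name}: expected {expected[:16]}..., got {actual[:16]}...")
    return "ok"


def _outcome(path: str, pins: dict, mode: str) -> str:
    try:
        return verify_download(path, pins, mode)
    except ChecksumError:
        return "rejected"


def demo() -> dict:
    """Constructed scenario: a genuine archive, a tampered copy of it, and a version with no pin."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = "grype_0.85.0_linux_amd64.tar.gz"  # release-style name; the bytes below are fake
        good = os.path.join(tmp, archive)
        with open(good, "wb") as fh:
            fh.write(b"constructed archive bytes, not a real Grype release\n")
        # the pin list is generated from the genuine file, as a maintainer would do once per version
        pins = parse_checksum_list(f"# pinned by hand\n{sha512_of_file(good)}  {archive}\n")

        os.mkdir(os.path.join(tmp, "tampered"))
        tampered = os.path.join(tmp, "tampered", archive)
        with open(tampered, "wb") as fh:
            fh.write(b"constructed archive bytes, not a real Grype release\n\x00")

        unpinned = os.path.join(tmp, "grype_9.9.9_linux_amd64.tar.gz")  # made-up version, no pin
        with open(unpinned, "wb") as fh:
            fh.write(b"whatever\n")

        return {
            "genuine": _outcome(good, pins, "strict"),
            "tampered": _outcome(tampered, pins, "strict"),
            "unpinned_strict": _outcome(unpinned, pins, "strict"),
            "unpinned_warn": _outcome(unpinned, pins, "warn"),
        }


if __name__ == "__main__":
    print(demo())
```

The filename, not the full path, is the key into the pin list, so the same list works wherever the install step downloads to; the comparison uses `hmac.compare_digest` simply as the habitual way to compare digests.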
Example `.circleci/config.yml` using the orb:

```yaml
version: 2.1

orbs:
  grype: juburr/[email protected]

parameters:
  cimg_base_version:
    type: string
    default: "current-22.04"
  grype_version:
    type: string
    default: "0.85.0"

jobs:
  scan_container:
    docker:
      - image: cimg/base:<< pipeline.parameters.cimg_base_version >>
    parameters:
      image:
        type: string
        description: "container image to scan"
    steps:
      - checkout
      - grype/install:
          caching: true
          verify_checksums: strict
          version: << pipeline.parameters.grype_version >>
      - grype/log_version
      - grype/update_database
      - grype/scan_image:
          fail_on: critical
          # fixed image; the job's `image` parameter above is not referenced in this example
          image: gcr.io/distroless/base:latest
          output_file: gcr.distroless.base.grype.sarif
          output_format: sarif
      - run:
          name: Log Scan Results
          command: cat gcr.distroless.base.grype.sarif
```
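The `scan_image` step above writes a SARIF report and gates the job with `fail_on: critical`; the final step only prints the raw file. As an added example (not the orb's or Grype's own code), the following reads such a report and re-derives the gate from it, which is useful when a later job or a dashboard needs the per-severity counts. It reads only standard SARIF 2.1.0 fields; severity bands are taken from each rule's `security-severity` property using the CVSS-style banding GitHub code scanning documents, with the SARIF `level` as a fallback. That Grype populates `security-severity` is an assumption, and the embedded report, including its rule ids, is constructed.

```python
"""Added example, not the orb's own code: consume the SARIF file written by the
scan step and apply a ``fail_on``-style severity gate to it. Only standard SARIF
2.1.0 fields are read. Severity comes from each rule's ``security-severity``
property (CVSS-style 0..10 score; banding follows GitHub code scanning's
convention, and it is an assumption that the scanner fills it in), falling back
to the SARIF ``level``. The embedded report is constructed."""
import json

SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Fallback when a rule carries no numeric score; SARIF levels are coarser than scanner severities (assumption).
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "negligible"}


def severity_from_score(score: float) -> str:
    """Map a CVSS-style 0..10 score to a severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "negligible"


def summarize_sarif(doc: dict) -> dict:
    """Count results per severity band across all runs in a SARIF document."""
    counts = {band: 0 for band in SEVERITY_ORDER}
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:
                band = severity_from_score(float(score))
            else:
                band = LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")
            counts[band] += 1
    return counts


def should_fail(counts: dict, fail_on: str) -> bool:
    """True when any finding sits at or above the fail_on band (e.g. 'critical' or 'high')."""
    if fail_on not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {fail_on!r}")
    threshold = SEVERITY_ORDER.index(fail_on)
    return any(counts[band] > 0 for band in SEVERITY_ORDER[threshold:])


# Constructed SARIF report: rule ids and scores are placeholders, not real advisories.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "grype", "rules": [
      {"id": "CVE-0000-0001-examplelib", "properties": {"security-severity": "9.8"}},
      {"id": "CVE-0000-0002-examplelib", "properties": {"security-severity": "7.5"}},
      {"id": "CVE-0000-0003-othertool", "properties": {"security-severity": "3.1"}},
      {"id": "CVE-0000-0004-noscore"}
    ]}},
    "results": [
      {"ruleId": "CVE-0000-0001-examplelib", "level": "error", "message": {"text": "placeholder"}},
      {"ruleId": "CVE-0000-0002-examplelib", "level": "error", "message": {"text": "placeholder"}},
      {"ruleId": "CVE-0000-0003-othertool", "level": "note", "message": {"text": "placeholder"}},
      {"ruleId": "CVE-0000-0004-noscore", "level": "warning", "message": {"text": "placeholder"}}
    ]
  }]
}
""")


def gate(doc: dict, fail_on: str = "critical") -> tuple:
    """Return (counts, fail); a CI step would exit non-zero when fail is True."""
    counts = summarize_sarif(doc)
    return counts, should_fail(counts, fail_on)


if __name__ == "__main__":
    counts, fail = gate(SAMPLE_SARIF, "critical")
    print(counts, "FAIL" if fail else "PASS")
```

To run it against the job above, load `gcr.distroless.base.grype.sarif` with `json.load` and pass the document to `gate`; the counts dictionary is what you would publish as a job artifact or post to a ticket.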