During my constant research on pipeline tools, I found a fantastic security scanner for Docker images, something you can quickly put to use for CI/CD and DevSecOps in your development. It’s named anchore/grype and, best of all, it’s open source, really fast and offers many nice options for reports.
Requirements
- Docker installed (to pull images)
Hint: You can also load and scan *.tar archives.
Objective
A short introduction to the installation and usage of Grype (locally, for evaluation).
Note: The later integration into your pipelines shouldn’t be a problem. I will add the Grype repository to my watchlist and will certainly try it out in my pipelines.
Installation and default configuration
This first step should only take a few minutes.
# install the latest version to /usr/local/bin
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# install the latest version to ~/Downloads
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ~/Downloads
# move the binary to /usr/local/bin/grype (if you chose a different location)
$ mv ~/Downloads/grype /usr/local/bin/grype
# create configuration file
$ vim ~/.grype.yaml
# show help
$ grype --help
I copied the content, in short form, from the official GitHub repository. You can adapt it to your needs at any time.
check-for-app-update: true
fail-on-severity: ''
output: "table"
scope: "squashed"
quiet: false
db:
  auto-update: true
  cache-dir: "~/.grype/db"
  update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
log:
  file: ""
  level: "error"
  structured: false
Prepare the database
The Anchore Feed Service provides regular updates about publicly known vulnerabilities. In this section I will guide you through fetching the updates manually.
# check database status (optional)
$ grype db status
# check feed service for new updates
$ grype db check
# run database update
$ grype db update
# verify db files (optional)
$ ls -la ~/.grype/db/
Usage examples
Even though the usage of Grype is very simple, here are some short examples.
# scan image with configuration settings
$ grype node
# scan for vulnerabilities on all image layers and set the output format
$ grype --scope all-layers -o cyclonedx node
# stop with exit code 1 if a finding of severity high is found
$ grype --fail-on high node
# show last exit status (optional)
$ echo $?
To stop your validation/pipeline on certain severities of security risks (exit code 1), you can choose between the following options: negligible, low, medium, high and critical.
Hint: To save the reports, you can redirect the output stream to a file.
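The severity gate behind --fail-on, reimplemented over a saved JSON report so a pipeline can evaluate a redirected report after the scan. This is an added example, not code from Grype or the original post; the sample report is constructed and assumes the matches[].vulnerability.severity / matches[].artifact layout of `grype -o json` output, and findings with a label outside the five known severities are treated as never triggering the gate.

```python
"""Pipeline gate over a saved Grype JSON report: mirrors `grype --fail-on <severity>`."""
import json
import sys

# Severity order used by --fail-on, lowest to highest.
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample in the shape of `grype -o json <image>` output, trimmed to
# the fields used here (real reports carry many more). IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Medium"},
         "artifact": {"name": "libexample", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High"},
         "artifact": {"name": "othertool", "version": "2.3.4"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Unknown"},
         "artifact": {"name": "pkg", "version": "0.1"}},
    ]
})


def severity_rank(severity):
    """Position of a severity label in SEVERITY_ORDER; unknown labels get -1 (assumption)."""
    try:
        return SEVERITY_ORDER.index(severity.lower())
    except ValueError:
        return -1


def findings_at_or_above(report_json, fail_on):
    """Matches whose severity is at or above fail_on, highest severity first."""
    threshold = severity_rank(fail_on)
    if threshold < 0:
        raise ValueError(f"unknown severity {fail_on!r}; use one of {SEVERITY_ORDER}")
    matches = json.loads(report_json).get("matches", [])
    hits = [m for m in matches
            if severity_rank(m["vulnerability"]["severity"]) >= threshold]
    return sorted(hits, key=lambda m: severity_rank(m["vulnerability"]["severity"]),
                  reverse=True)


def gate(report_json, fail_on):
    """Exit code for the pipeline: 1 if any finding meets the threshold, else 0."""
    return 1 if findings_at_or_above(report_json, fail_on) else 0


if __name__ == "__main__":
    # usage: python gate.py <report.json> <severity>   (report from `grype -o json node > report.json`)
    data = open(sys.argv[1]).read()
    for m in findings_at_or_above(data, sys.argv[2]):
        v, a = m["vulnerability"], m["artifact"]
        print(f"{v['severity']:<10} {v['id']:<20} {a['name']} {a['version']}")
    sys.exit(gate(data, sys.argv[2]))
```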
Clean up
Don’t forget to clean up your system!
# list all Docker images (optional)
$ docker images
# delete specific Docker image by name
$ docker rmi node