This is an unofficial Grype orb used for installing Grype in your CircleCI pipeline and performing vulnerability scans of your container images. Contributions are welcome!
- Least Privilege: Installs to a user-owned directory by default, with no
sudo
usage anywhere in this orb. - Integrity: Checksum validation of all downloaded binaries using SHA-512.
- Provenance: Installs directly from Grype's official releases page on GitHub. No third-party websites, domains, or proxies are used.
- Confidentiality: All secrets and environment variables are handled in accordance with CircleCI's security recommendations and best practices.
- Privacy: No usage data of any kind is collected or shipped back to the orb developer.
Info for security teams:
- Required external access to allow, if running a locked down, self-hosted CircleCI pipeline on-prem:
github.com
: For download and installation of the Grype tool.toolbox-data.anchore.io
: For updating the vulnerability database.
version: 2.1
orbs:
grype: juburr/grype-orb@0.3.6
parameters:
cimg_base_version:
type: string
default: "current-22.04"
grype_version:
type: string
default: "0.82.1"
jobs:
scan_container:
docker:
- image: cimg/base:<< pipeline.parameters.cimg_base_version >>
parameters:
image:
type: string
description: "container image to scan"
steps:
- checkout
- grype/install:
caching: true
verify_checksums: strict
version: << pipeline.parameters.grype_version >>
- grype/log_version
- grype/update_database
- grype/scan_image:
fail_on: critical
image: gcr.io/distroless/base:latest
output_file: gcr.distroless.base.grype.sarif
output_format: sarif
- run:
name: Log Scan Results
command: cat gcr.distroless.base.grype.sarif