/grype-orb

A simple CircleCI orb used to install Grype and perform vulnerability scans

Primary LanguageShellMIT LicenseMIT

Grype Orb

CircleCI Grype Orb

An orb for simplifying Grype installation and performing vulnerability scans within CircleCI.

CircleCI Build Status CircleCI Orb Version GitHub License CircleCI Community

This is an unofficial Grype orb used for installing Grype in your CircleCI pipeline and performing vulnerability scans of your container images. Contributions are welcome!

Features

Secure By Design

  • Least Privilege: Installs to a user-owned directory by default, with no sudo usage anywhere in this orb.
  • Integrity: Checksum validation of all downloaded binaries using SHA-512.
  • Provenance: Installs directly from Grype's official releases page on GitHub. No third-party websites, domains, or proxies are used.
  • Confidentiality: All secrets and environment variables are handled in accordance with CircleCI's security recommendations and best practices.
  • Privacy: No usage data of any kind is collected or shipped back to the orb developer.

Info for security teams:

  • Required external access to allow, if running a locked down, self-hosted CircleCI pipeline on-prem:
    • github.com: For download and installation of the Grype tool.
    • toolbox-data.anchore.io: For updating the vulnerability database.

Example Usage

version: 2.1

orbs:
  grype: juburr/grype-orb@0.3.6

parameters:
  cimg_base_version:
    type: string
    default: "current-22.04"
  grype_version:
    type: string
    default: "0.82.1"

jobs:
  scan_container:
    docker:
      - image: cimg/base:<< pipeline.parameters.cimg_base_version >>
    parameters:
      image:
        type: string
        description: "container image to scan"
    steps:
      - checkout
      - grype/install:
          caching: true
          verify_checksums: strict
          version: << pipeline.parameters.grype_version >>
      - grype/log_version
      - grype/update_database
      - grype/scan_image:
          fail_on: critical
          image: gcr.io/distroless/base:latest
          output_file: gcr.distroless.base.grype.sarif
          output_format: sarif
      - run:
          name: Log Scan Results
          command: cat gcr.distroless.base.grype.sarif