⚡ Find threats in files or containers at lightning speed ⚡
This is a GitHub Action for invoking the grype scanner and returning the vulnerabilities found, and optionally fail if a vulnerability is found with a configurable severity level.
Use this in your workflows to quickly verify files or containers' content after a build and before pushing, allowing PRs, or deploying updates.
The action invokes the grype command-line tool, with these benefits:
- Runs locally, without sending data outbound - no credentials required!
- Speedy scan operations
- Scans both paths and container images
- Easy failure evaluation depending on vulnerability severity
The example workflows have lots of usage examples for scanning both containers and directories.
By default, a scan will produce very detailed output on system packages like an RPM or DEB, but also language-based packages. These are some of the supported packages and libraries:
Supported Linux Distributions:
- Alpine
- BusyBox
- CentOS and RedHat
- Debian and Debian-based distros like Ubuntu
Supported packages and libraries:
- Ruby Bundles
- Python Wheel, Egg,
requirements.txt - JavaScript NPM/Yarn
- Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
- Go modules
The simplest workflow for scanning a localbuild/testimage container:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: build local container
uses: docker/build-push-action@v2
with:
tags: localbuild/testimage:latest
push: false
load: true
- name: Scan image
uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"To scan a directory, add the following step:
- name: Scan current project
uses: anchore/scan-action@v2
with:
path: "."The path key allows any valid path for the current project. The root of the path ("." in this example) is the repository root.
By default, if any vulnerability at medium or higher is seen, the build fails. To have the build step fail in cases where there are vulnerabilities with a severity level different than the default, set the severity-cutoff field to one of low, high, or critical:
With a different severity level:
- name: Scan image
uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: true
severity-cutoff: criticalOptionally, change the fail-build field to false to avoid failing the build regardless of severity:
- name: Scan image
uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: falseThe only required key is image; all the other keys are optional. These are all the available keys to configure this action, along with its defaults:
| Input Name | Description | Default Value |
|---|---|---|
image |
The image to scan | N/A |
debug |
Verbose logging output | false |
fail-build |
Fail the build if a vulnerability is found with a higher severity. That severity defaults to "medium" and can be set with severity-cutoff. |
false |
grype-version |
An optional parameter to specify a specific version of grype to use for the scan. Default is the version locked to the scan-action release |
0.1.0 |
acs-report-enable |
Optionally, enable the feature that causes a result.sarif report to be generated after successful action execution. This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report. | false |
severity-cutoff |
With ACS reporting enabled, optionally specify the minimum vulnerability severity to trigger an "error" level ACS result. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | "medium" |
| Output Name | Description | Type |
|---|---|---|
| vulnerabilities | Path to a JSON file with the list of vulnerabilities found in image | string |
| sarif | Path to a SARIF report file | string |
As a result of the action, you'll get a JSON file in the anchore-reports directory in the workspace:
vulnerabilities.json- Vulnerabilities found in the image
Assuming your repository has a Dockerfile in the root directory:
name: Container Image CI
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build the container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
with:
image: "localbuild/testimage:latest"
fail-build: true
- name: grype scan JSON results
run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; doneSame example as above, but with Automated Code Scanning (ACS) feature enabled - with this example, the action will generate a SARIF report, which can be uploaded and then displayed as a Code Scanning Report in the GitHub UI.
💡 Code Scanning is a Github service that is currently in Beta. Follow the instructions on how to enable this service for your project.
name: Container Image CI
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build the Container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
id: scan
with:
image: "localbuild/testimage:latest"
acs-report-enable: true
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.scan.outputs.sarif }}Optionally, you can add a step to inspect the SARIF report produced:
- name: Inspect action SARIF report
run: cat ${{ steps.scan.outputs.sarif }}We love contributions, feedback, and bug reports. For issues with the invocation of this action, file issues in this repository.
For contributing, see Contributing.
For documentation on Grype itself, including other output capabilities, see the grype project
Connect with the community directly on slack. These channels from Anchore's toolbox project are ideal for engaging development of help-related discussions:
- toolbox-dev
- toolbox-help