Vulnerability Scanning in GitHub CI/CD Workflow using Grype

GitHub Actions CI/CD pipeline with Grype

What is Grype?

Grype is a vulnerability scanner for container images and filesystems. It’s processor is Anchore engine. Grype can scan a directory, container image or SBOM file.

Grype can be used in a CI/CD workflow to find out security issues in git PRs or to check main/master branches with scheduled workflow runs. When using in GitHub action workflow, you can use our Grype-based action to run vulnerability scans on code or container images during your CI workflows.

By default, it forces a workflow to fail when it finds vulnerabilities, we can disable this option and produce ‘sarif’ output and write ‘sarif’ output file to GitHub security.

In this quick start demo we are going to use a simple python application using Flask framework.

To demonstrate how Grype detects vulnerabilities, we are intentionally using a Flask package which has High CVE vulnerabilities in our codebase and a python:3.5 base image which has lot of vulnerabilities.

you can clone the demo repo locally to take a closer look.

we are going to use following workflow definition(.github/workflows/anchore-grype-scan.yml) for Grype security scanning as a GitHub action. This will scan root folder of actions base image after checkout, scan results are added to GitHub Security, in other step it will build a container image and scan it. Image scan results are also written to GitHub security by using sarif output.

name: anchore-grype-scanning

    branches: [ "master" ]
    branches: [ "master" ]
    - cron: '41 16 * * 0'

permissions: write-all

    runs-on: ubuntu-latest
    name: Anchore grype security scan
    - name: Checkout
      uses: actions/checkout@v2
    - name: Scan current project
      id: scan
      uses: anchore/scan-action@v2
        path: "./"
        fail-build: true
        acs-report-enable: true
    - name: upload Anchore scan SARIF report
      uses: github/codeql-action/upload-sarif@v1
        sarif_file: ${{ steps.scan.outputs.sarif }}
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v1

    - name: build local container
      uses: docker/build-push-action@v2
        tags: devops-counsel/anchore-demo:latest
        push: false
        load: true

    - name: Scan image
      uses: anchore/scan-action@v3
      id: imagescan
        image: "devops-counsel/anchore-demo:latest"
        acs-report-enable: "true"
        fail-build: false

    - name: upload Anchore Image scan SARIF report
      uses: github/codeql-action/upload-sarif@v1
        sarif_file: ${{ steps.imagescan.outputs.sarif }}

When we commit the code, GitHub actions will trigger a workflow for Grype security scanning. see below screen shot.

github actions

you can see workflow steps and container scan log details.

github action log

Under Security tab you can see there are 215 alerts.

github security

Click on “Code scanning alerts” to see the last scan results and open issues.

github security issues created Grype scanning

you can click on each alert and see details of the alert.

github security issue reported by Grype

Once we upgrade Python package version, docker base image version and commit new code, the alert will be closed in “Code scanning alerts” section automatically.

Instead of writing ‘sarif’ output to GitHub security, we can remove ‘fail-build: false‘ setting so it will force the workflow to fail.


In this quick demo, we have covered what is Grype and how to use it to scan a directory and Container Image. For further information you can read official documentation.

Find out about similar Security Scanning Tools:

Security Scanning in GitHub CI/CD workflow using Trivy

Security Vulnerability Scanning on GitHub code repo using CodeQL

Leave a Reply