
What is Grype?
Grype is a vulnerability scanner for container images and filesystems, built by Anchore. Grype can scan a directory, a container image or an SBOM file.
Grype can be used in a CI/CD workflow to find security issues in pull requests, or to check the main/master branch with scheduled workflow runs. In a GitHub Actions workflow you can use Anchore's Grype-based action (anchore/scan-action) to run vulnerability scans on code or container images during CI.
By default the action fails the workflow when it finds vulnerabilities. We can disable this option, produce SARIF output instead, and upload the SARIF file to GitHub Security so the findings show up as code scanning alerts.
In this quick start demo we are going to use a simple Python application built with the Flask framework.
To demonstrate how Grype detects vulnerabilities, we are intentionally using a Flask package with High-severity CVEs in our codebase and a python:3.5 base image, which has a lot of known vulnerabilities.
You can clone the demo repo locally to take a closer look.
We are going to use the following workflow definition (.github/workflows/anchore-grype-scan.yml) to run Grype security scanning as a GitHub action. After checkout it scans the repository root on the runner and uploads the results to GitHub Security; in later steps it builds a container image and scans that too. The image scan results are also written to GitHub Security using the SARIF output.
name: anchore-grype-scanning
on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '41 16 * * 0'
permissions: write-all
jobs:
  anchore_scan_job:
    runs-on: ubuntu-latest
    name: Anchore grype security scan
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      # Directory scan of the checked-out source tree.
      # Note: with fail-build: true the job stops here when findings are reported, so the
      # upload step below only runs on a clean scan unless it is given `if: always()`.
      - name: Scan current project
        id: scan
        uses: anchore/scan-action@v2
        with:
          path: "./"
          fail-build: true
          acs-report-enable: true
      - name: upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
      # Build the image locally (not pushed) so it can be scanned on the runner.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: build local container
        uses: docker/build-push-action@v2
        with:
          tags: devops-counsel/anchore-demo:latest
          push: false
          load: true
      # Image scan: fail-build is disabled, so findings go to GitHub Security via SARIF
      # instead of failing the workflow.
      - name: Scan image
        uses: anchore/scan-action@v3
        id: imagescan
        with:
          image: "devops-counsel/anchore-demo:latest"
          acs-report-enable: "true"
          fail-build: false
      - name: upload Anchore Image scan SARIF report
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.imagescan.outputs.sarif }}
When we commit the code, GitHub Actions triggers the Grype security scanning workflow; see the screenshot below.

You can see the workflow steps and the container scan log details.

Under the Security tab you can see there are 215 alerts.

Click on “Code scanning alerts” to see the last scan results and open issues.

You can click on each alert to see its details.

Once we upgrade the Python package version and the Docker base image version and commit the new code, the alert is closed automatically in the "Code scanning alerts" section.
Instead of writing SARIF output to GitHub Security, we can remove the 'fail-build: false' setting so that findings force the workflow to fail.
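To show what the two modes above actually decide on, here is an added example (not part of the original post or of the scan-action) that reads a Grype-style SARIF report, buckets findings by GitHub's security-severity bands and applies a severity cutoff the way fail-build does. The SARIF document, rule ids and package names are constructed sample data, not real scan output.

```python
"""Summarize a Grype-style SARIF report and apply a fail-build style severity gate."""
import json

# Constructed SARIF 2.1.0 fragment in the general shape the action uploads: each result
# references a rule whose properties carry a numeric "security-severity" score.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Grype", "rules": [
            {"id": "CVE-EXAMPLE-0001-flask", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-EXAMPLE-0002-libc6", "properties": {"security-severity": "4.3"}},
            {"id": "CVE-EXAMPLE-0003-zlib", "properties": {"security-severity": "9.8"}},
        ]}},
        "results": [
            {"ruleId": "CVE-EXAMPLE-0001-flask", "level": "error", "message": {"text": "flask"}},
            {"ruleId": "CVE-EXAMPLE-0002-libc6", "level": "warning", "message": {"text": "libc6"}},
            {"ruleId": "CVE-EXAMPLE-0003-zlib", "level": "error", "message": {"text": "zlib"}},
        ],
    }],
})

BANDS = ["negligible", "low", "medium", "high", "critical"]


def severity_band(score: float) -> str:
    """Map a security-severity score to the band GitHub code scanning displays (CVSS v3 ranges)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "negligible"


def summarize(sarif_text: str) -> dict:
    """Count findings per severity band; rules without a score count as negligible."""
    counts: dict = {}
    for run in json.loads(sarif_text)["runs"]:
        rules = run["tool"]["driver"].get("rules", [])
        scores = {r["id"]: float(r.get("properties", {}).get("security-severity", 0)) for r in rules}
        for res in run.get("results", []):
            band = severity_band(scores.get(res["ruleId"], 0.0))
            counts[band] = counts.get(band, 0) + 1
    return counts


def should_fail(counts: dict, cutoff: str = "medium") -> bool:
    """fail-build semantics: any finding at or above the cutoff band fails the job."""
    return any(counts.get(b, 0) > 0 for b in BANDS[BANDS.index(cutoff):])
```

Running `should_fail(summarize(SAMPLE_SARIF))` on the sample returns True, which is why the directory scan in the workflow fails the job while the image scan (fail-build: false) only uploads the report.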
Conclusion
In this quick demo we have covered what Grype is and how to use it to scan a directory and a container image. For further information you can read the official documentation.
Find out about similar Security Scanning Tools:
Security Scanning in GitHub CI/CD workflow using Trivy
Security Vulnerability Scanning on GitHub code repo using CodeQL