https://github.com/anchore/grype
Vulnerability scanner CLI from Anchore for container images, directories/filesystems and SBOMs (companion to Syft). It matches OS and language packages against known CVEs; it does not look for leaked secrets or misconfigurations, so pair it with a separate tool for those.
Scans:
- Directories / filesystems for OS and language packages with known CVEs
- Docker images for CVE package vulnerabilities (optionally every layer, not just the squashed image)
On Mac, using Homebrew:
brew install grype
Or download the latest binary from GitHub, or a specific version, using this DevOps-Bash-tools script:
install_grype.sh # "$version"
which installs to /usr/local/bin/grype, or to $HOME/bin/grype if you don't have write permission to /usr/local/bin.
Filesystem scan, exiting with code 1 if any HIGH or CRITICAL issues are found (--fail-on triggers on the given severity and everything above it, so 'high' also catches critical):
grype dir:"$dir" --verbose --fail-on 'high'
Scan container images:
grype "$docker_image" --verbose --scope all-layers --fail-on 'high'
Scan the docker image for a given running container (docker inspect returns the image ID the container was actually started from, so this still scans the right image even if the tag has since been moved; the docker: prefix forces grype to read it from the local daemon):
grype "docker:$(docker inspect --format='{{.Image}}' "$container_id_or_name")" --verbose --scope all-layers --fail-on 'high'
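The commands above rely on --fail-on to turn a scan into a pass/fail gate. When you need a finer policy than a single threshold (for example, failing only on findings that already have a fix available, or exporting the offending packages to a ticket), it is easier to have grype emit JSON with -o json and apply the gate yourself. The script below is an added example, not Grype's own code: it reproduces the --fail-on semantics (threshold severity and everything above it) over a grype JSON report, with an only_fixed switch that mirrors grype's --only-fixed flag. The severity labels and the matches[].vulnerability / matches[].artifact / fix.state field names follow grype's JSON output as I know it; the ordering of "Unknown" at the bottom and the sample report embedded at the end are this script's own assumptions and constructed data, so check them against your grype version before relying on the gate.

```python
#!/usr/bin/env python3
"""Severity gate over Grype JSON output (added example, not part of Grype).

Usage:
    grype "$docker_image" -o json > grype.json
    python3 grype_gate.py grype.json high            # like --fail-on high
    python3 grype_gate.py grype.json high --only-fixed
Exit status is 1 when any match is at or above the threshold, else 0.
"""
import json
import sys

# Grype severity labels, lowest to highest. Placing "Unknown" first is an
# assumption of this script: an unrated vulnerability never trips the gate.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


def severity_rank(label):
    """Map a severity label in any case ('high', 'HIGH') to its rank."""
    try:
        return SEVERITY_ORDER.index(str(label).capitalize())
    except ValueError:
        return 0  # unrecognised label: treated like Unknown


def findings_at_or_above(report, threshold, only_fixed=False):
    """Return (package, version, vuln id, severity) for each match whose
    severity is at or above `threshold`. With only_fixed, matches whose
    fix.state is not 'fixed' are dropped (mirrors grype --only-fixed)."""
    floor = severity_rank(threshold)
    hits = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        if severity_rank(vuln.get("severity", "Unknown")) < floor:
            continue
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        art = match["artifact"]
        hits.append((art["name"], art["version"], vuln["id"], vuln["severity"]))
    return hits


def gate(report, threshold, only_fixed=False):
    """Return the exit code the gate would produce: 1 on any hit, else 0."""
    return 1 if findings_at_or_above(report, threshold, only_fixed) else 0


# Constructed sample in the shape of `grype -o json`; the CVE ids are
# placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "othertool", "version": "0.9"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["2.0"]}},
         "artifact": {"name": "parserlib", "version": "1.9"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Unknown",
                           "fix": {"state": "unknown", "versions": []}},
         "artifact": {"name": "mystery", "version": "0.1"}},
    ]
}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    with open(sys.argv[1]) as fh:
        data = json.load(fh)
    fixed_only = "--only-fixed" in sys.argv[3:]
    for name, version, vuln_id, sev in findings_at_or_above(data, sys.argv[2], fixed_only):
        print(f"{sev:<10} {vuln_id:<18} {name} {version}")
    sys.exit(gate(data, sys.argv[2], fixed_only))
```

Run against the sample, a threshold of high reports two findings and exits 1; adding --only-fixed drops the unfixed High and leaves just the Critical, which is usually the policy teams actually want in CI so that builds are not blocked on CVEs nobody can patch yet.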
Jenkins CI/CD functions for running Grype are available here: