Property Name | Property Code | Required | Description |
---|---|---|---|
Registry Account | FDANCR_REGISTRY_ACCOUNT_CODE | No | The Docker Registry account to use. Please refer to the link to set up the Docker Registry Account: Docker Registry Setup For Cloud Providers |
Grype Home | FDANCR_GRYPE_HOME | No | If an external Grype is to be used, fill in the Grype home here. Otherwise, Grype is installed automatically on Linux. On Windows this path must be specified unless Grype is already on the system Path. Note: auto installation requires an internet connection so the plugin operation can download the grype utility. |
Grype Version | FDANCR_GRYPE_VERSION | No | When Grype is auto-installed, the specified version is used. If nothing is specified, the latest version is installed. Note: only valid for Linux. |
Inputs
Input Name | Input Code | Required | Description |
---|---|---|---|
Docker Registry Account | | No | The registry to pull the image to be scanned from. For convenience there are a couple of different places to specify this. In order of precedence: Please refer to the link to set up the Docker Registry Account: Docker Registry Setup For Cloud Providers |
Docker Image Name | | Yes | The full name of the image in the format <ImageName>:<Tag>. Example: alpine:latest. For remote images, the image name must include the registry name. |
Scan Fail Condition | | No | Specify the severity levels, in CSV format, for which the scan status should show as Fail, e.g. critical,high. Note: values are case-insensitive; a single value or multiple comma-separated values are supported. |
Grype Configuration File | | No | Specify the path of an optional configuration YAML file to use when scanning. If the path is not absolute, it is relative to the FD_ARTIFACTS_DIR directory. |
Show Output in log | | No | Show the scan result in tabular format in the plugin execution log. Default: True |
Additional Arguments | | No | Any other arguments that need to be passed to the Grype execution, e.g. --scope all-layers. |
Outputs
Plugin Output | Description | Example |
---|---|---|
 | If | WARN/STOP |
 | If | SUCCESS/FAILED |
 | An integer count of the number of CRITICAL severity vulnerabilities detected for the image. | 2 |
 | An integer count of the number of HIGH severity vulnerabilities detected for the image. | 10 |
 | A full list of all severity counts returned. | 30 |
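As an added illustration (not the plugin's own code), the following Python shows how the Scan Fail Condition input and the severity-count and SUCCESS/FAILED outputs above can be derived from a Grype JSON report (as produced by `grype <image> -o json`). The report is a constructed sample containing only the `matches[].vulnerability.severity` field the logic needs; the function names are assumptions.

```python
import json
from collections import Counter

# Constructed sample of a Grype JSON report (only the fields used here; IDs are placeholders).
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"}},
    {"vulnerability": {"id": "CVE-0000-0005", "severity": "Low"}},
    {"vulnerability": {"id": "CVE-0000-0006", "severity": "Negligible"}},
]})

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "NEGLIGIBLE", "UNKNOWN")


def parse_fail_condition(csv_value):
    """Turn the Scan Fail Condition input (e.g. "critical, High") into a set of
    upper-case severity names; blanks are ignored, unknown names are rejected."""
    levels = {s.strip().upper() for s in (csv_value or "").split(",") if s.strip()}
    unknown = levels - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity level(s) in fail condition: {sorted(unknown)}")
    return levels


def count_severities(report_json):
    """Count matches per severity in a Grype JSON report, case-insensitively."""
    counts = Counter()
    for match in json.loads(report_json).get("matches", []):
        severity = str(match.get("vulnerability", {}).get("severity", "")).upper()
        # Anything Grype did not classify is folded into UNKNOWN so the total stays exact.
        counts[severity if severity in SEVERITIES else "UNKNOWN"] += 1
    return {level: counts.get(level, 0) for level in SEVERITIES}


def evaluate_scan(report_json, fail_condition):
    """Derive the plugin-style outputs: CRITICAL/HIGH counts, all counts, the total,
    and a SUCCESS/FAILED status driven by the fail condition."""
    counts = count_severities(report_json)
    failing = parse_fail_condition(fail_condition)
    failed = any(counts[level] > 0 for level in failing)
    return {
        "critical_count": counts["CRITICAL"],
        "high_count": counts["HIGH"],
        "all_counts": counts,
        "total": sum(counts.values()),
        "status": "FAILED" if failed else "SUCCESS",
    }
```

An empty fail condition never fails the scan, which matches the input being optional; a misspelled level is rejected rather than silently ignored.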
For Linux, auto-installation of the Grype utility is supported, following the approach recommended by Anchore's official GitHub community. If the user provides a grype utility path of their choice in FDANCR_GRYPE_HOME, the plugin operation uses that path for subsequent execution; otherwise, if it is left blank, the plugin downloads the utility with the following curl command. The approach is similar to what we do for the Maven plugin.
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
Note: As mentioned already, this is only done for Unix systems. On Windows the utility has to be pre-installed, which can be done in several ways, such as choco install grype or through WSL 2.
If the user has selected a Docker Registry account, then the Registry Address, Username and Password/Token are fetched from that account's context and set as environment variables so that the grype command can authenticate. The plugin uses DockerPluginExecutionContext's getDockerRegistry to fetch the details.
Scan Results And Details:
Based on the critical, high, medium and low vulnerabilities discovered during scanning, the results render the view:
Note:
If a Grype-specific argument is present in the config file and is also specified in the plugin input, the value given in the plugin input takes precedence over the content of the config file. This is an inherent feature of the Grype utility: CLI arguments take priority over the same settings in the configuration file.
Property replacement is supported in the configuration YAML; however, it is strongly advised not to put credential details in it. Instead, use the plugin input or the Target Group property for the Registry Account specification, which points to the account created in the Integration → Containers page.
If the configuration file sets default-image-pull-source to "registry" and a local image is scanned, the scan will not work, since Grype will try to pull the image from Docker Hub or the remote registry. Please ensure it is not specified in this case.