This operation scans a Docker image using Grype and returns the scan results as plugin outputs. The scan report is also saved in the reports directory as ScanResults.json so it can be viewed later. It supports execution on both WINDOWS and LINUX endpoints. Both locally built and remote images can be scanned. This operation is available since 7.0.0.4.
...
Property Name | Property Code | Required | Description |
---|---|---|---|
Registry Account | | No | The Docker Registry account to use. Please refer to the link to set up the Docker Registry Account: Docker Registry Setup For Cloud Providers |
Grype Home | | No | If it is desired to use an external Grype, fill in the Grype Home here. Otherwise, Grype will be installed automatically for Linux. For Windows this path needs to be specified, if not already set in the system Path. Note: For auto installation one must be connected to the internet for the plugin operation to be able to download the grype utility. |
Grype Version | | No | In case of auto install of Grype, the specified version will be considered. If nothing is specified, the latest version will be installed. Note: Only valid for Linux. |
...
Input Name | Input Code | Required | Description |
---|---|---|---|
Docker Registry Account | | No | The Registry to pull the image to be scanned from. There are a couple of different places to specify this for convenience. In order of precedence: Please refer to the link to set up the Docker Registry Account: Docker Registry Setup For Cloud Providers |
Docker Image Name | | Yes | The full name of the image in the format: <ImageName>:<Tag>. Example: alpine:latest. |
Scan Fail Condition | | No | Specify the severity levels in CSV format for which the scan status should show as Fail, e.g.: critical,high. Note: it is case-insensitive. Single or multiple values in comma separated format are supported. |
Grype Configuration File | | No | Specify the path for an optional configuration yaml file to use when scanning. If an absolute path is not provided, the path is relative to the FD_ARTIFACTS_DIR directory. |
Show Output in log | | No | Show the scan result in tabular format in the plugin execution log. Default: True |
Additional Arguments | | No | Any other arguments that need to be passed for Grype execution, e.g.: --scope all-layers. |
...
Severity: Severity of the CVE.
Message: The code paths affected by the CVE.
Scan Rule: Concatenated value of the CVE Id and CVE namespace (found in the scan-results.json file under the vulnerability segment).
Scan Component: Concatenated, colon-separated value of the artifact name, artifact Id and artifact version (found in the scan-results.json file under the artifacts segment).
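As an added illustration of how the outputs above and the Scan Fail Condition input relate to the Grype report (example code, not part of the plugin), the script below parses a constructed report in the shape of Grype's JSON output, derives the Scan Rule and Scan Component strings, and applies a case-insensitive fail condition. It assumes the report has a top-level `matches` list whose entries carry `vulnerability` and `artifact` objects; the `:` separator used for Scan Rule is an assumption.

```python
import json

# Constructed sample in the shape of a Grype JSON report (assumption: a
# top-level "matches" list with "vulnerability" and "artifact" objects;
# only the fields used below are included).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "namespace": "alpine:distro:alpine:3.18"},
         "artifact": {"id": "abc123", "name": "openssl", "version": "3.1.0-r0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                           "namespace": "alpine:distro:alpine:3.18"},
         "artifact": {"id": "def456", "name": "zlib", "version": "1.2.13-r0"}},
    ]
})


def parse_fail_condition(csv_value):
    """Turn the 'Scan Fail Condition' CSV input (e.g. 'critical, High') into a
    set of lower-case severities; an empty input means nothing fails the scan."""
    return {s.strip().lower() for s in (csv_value or "").split(",") if s.strip()}


def summarize(report_json, fail_condition=""):
    """Build plugin-style outputs from a Grype report and decide Pass/Fail."""
    fail_levels = parse_fail_condition(fail_condition)
    findings = []
    for match in json.loads(report_json).get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        findings.append({
            "severity": vuln.get("severity", "Unknown"),
            # Scan Rule: CVE Id joined with its namespace (separator assumed)
            "scan_rule": f"{vuln['id']}:{vuln.get('namespace', '')}",
            # Scan Component: artifact name, Id and version, colon separated
            "scan_component": f"{art['name']}:{art.get('id', '')}:{art['version']}",
        })
    # Case-insensitive comparison, as the Scan Fail Condition input specifies
    failed = any(f["severity"].lower() in fail_levels for f in findings)
    return {"findings": findings, "status": "Fail" if failed else "Pass"}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT, "critical,high"), indent=2))
```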
...