scanImage (Anchore)

This operation scans a Docker image using Grype and returns the scan results as plugin outputs. The scan report is also saved in the reports directory as ScanResults.json so it can be viewed later. It supports execution on both WINDOWS and LINUX endpoints, and can scan both locally built and remote images.

Target Properties

Registry Account (FDDKR_REGISTRY_ACCOUNT_CODE), Required: No
The Docker Registry account to use. Please refer to the link to set up the Docker Registry Account: Docker Registry Setup For Cloud Providers

Grype Home (FDANCR_GRYPE_HOME), Required: No
If an external Grype installation is to be used, fill in the Grype Home here. Otherwise, Grype will be installed automatically on Linux. On Windows this path must be specified unless Grype is already on the system Path.
Note: For auto installation the endpoint must be connected to the internet so that the plugin operation can download the grype utility.

Grype Version (FDANCR_GRYPE_VERSION), Required: No
In the case of auto install of Grype, the specified version will be installed. If nothing is specified, the latest version will be installed. Note: Only valid for Linux.

Inputs

Docker Registry Account (FDDKR_INP_REGISTRY_ACCOUNT_CODE), Required: No
The Registry to pull the image to be scanned from.
For convenience there are two places to specify this. In order of precedence:
  • This plugin input.
  • Target Property
Please refer to the link to set up the Docker Registry Account: Docker Registry Setup For Cloud Providers

Docker Image Name (FDANCR_INP_IMAGE_NAME), Required: Yes
The full name of the image in the format <ImageName>:<Tag>. Example: alpine:latest.
  • For remote images this should be the image name including the registry name.
  • For local images, ensure that no Registry Account code is specified in either the Target Property or the Plugin Input; otherwise Grype will try to fetch the image from the remote registry, which does not apply to local images.
Note: If FDANCR_INP_IMAGE_NAME starts with "/", then the registry address from FDDKR_REGISTRY_ACCOUNT_CODE or FDDKR_INP_REGISTRY_ACCOUNT_CODE is prepended automatically to FDANCR_INP_IMAGE_NAME to form the full image name.
Example: If FDANCR_INP_IMAGE_NAME=/nginximage and the registry address corresponding to FDDKR_REGISTRY_ACCOUNT_CODE is 898334.dkr.ecr.us-east-1.amazonaws.com, then the plugin uses the image name 898334.dkr.ecr.us-east-1.amazonaws.com/nginximage.

Scan Fail Condition (FDANCR_INP_SCAN_SEV_FAIL_CONDITION), Required: No
Specify the severity levels, in comma separated (CSV) format, for which the scan status should show as Fail, e.g. critical,high. Single or multiple values are supported. Note: matching is case-insensitive.

Grype Configuration File (FDANCR_INP_CONFIG), Required: No
Specify the path of an optional configuration yaml file to use when scanning. If the path is not absolute, it is resolved relative to the FD_ARTIFACTS_DIR directory.

Show Output in log (FDANCR_INP_SHOW_OUTPUT), Required: No
Show the scan result in tabular format in the plugin execution log. Default: True

Additional Arguments (FDANCR_INP_ADDITIONAL_ARGS), Required: No
Any other arguments to be passed to the Grype execution, e.g. --scope all-layers.
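The registry precedence (plugin input before target property) and the leading "/" rule for FDANCR_INP_IMAGE_NAME described in the inputs above, written out as an added Python example. This is not the plugin's own code: the helper names are hypothetical, the registry addresses are constructed, and the error raised for a "/"-prefixed name with no registry configured is my own choice, since the documentation does not say what the plugin does in that case.

```python
# Added example (not the plugin's own code). Shows how the Docker Registry Account
# precedence and the leading-"/" rule combine to form the image reference Grype scans.
# Helper names are hypothetical; registry addresses in tests/usage are constructed.


def select_registry(plugin_input_registry=None, target_property_registry=None):
    """Pick the registry address following the documented precedence:
    plugin input (FDDKR_INP_REGISTRY_ACCOUNT_CODE) first, then the target property
    (FDDKR_REGISTRY_ACCOUNT_CODE). Returns None when neither is set."""
    for candidate in (plugin_input_registry, target_property_registry):
        if candidate and candidate.strip():
            return candidate.strip()
    return None


def is_local_scan(plugin_input_registry=None, target_property_registry=None):
    """True when no registry account is configured anywhere, which is the
    precondition the documentation gives for scanning a locally built image."""
    return select_registry(plugin_input_registry, target_property_registry) is None


def resolve_image_name(image_name, plugin_input_registry=None, target_property_registry=None):
    """Return the full image reference the scan will use.

    Rules taken from the documentation:
      * a value starting with "/" gets the selected registry address prepended;
      * any other value is used as given (remote names already carry the registry).
    Raising ValueError for a "/"-prefixed name without any registry is an assumption
    made here, because there is nothing to prepend.
    """
    name = (image_name or "").strip()
    if not name:
        raise ValueError("FDANCR_INP_IMAGE_NAME is required")
    registry = select_registry(plugin_input_registry, target_property_registry)
    if name.startswith("/"):
        if registry is None:
            raise ValueError("image name starts with '/' but no registry account is configured")
        return registry.rstrip("/") + "/" + name.lstrip("/")
    return name


if __name__ == "__main__":
    # Constructed values mirroring the documentation's example.
    print(resolve_image_name("/nginximage",
                             target_property_registry="898334.dkr.ecr.us-east-1.amazonaws.com"))
    print(resolve_image_name("alpine:latest"), "local scan:", is_local_scan())
```

The plugin input wins when both places are set, so a registry configured on the target group can be overridden per workflow step without editing the target.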

Outputs

FDANCR_OUT_FINAL_ACTION (example: WARN/STOP)
If FDANCR_OUT_STATUS is FAILED, this is set to STOP.

FDANCR_OUT_STATUS (example: SUCCESS/FAILED)
If FDANCR_INP_SCAN_SEV_FAIL_CONDITION is provided as input and a matching severity is found in the scan result, this is set to FAILED; otherwise SUCCESS.

FDANCR_OUT_CRITICAL_COUNT (example: 2)
An integer count of the CRITICAL severity vulnerabilities detected for the image.

FDANCR_OUT_HIGH_COUNT (example: 10)
An integer count of the HIGH severity vulnerabilities detected for the image.

FDANCR_OUT_ALL_COUNT_LIST (example: 30)
A full list of all severity counts returned.

Artifacts

This operation delegates the consume artifacts decision to the workflow developer. Producing artifacts is not supported.

Endpoint Selection

This operation delegates the selection to the workflow developer to determine.

Endpoint Execution

This operation delegates the execution to the workflow developer to decide.

Special Considerations

Grype Installation:

Windows:

On Windows, auto-installation of the Grype utility is not supported. To be able to scan, Grype must be pre-installed on the Windows endpoint where the scan will execute, and its path provided in the FDANCR_GRYPE_HOME target group property. If it is not provided, execution assumes the utility is reachable through the system PATH and tries to continue. If it is not found in PATH either, the workflow execution fails.

Linux:

On Linux, auto-installation of the Grype utility is supported, following the approach recommended by Anchore's official GitHub project. If the user provides a Grype utility path of their choice in FDANCR_GRYPE_HOME, the plugin operation uses that path for subsequent execution; otherwise, if it is left blank, the utility is downloaded with the following curl command.

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

In the Linux auto-install case the user can choose a specific version with FDANCR_GRYPE_VERSION and the plugin downloads that version, for example v0.74.7. If this is left blank and FDANCR_GRYPE_HOME is also blank, then on Unix OS the plugin attempts to download the "latest" version of the Grype utility.

Note: As mentioned already, this is only done for Unix systems. On Windows the utility has to be pre-installed, for which there are several options, such as choco install grype or running through WSL 2.

Scan Results And Details:

Based on the critical, high, medium and low vulnerabilities discovered during scanning, the results view is rendered as follows:

(Screenshot of the scan results summary view omitted.)

On the Scan-Results tab of the Execution the details are shown in tabular form:

  • Severity: the severity of the CVE Id.

  • Message: the code paths affected by the CVE.

  • Scan Rule: concatenated value of the CVE Id and CVE namespace (found in the scan-results.json file under the vulnerability segment).

  • Scan Component: colon separated concatenation of artifact name, artifact Id and artifact version (found in the scan-results.json file under the artifacts segment).
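To make the Outputs table and the Scan-Results columns concrete, here is an added Python example (not the plugin's own code) that derives the status, final action, severity counts and the Scan Rule / Scan Component strings from a scan report. The sample report is constructed for this example: its key layout (a top-level "matches" list, each entry carrying a "vulnerability" object and an "artifact" object) is an assumption modelled on the fields the documentation names, and the CVE ids, namespaces and package names are placeholders. Two further assumptions are marked in the code: the ":" separator inside Scan Rule, and WARN as the final action when the scan does not fail (taken from the example column).

```python
import json
from collections import Counter

# Constructed sample report (not real Grype output). The key layout is an assumption
# modelled on the fields the documentation names; ids and names are placeholders.
SAMPLE_SCAN_RESULTS = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "namespace": "example:distro:alpine:3.18", "severity": "Critical"},
         "artifact": {"name": "libexample", "id": "a1", "version": "1.0.0-r0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "namespace": "example:distro:alpine:3.18", "severity": "Critical"},
         "artifact": {"name": "libexample", "id": "a1", "version": "1.0.0-r0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "namespace": "example:language:python", "severity": "High"},
         "artifact": {"name": "sample-pkg", "id": "b2", "version": "2.3.1"}},
        {"vulnerability": {"id": "CVE-0000-0004", "namespace": "example:language:python", "severity": "High"},
         "artifact": {"name": "sample-pkg", "id": "b2", "version": "2.3.1"}},
        {"vulnerability": {"id": "CVE-0000-0005", "namespace": "example:distro:alpine:3.18", "severity": "High"},
         "artifact": {"name": "busybox", "id": "c3", "version": "1.36.0-r0"}},
        {"vulnerability": {"id": "CVE-0000-0006", "namespace": "example:distro:alpine:3.18", "severity": "Medium"},
         "artifact": {"name": "busybox", "id": "c3", "version": "1.36.0-r0"}},
        {"vulnerability": {"id": "CVE-0000-0007", "namespace": "example:distro:alpine:3.18", "severity": "Low"},
         "artifact": {"name": "zlib", "id": "d4", "version": "1.2.13-r0"}},
    ]
})

SEVERITIES = ("critical", "high", "medium", "low", "negligible", "unknown")


def parse_fail_condition(csv_value):
    """Parse FDANCR_INP_SCAN_SEV_FAIL_CONDITION: comma separated, whitespace tolerant,
    case-insensitive. An empty or missing value means no fail condition."""
    if not csv_value:
        return set()
    return {part.strip().lower() for part in csv_value.split(",") if part.strip()}


def severity_counts(report):
    """Count matches per severity. A severity outside the known list is folded into
    "unknown" so the per-severity totals still add up to the number of matches."""
    counts = Counter()
    for match in report.get("matches", []):
        sev = str(match.get("vulnerability", {}).get("severity", "unknown")).lower()
        counts[sev if sev in SEVERITIES else "unknown"] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def scan_rows(report):
    """Build the Scan-Results tab rows. Scan Rule joins CVE id and namespace (the ":"
    separator is an assumption); Scan Component is name:id:version as documented."""
    rows = []
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        rows.append({
            "severity": vuln.get("severity", "Unknown"),
            "scan_rule": f"{vuln['id']}:{vuln['namespace']}",
            "scan_component": f"{art['name']}:{art['id']}:{art['version']}",
        })
    return rows


def evaluate_scan(report_json, fail_condition=None):
    """Derive the plugin outputs from a report string and the optional fail condition.
    A severity named in the fail condition that the report never uses is simply ignored."""
    report = json.loads(report_json)
    counts = severity_counts(report)
    fail_on = parse_fail_condition(fail_condition)
    failed = any(counts[sev] > 0 for sev in fail_on if sev in counts)
    return {
        "FDANCR_OUT_STATUS": "FAILED" if failed else "SUCCESS",
        # STOP on failure as documented; WARN otherwise is taken from the example column.
        "FDANCR_OUT_FINAL_ACTION": "STOP" if failed else "WARN",
        "FDANCR_OUT_CRITICAL_COUNT": counts["critical"],
        "FDANCR_OUT_HIGH_COUNT": counts["high"],
        "FDANCR_OUT_ALL_COUNT_LIST": counts,
        "rows": scan_rows(report),
    }


if __name__ == "__main__":
    result = evaluate_scan(SAMPLE_SCAN_RESULTS, "critical, HIGH")
    for key in ("FDANCR_OUT_STATUS", "FDANCR_OUT_FINAL_ACTION", "FDANCR_OUT_CRITICAL_COUNT",
                "FDANCR_OUT_HIGH_COUNT", "FDANCR_OUT_ALL_COUNT_LIST"):
        print(f"{key}={result[key]}")
    for row in result["rows"]:
        print(f"{row['severity']:<9} {row['scan_rule']:<42} {row['scan_component']}")
```

Running the block with the fail condition "critical, HIGH" reports FAILED/STOP because the constructed report has two critical and three high matches; the same report with no fail condition reports SUCCESS/WARN even though the counts are unchanged, which is the behaviour a workflow developer should expect when FDANCR_INP_SCAN_SEV_FAIL_CONDITION is left blank.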

Note:

  • If a Grype-specific argument is present in the config file and is also specified in the plugin input, the value given in the plugin input takes precedence over the one in the config file. This is an inherent feature of the Grype utility: CLI arguments take priority over the same settings in the configuration file.

  • Property Replacement is supported in the configuration yaml; however, it is strongly advised not to put credential details in it. Instead, use the Plugin input or Target Group property for the Registry Account, which points to the account created on the Integration → Containers page.

  • If the configuration file sets default-image-pull-source to "registry" and a local image is scanned, the scan will not work, since Grype will try to pull the image from Docker Hub or the remote registry. Do not set it in this case.

  • Even though open-source builds of Grype exist for Windows based OS, scanning on Linux based endpoints is always recommended, as the plugin then directly downloads the officially supported Grype utility for Linux.
