• Stars
    star
    157
  • Rank 238,399 (Top 5 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created about 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Anchore container analysis and scan provided as a GitHub Action

GitHub Action for Vulnerability Scanning

Test Status GitHub release License: Apache-2.0 Slack Invite

âš¡ Find threats in files or containers at lightning speed âš¡

This is a GitHub Action for invoking the Grype scanner and returning the vulnerabilities found, and optionally fail if a vulnerability is found with a configurable severity level.

Use this in your workflows to quickly verify files or containers' content after a build and before pushing, allowing PRs, or deploying updates.

The action invokes the grype command-line tool, with these benefits:

  • Runs locally, without sending data outbound - no credentials required!
  • Speedy scan operations
  • Scans both paths and container images
  • Easy failure evaluation depending on vulnerability severity

The example workflows have lots of usage examples for scanning both containers and directories.

By default, a scan will produce very detailed output on system packages like an RPM or DEB, but also language-based packages. These are some of the supported packages and libraries:

Supported Linux Distributions:

  • Alpine
  • BusyBox
  • CentOS and RedHat
  • Debian and Debian-based distros like Ubuntu

Supported packages and libraries:

  • Ruby Bundles
  • Python Wheel, Egg, requirements.txt
  • JavaScript NPM/Yarn
  • Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
  • Go modules

Container scanning

The simplest workflow for scanning a localbuild/testimage container:

- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v1

- name: build local container
  uses: docker/build-push-action@v2
  with:
    tags: localbuild/testimage:latest
    push: false
    load: true

- name: Scan image
  uses: anchore/scan-action@v3
  with:
    image: "localbuild/testimage:latest"

Directory scanning

To scan a directory, add the following step:

- name: Scan current project
  uses: anchore/scan-action@v3
  with:
    path: "."

The path key allows any valid path for the current project. The root of the path ("." in this example) is the repository root.

Scanning an SBOM file

Use the sbom key to scan an SBOM file:

- name: Create SBOM
  uses: anchore/sbom-action@v0
  with:
    format: spdx-json
    output-file: "${{ github.event.repository.name }}-sbom.spdx.json"

- name: Scan SBOM
  uses: anchore/scan-action@v3
  with:
    sbom: "${{ github.event.repository.name }}-sbom.spdx.json"

Failing a build on vulnerability severity

By default, if any vulnerability at medium or higher is seen, the build fails. To have the build step fail in cases where there are vulnerabilities with a severity level different than the default, set the severity-cutoff field to one of low, high, or critical:

With a different severity level:

- name: Scan image
  uses: anchore/scan-action@v3
  with:
    image: "localbuild/testimage:latest"
    fail-build: true
    severity-cutoff: critical

Optionally, change the fail-build field to false to avoid failing the build regardless of severity:

- name: Scan image
  uses: anchore/scan-action@v3
  with:
    image: "localbuild/testimage:latest"
    fail-build: false

Action Inputs

The inputs image, path, and sbom are mutually exclusive to specify the source to scan; all the other keys are optional. These are all the available keys to configure this action, along with the defaults:

Input Name Description Default Value
image The image to scan N/A
path The file path to scan N/A
sbom The SBOM to scan N/A
registry-username The registry username to use when authenticating to an external registry
registry-password The registry password to use when authenticating to an external registry
fail-build Fail the build if a vulnerability is found with a higher severity. That severity defaults to medium and can be set with severity-cutoff. true
output-format Set the output parameter after successful action execution. Valid choices are json, sarif, and table, where table output will print to the console instead of generating a file. sarif
severity-cutoff Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". medium
only-fixed Specify whether to only report vulnerabilities that have a fix available. false
add-cpes-if-none Specify whether to autogenerate missing CPEs. false

Action Outputs

Output Name Description Type
sarif Path to the SARIF report file, if output-format is sarif string
json Path to the report file , if output-format is json string

Example Workflows

Assuming your repository has a Dockerfile in the root directory:

name: Container Image CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build the container image
        run: docker build . --file Dockerfile --tag localbuild/testimage:latest
      - uses: anchore/scan-action@v3
        with:
          image: "localbuild/testimage:latest"
          fail-build: true

Same example as above, but with SARIF output format - as is the default, the action will generate a SARIF report, which can be uploaded and then displayed as a Code Scanning Report in the GitHub UI.

💡 Code Scanning is a Github service that is currently in Beta. Follow the instructions on how to enable this service for your project.

name: Container Image CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build the Container image
        run: docker build . --file Dockerfile --tag localbuild/testimage:latest
      - uses: anchore/scan-action@v3
        id: scan
        with:
          image: "localbuild/testimage:latest"
      - name: upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

Optionally, you can add a step to inspect the SARIF report produced:

- name: Inspect action SARIF report
  run: cat ${{ steps.scan.outputs.sarif }}

Additional configuration

You may add a .grype.yaml file at your repository root for more Grype configuration such as ignoring certain matches.

anchore/scan-action/download-grype

A sub-action to download Grype.

Input parameters:

Parameter Description Default
grype-version An optional Grype version to download, defaults to the pinned version in GrypeVersion.js.

Output parameters:

Parameter Description
cmd a reference to the Grype binary.

cmd can be referenced in a workflow like other output parameters: ${{ steps.<step-id>.outputs.cmd }}

Example usage:

- uses: anchore/scan-action/download-grype@v3
  id: grype
- run: ${{steps.grype.outputs.cmd}} dir:.

Contributing

We love contributions, feedback, and bug reports. For issues with the invocation of this action, file issues in this repository.

For contributing, see Contributing.

More Information

For documentation on Grype itself, including other output capabilities, see the grype project

Connect with the community directly on slack.

Diagnostics

This action makes extensive use of GitHub Action debug logging, which can be enabled as described here by setting a secret in your repository of ACTIONS_STEP_DEBUG to true.

More Repositories

1

grype

A vulnerability scanner for container images and filesystems
Go
5,959
star
2

syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Go
4,261
star
3

anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Python
1,547
star
4

anchore

This project is deprecated. Work is now done on https://github.com/anchore/syft and https://github.com/anchore/grype for local-host Software Bill of Materials and vulnerability scanning tools.
Python
360
star
5

quill

Simple mac binary signing from any platform
Go
190
star
6

sbom-action

GitHub Action for creating software bill of materials using Syft.
TypeScript
113
star
7

anchore-cli

Simple command-line client to the Anchore Engine service
Python
108
star
8

grant

Search an SBOM for licenses and the packages they belong to
Go
58
star
9

kubernetes-admission-controller

Service implementation for a Kubernetes Dynamic Webhook controller for interacting with Anchore
Go
56
star
10

stereoscope

go library for processing container images and simulating a squash filesystem
Go
54
star
11

k8s-inventory

KAI (Kubernetes Automated Inventory) can poll Kubernetes Cluster API(s) to tell Anchore which Images are currently in-use
Go
52
star
12

anchore-charts

Helm charts for Anchore tools and services
Mustache
42
star
13

ci-tools

Contains scripts for running anchore engine in CI pipelines
Shell
34
star
14

chronicle

a fast changelog generator sourced from PRs and Issues
Go
32
star
15

harbor-scanner-adapter

Harbor Scanner Adapter for Anchore Engine and Enterprise
Go
29
star
16

vunnel

Tool for collecting vulnerability data from various sources (used to build the grype database)
Python
26
star
17

grype-db

Go
18
star
18

grype-vscode

Grype vulnerability check plugin for Visual Studio Code
TypeScript
15
star
19

anchore-grafeas-cli

Tool for connecting to an anchore-engine DB and generating grafeas note/occurrence JSON documents
Python
9
star
20

sbom-examples

Repository of SBOMs generated by the syft SBOM generator tool, against a list of popular dockerhub container images.
Python
8
star
21

yardstick

Compare vulnerability scanners results (to make them better!)
Python
5
star
22

vulnerability-match-labels

Labeled vulnerability-package match pairs used as ground truth to evaluate vulnerability scanners
Python
5
star
23

engine-operator

Helm based anchore engine operator
Makefile
4
star
24

test-infra

Contains infrastructure for running functional tests using Helm chart deployments
Python
4
star
25

azure-devops-task

Anchore Task Extension for Azure DevOps Pipelines
TypeScript
4
star
26

client-go

Golang client for Anchore API
Makefile
4
star
27

fangs

Go
2
star
28

go-struct-converter

Go library that provides a set of conversion utilities to help migrate between different versioned Go structs.
Go
2
star
29

ecs-inventory

Go
2
star
30

go-macholibre

Go
2
star
31

homebrew-syft

homebrew tap for syft
Ruby
2
star
32

enterprise-client-go

Go client for enterprise API
Mustache
2
star
33

circleci-orb-grype

Repository for the Grype based CircleCI orb
Shell
2
star
34

test-images

Container automation for testing and validation
Dockerfile
2
star
35

go-logger

Go
1
star
36

engine-db-preload

Some scripting to handling creation of preloaded anchore DB container
Shell
1
star
37

deployment-templates

Repository for example Anchore Engine deployment methods and integrations
1
star
38

homebrew-grype

homebrew tap for grype
Ruby
1
star
39

modular-policy

CLI utility for managing Anchore policy bundles as individual components. Useful for git-based policy management.
Python
1
star