GrypeScanner

Introduction

Grype is a vulnerability scanner for container images and filesystems. This Jenkins plugin scans a given target with grype and saves the report as a job artifact. Starting from version 1.7, the plugin can be integrated with the Warnings Next Generation plugin (minimum version 10.3.0), which parses the report, shows the findings in the build, and can fail the build on configurable thresholds.


Getting started

This Jenkins plugin installs grype into the job workspace directory and runs the scan from there. See the Installation/Recommended section for more installation details.

Screenshots of the plugin UI (captions only):

Grype as a build step
Possible scan targets
Scan result report as job artifact
Scan results

Usage in a declarative pipeline with the Warnings Next Generation plugin (minimum version 10.3.0). The grypeScan step runs the scan; recordIssues in the post section parses the report and applies the quality gates:

 pipeline {
   agent { label '' }
   stages {
     stage('Grype scan') {
       steps {
         // scanDest: the grype target (here a directory); repName: the report file
         // saved as a job artifact; autoInstall: let the plugin install grype into
         // the job workspace
         grypeScan scanDest: 'dir:/tmp/grpc', repName: 'myScanResult.txt', autoInstall: true
       }
     }
   }
   post {
     always {
       recordIssues(
         tools: [grype()],
         aggregatingResults: true,
         failedNewAll: 1,        // fail if >=1 new issues
         failedTotalHigh: 20,    // fail if >=20 HIGHs
         failedTotalAll: 100,    // fail if >=100 issues in total
         filters: [
           excludeType('CVE-2023-2976'),
           excludeType('CVE-2012-17488'),
         ],
         //failOnError: true
       )
     }
   }
 }

See https://www.jenkins.io/doc/pipeline/steps/warnings-ng/ for more advanced features.
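The following is an added example, not code from this plugin or from Warnings Next Generation: a small Python script that applies the same three thresholds and the same excludeType filters as the recordIssues call above to a grype JSON report (the shape produced by `grype -o json`), so the gate logic can be checked outside Jenkins. Two things are assumptions made here for illustration: a second "baseline" report stands in for the reference build that warnings-ng compares against to decide which findings are new, and Critical findings are counted separately from High rather than folded into the failedTotalHigh count. Check the parser's severity mapping in your warnings-ng version before relying on failedTotalHigh alone to catch Critical findings. The sample reports and the EXAMPLE-* identifiers are constructed placeholders; only CVE-2023-2976 is taken from the pipeline above.

```python
"""Quality gate over grype JSON reports (added example; not the plugin's own code)."""
import json
from collections import Counter

# Constructed sample reports in the shape of `grype -o json` output, trimmed to the
# fields the gate reads. IDs other than CVE-2023-2976 are placeholders, not advisories.
BASELINE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-2976", "severity": "High"},
     "artifact": {"name": "guava", "version": "31.1-jre"}},
    {"vulnerability": {"id": "EXAMPLE-0001", "severity": "Medium"},
     "artifact": {"name": "libfoo", "version": "1.0"}},
]})

CURRENT_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-2976", "severity": "High"},
     "artifact": {"name": "guava", "version": "31.1-jre"}},
    {"vulnerability": {"id": "EXAMPLE-0001", "severity": "Medium"},
     "artifact": {"name": "libfoo", "version": "1.0"}},
    {"vulnerability": {"id": "EXAMPLE-0002", "severity": "Critical"},
     "artifact": {"name": "libbar", "version": "2.3"}},
    {"vulnerability": {"id": "EXAMPLE-0003", "severity": "High"},
     "artifact": {"name": "libbaz", "version": "0.9"}},
]})


def load_matches(report_json):
    """Return a list of (issue_key, SEVERITY). The key is (id, package, version): the
    same advisory against another package or version is a different issue, which is
    also how a comparison against a previous report tells a new finding apart."""
    rows = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        key = (vuln["id"], art["name"], art["version"])
        rows.append((key, vuln.get("severity", "Unknown").upper()))
    return rows


def evaluate_gate(current_json, baseline_json=None, excluded_ids=(),
                  failed_new_all=None, failed_total_high=None, failed_total_all=None):
    """Apply thresholds with the meaning of the recordIssues parameters: a gate trips
    when its count is >= the threshold. baseline_json stands in for the reference
    build (assumption: without a baseline every finding counts as new). Critical is
    reported on its own and is NOT counted towards failedTotalHigh here."""
    excluded = set(excluded_ids)
    current = [(k, s) for k, s in load_matches(current_json) if k[0] not in excluded]
    baseline = set()
    if baseline_json is not None:
        baseline = {k for k, _ in load_matches(baseline_json) if k[0] not in excluded}
    new_count = sum(1 for k, _ in current if k not in baseline)
    by_sev = Counter(s for _, s in current)
    result = {
        "total": len(current),
        "new": new_count,
        "critical": by_sev["CRITICAL"],
        "high": by_sev["HIGH"],
        "failed": [],
    }
    gates = [
        ("failedNewAll", failed_new_all, new_count),
        ("failedTotalHigh", failed_total_high, by_sev["HIGH"]),
        ("failedTotalAll", failed_total_all, len(current)),
    ]
    for name, threshold, count in gates:
        if threshold is not None and count >= threshold:
            result["failed"].append(name)
    return result


if __name__ == "__main__":
    # Same thresholds and exclusions as the pipeline's recordIssues call.
    verdict = evaluate_gate(CURRENT_REPORT, BASELINE_REPORT,
                            excluded_ids=["CVE-2023-2976", "CVE-2012-17488"],
                            failed_new_all=1, failed_total_high=20, failed_total_all=100)
    print(json.dumps(verdict, indent=2))
    raise SystemExit(1 if verdict["failed"] else 0)
```

With the constructed reports, the excluded CVE-2023-2976 drops out, two of the three remaining findings are absent from the baseline, and failedNewAll trips while the High and total gates stay well under their thresholds. Note that the Critical finding is invisible to failedTotalHigh in this model; if that is not what your parser does, the gate you get in Jenkins is stricter than this script, which is the safe direction, but verify rather than assume.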

Acknowledgments

Thanks to Patrick Röder and Thomas Spicker for contributions and creative input!

LICENSE

Licensed under MIT, see LICENSE