This topic gives you an example of how to configure an ImageVulnerabilityScan
(IVS) for Grype.
This section contains a sample IVS that uses Grype to scan a targeted image and push the results to the specified registry location. For information about the IVS specification, see Configuration options.
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  name: grype-ivs
  annotations:
    app-scanning.apps.tanzu.vmware.com/scanner-name: Grype
spec:
  image: TARGET-IMAGE
  scanResults:
    location: registry/project/scan-results
  serviceAccountNames:
    publisher: publisher
    scanner: scanner
  steps:
  - name: grype
    image: GRYPE-SCANNER-IMAGE
    args:
    - -o
    - cyclonedx-json
    - registry:$(params.image)
    - --file
    - /workspace/scan-results/scan.cdx.json
    env:
    - name: GRYPE_ADD_CPES_IF_NONE
      value: "false"
    - name: GRYPE_EXCLUDE
    - name: GRYPE_SCOPE
Where:

TARGET-IMAGE is the image to scan. You must specify the digest.

GRYPE-SCANNER-IMAGE is the image containing the Grype CLI. For example, anchore/grype:latest. For information about publicly available Grype images, see DockerHub. For more information about using the Grype CLI, see the Grype documentation.

The recommended storageSize for Grype scans is 4Gi because of the size of the Grype database. If the storageSize is not sufficient, you might encounter an error indicating insufficient space when initializing the database in the scan pod.
Update app-scanning-values-file.yaml for the app-scanning.apps.tanzu.vmware.com package to change the default storageSize. For more information, see the installation documentation.
scans:
  workspace:
    storageSize: 4Gi
If you do not want to set a default storageSize by updating app-scanning-values-file.yaml, you must specify spec.workspace.size when creating each standalone ImageVulnerabilityScan or when embedding the ImageVulnerabilityScan in a ClusterImageTemplate.
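The two requirements above (the target image must be pinned by digest, and the scan workspace must be at least 4Gi for the Grype database) are easy to miss until the scan pod fails. The following pre-apply lint is an added example and is not part of the Tanzu documentation or the app-scanning package: it reads a manifest from a variable, checks spec.image for an @sha256 digest, and checks spec.workspace.size (or scans.workspace.storageSize in app-scanning-values-file.yaml) against the 4Gi recommendation. The registry name, the digest value and the manifests it lints are constructed for the example; it uses only POSIX sh, grep and sed.

```shell
#!/bin/sh
# Added example, not from the Tanzu documentation: a pre-apply lint for an
# ImageVulnerabilityScan manifest. It checks the two requirements stated on
# this page: spec.image must be pinned by digest, and the scan workspace must
# be at least the 4Gi that Grype's database needs. POSIX sh, grep and sed only.

# Convert a Kubernetes binary quantity (Ki/Mi/Gi/Ti suffix) to MiB.
quantity_to_mib() {
  num=$(printf '%s' "$1" | sed -E 's/^([0-9]+)(Ki|Mi|Gi|Ti)$/\1/')
  unit=$(printf '%s' "$1" | sed -E 's/^[0-9]+//')
  case "$unit" in
    Ki) echo $((num / 1024)) ;;
    Mi) echo "$num" ;;
    Gi) echo $((num * 1024)) ;;
    Ti) echo $((num * 1024 * 1024)) ;;
    *)  echo "unsupported quantity: $1" >&2; return 1 ;;
  esac
}

# Succeed only if spec.image (the two-space-indented image: key directly under
# spec:) is pinned by an @sha256 digest rather than a mutable tag.
ivs_image_has_digest() {
  printf '%s\n' "$1" | grep -Eq '^  image: [^[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Succeed only if the workspace size (spec.workspace.size in an IVS, or
# scans.workspace.storageSize in app-scanning-values-file.yaml) is >= 4Gi.
workspace_large_enough() {
  size=$(printf '%s\n' "$1" \
    | sed -nE 's/^[[:space:]]*(size|storageSize):[[:space:]]*([0-9]+(Ki|Mi|Gi|Ti))[[:space:]]*$/\2/p' \
    | head -n 1)
  [ -n "$size" ] || return 1
  mib=$(quantity_to_mib "$size") || return 1
  [ "$mib" -ge 4096 ]
}

# Run both checks, print findings, and return non-zero if either fails.
lint_ivs() {
  rc=0
  if ivs_image_has_digest "$1"; then
    echo "ok:   spec.image is pinned by digest"
  else
    echo "fail: spec.image must reference the image by @sha256 digest"; rc=1
  fi
  if workspace_large_enough "$1"; then
    echo "ok:   workspace size is at least 4Gi"
  else
    echo "fail: workspace size is missing or below the 4Gi Grype's database needs"; rc=1
  fi
  return "$rc"
}

# Constructed manifest: example registry name and a placeholder digest.
GOOD_IVS=$(cat <<'EOF'
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  name: grype-ivs
spec:
  image: registry.example.com/team/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  workspace:
    size: 4Gi
  steps:
  - name: grype
    image: anchore/grype:latest
EOF
)

# Constructed counter-example: mutable tag and a workspace too small for the DB.
BAD_IVS=$(cat <<'EOF'
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
spec:
  image: registry.example.com/team/app:1.2.3
  workspace:
    size: 512Mi
EOF
)

lint_ivs "$GOOD_IVS"
lint_ivs "$BAD_IVS" || echo "bad manifest rejected as expected"
```

Run it before kubectl apply in a pipeline step, or point workspace_large_enough at the scans.workspace block of app-scanning-values-file.yaml to confirm the package default is large enough. The digest check deliberately looks only at the two-space-indented spec.image key, so the step image (GRYPE-SCANNER-IMAGE), which the page allows as a tag such as anchore/grype:latest, is not flagged.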
Caution: As a publicly maintained image that is built outside of VMware build systems, the image might not meet the security standards VMware established. Review the image before use to ensure that it meets your organization's security and compliance policies. For the publicly available Grype scanner CLI image, the CLI commands and parameters used are accurate at the time of documentation.