It’s the middle of winter, and all the usual elderly folks are now vaccinated against the flu. That’s great, Raoult Raoul!
But have you thought about the health of your Docker images? Yes, because by downloading numerous old and unmaintained containers, you unknowingly introduce vulnerabilities into your containers.
So, how do you find out about these vulnerabilities? Well, thanks to Grype. It’s not a virus but an incredible vulnerability scanner that can scan Docker, OCI, and Singularity container images and file systems.
This tool is capable of detecting vulnerabilities in containerized operating systems such as Alpine, Amazon Linux, BusyBox, CentOS, Debian, Ubuntu, and also in development languages like Ruby, Java, JavaScript, Python, .NET, Golang, and not forgetting PHP!
To install it, you can download the binary from GitHub or run the following Curl command:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/binIf you’re on a Mac, besides being a handsome guy, you can also install it with Brew:
brew tap anchore/grype
brew install grypeThen, to launch it, nothing could be simpler. You just call the command, followed by the name of the Docker image as found on hub.docker.com, for example. Here is an example of scanning with this image from the Balena editor:
./grype balena/open-balena-vpn
And to see only the existing vulnerabilities for which there is a fix, you can also add the following parameter:
./grype balena/open-balena-vpn --only-fixed
By default, Grype only scans the visible vulnerabilities of the container. But if you want to conduct a deeper analysis and scan all the layers of the same container, add the following parameter:
./grype balena/open-balena-vpn --scope all-layersIn terms of exports, you can output all this as a table in the terminal, or as a JSON or XML report, and then query it with tools like jq.
Using Grype also allows for a high level of customization. You can define the scope of the search with expressions to include or exclude certain files or directories.
Another major advantage of Grype is its ability to integrate external data sources for better vulnerability matching. For example, it can analyze data from databases such as Alpine Linux SecDB or Debian Linux CVE Tracker to provide you with even more accurate information about potential vulnerabilities in your image.
Speaking of integration, if you’re working with GitHub and using GitHub Actions, Grype integrates seamlessly to run vulnerability scans during your CI workflows, keeping your code and containers safe every step of the way.
In short, Grype is an essential tool for anyone who wants to ensure the security and integrity of their Docker images and beyond. Whether it’s identifying vulnerabilities or taking advantage of advanced features such as external data sources and GitHub action integration, Grype is a valuable ally in the ongoing fight against potential vulnerabilities that can compromise your infrastructure.
And if you'd like to go a step further in supporting us, you can treat us to a virtual coffee ☕️. Thank you for your support ❤️!
We do not support or promote any form of piracy, copyright infringement, or illegal use of software, video content, or digital resources.
Any mention of third-party sites, tools, or platforms is purely for informational purposes. It is the responsibility of each reader to comply with the laws in their country, as well as the terms of use of the services mentioned.
We strongly encourage the use of legal, open-source, or official solutions in a responsible manner.
Comments