It’s the middle of winter, and all the usual elderly folks are now vaccinated against the flu. That’s great, Raoult Raoul!
But have you thought about the health of your Docker images? Because by pulling in numerous old and unmaintained images, you unknowingly introduce vulnerabilities into your own containers.
So, how do you find out about these vulnerabilities? Well, thanks to Grype. It’s not a virus but an incredible vulnerability scanner that can scan Docker, OCI, and Singularity container images and file systems.
To install it, you can download the binary from GitHub or run the following Curl command:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
If you’re on a Mac, besides being a handsome guy, you can also install it with Brew:
brew tap anchore/grype
brew install grype
Then, launching it could not be simpler. You just call the command followed by the name of the Docker image, as found on hub.docker.com for example. Here is an example of scanning an image from the vendor Balena:
./grype balena/open-balena-vpn
And to see only the existing vulnerabilities for which there is a fix, you can also add the following parameter:
./grype balena/open-balena-vpn --only-fixed
By default, Grype scans the squashed image, i.e. only the files visible in the final container filesystem. If you want a deeper analysis that also covers packages present only in intermediate layers of the same image, add the following parameter:
./grype balena/open-balena-vpn --scope all-layers
In terms of exports, you can output all this as a table in the terminal, or as a JSON or XML report, and then query it with tools like jq.
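As an added example (not from the original post or the Grype project), here is a small Python gate that reads a `grype -o json` report and fails the build only on High/Critical findings that already have a fix, the same filter as `--only-fixed`. It assumes Grype's JSON field names (`matches[].vulnerability.{id,severity,fix}`, `matches[].artifact.{name,version}`) and ships with a constructed sample report so it runs offline.

```python
"""Gate a build on a `grype -o json` report. Added example, not Grype's own code.
Assumes Grype's JSON field names (matches[].vulnerability.{id,severity,fix},
matches[].artifact.{name,version}); SAMPLE_REPORT is constructed for the demo."""
import json
import sys

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Constructed sample in the shape of `grype -o json`; the CVE ids are placeholders.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.1.1l-r0"], "state": "fixed"}},
     "artifact": {"name": "openssl", "version": "1.1.1k-r0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "busybox", "version": "1.33.1-r3"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": ["1.2.12-r0"], "state": "fixed"}},
     "artifact": {"name": "zlib", "version": "1.2.11-r3"}},
]}


def blocking_matches(report, min_severity="High", only_fixed=True):
    """Return (cve, package, version, fix_versions) for findings that fail the gate.
    only_fixed mirrors --only-fixed: skip findings with no upstream fix yet."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        if SEVERITY_RANK.get(vuln.get("severity"), -1) < floor:
            continue  # below the severity floor
        if only_fixed and fix.get("state") != "fixed":
            continue  # not remediable by rebuilding; track it, but don't block
        hits.append((vuln["id"], art["name"], art["version"], fix.get("versions", [])))
    return hits


def main(path=None):
    """Print blocking findings; return the exit code for CI (1 = fail the build)."""
    report = SAMPLE_REPORT
    if path:
        with open(path) as fh:
            report = json.load(fh)
    hits = blocking_matches(report)
    for cve, name, ver, fixes in hits:
        print(f"{cve}\t{name} {ver}\tupgrade to: {', '.join(fixes)}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `grype balena/open-balena-vpn -o json > report.json && python gate.py report.json` in a pipeline step; without an argument it runs against the embedded sample.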
Using Grype also allows for a high level of customization. You can define the scope of the search with expressions to include or exclude certain files or directories.
Another major advantage of Grype is its ability to integrate external data sources for better vulnerability matching. For example, it can analyze data from databases such as Alpine Linux SecDB or Debian Linux CVE Tracker to provide you with even more accurate information about potential vulnerabilities in your image.
Speaking of integration, if you’re working with GitHub and using GitHub Actions, Grype integrates seamlessly to run vulnerability scans during your CI workflows, keeping your code and containers safe every step of the way.
In short, Grype is an essential tool for anyone who wants to ensure the security and integrity of their Docker images and beyond. Whether it’s identifying vulnerabilities or taking advantage of advanced features such as external data sources and GitHub Actions integration, Grype is a valuable ally in the ongoing fight against vulnerabilities that could compromise your infrastructure.