Introduction
Grype is a vulnerability scanner for container images and filesystems. This jenkins plugin scans a given target and saves a report as job artifact. Starting from version 1.7, the grype plugin can be integrated with the Warnings Next Generation plugin (minimal version: 10.3.0).
Getting started
This jenkins plugin installs grype in the job workspace directory and performs scan. See section Installation/Recommended for more installation details.
Grype as a build step:
Possible scan targets:
Configure Warnings Next Generation plugin:
Scan result report as job artifact:
Scan results:
Usage in a pipeline, with Warnings Next Generation plugin (minimal version: 10.3.0):
pipeline {
agent {label ''}
stages {
stage('Grype scan') {
steps {
grypeScan scanDest: 'dir:/tmp/grpc', repName: 'myScanResult.txt', autoInstall:true
}
}
}
post {
always {
recordIssues(
tools: [grype()],
aggregatingResults: true,
failedNewAll: 1, //fail if >=1 new issues
failedTotalHigh: 20, //fail if >=20 HIGHs
failedTotalAll : 100, //fail if >=100 issues in total
filters: [
excludeType('CVE-2023-2976'),
excludeType('CVE-2012-17488'),
],
//failOnError: true
)
}
}
}
See https://www.jenkins.io/doc/pipeline/steps/warnings-ng/ for more advanced features.
Acknowledgments
Thanks to Patrick Röder and Thomas Spicker for contributions and creative input!
LICENSE
Licensed under MIT, see LICENSE