Integrate Grype with Container Scanning
Why are we doing this work
The GitLab container scanning analyzer currently relies on Trivy to perform the scan.
This feature provides the option to use Grype as the scanner in the GitLab analyzer.
Relevant links
- Comment thread discussing Anchore Engine and Grype
- Dan and Thiago 2021-03-29 meeting notes (internal link)
Non-functional requirements
-
Documentation: update existing documentation to provide instructions on how to enable Grype as a scanner. Add instructions on how to access Grype-specific settings/features and link to upstream documentation where necessary. - [-] Feature flag: not necessary since the default scanner won't be changed from Trivy as part of this issue
- [-] Performance: not necessary
-
Testing: existing tests are executed for Grype. -
Other -
Grype can run in offline (air-gapped) environments. This means the vulnerability database must be bundled with the analyzer image. -
Grype produces a report that can be ingested by artifacts:reports:container_scanning. -
Grype can scan an image given a docker registry address (or the analyzer is updated to make the image available to Grype as a local file). There is no dependency on access to a Docker host.
-
Implementation plan
-
Map container scanning integration variables to Grype configuration and/or execution options. -
Update build pipeline to produce two images: current ( trivy) and Grype (grype) with the appropriate tags. -
TBC pre-fetch image so it's available as an image to Grype -
Execute scan and produce report -
Introduce environment variable to switch scanner to Grype
/cc @sam.white @ngaskill