anchore.md

File metadata and controls

120 lines (78 loc) · 7.29 KB

Generated API documentation for Anchore rules.

Load these from `@com_github_hxtk_rules_anchore//anchore:defs.bzl`.

## grype_test

```starlark
grype_test(name, image, sbom, database, ignore_cves, only_fixed, fail_on_severity, scope, kwargs)
```

Scan a docker image for CVEs.

Uses Anchore Grype to scan a docker image or Anchore Syft SBOM for known vulnerabilities, and fails if vulnerabilities exceeding a severity threshold are found.

The user is required to provide `name` as well as exactly one of `image` or `sbom`. All other fields have sane defaults.

If `image` is passed in, a `syft_sbom` rule named `[name]_sbom` is implicitly created, and the `grype_test` uses the SBOM produced by that target.

All tests created by this macro without a value passed for `database` will be tagged as `external` due to their undeclared dependency on Anchore's database.

**PARAMETERS**

| Name | Description | Default Value |
| --- | --- | --- |
| name | the name of the label to be created. | none |
| image | the complete docker image TAR, compatible with `docker save`. For a `container_image` target `:foo`, this would be `:foo.tar`, or for a `container_pull` repository `bar`, this would be `@bar//image:image.tar`. Referencing either of those targets directly, e.g., `:foo` or `@bar//image`, will work by attempting to rewrite the label to the appropriate TAR file. | `None` |
| sbom | the Anchore Syft SBOM of the image, formatted as JSON. See the `syft_sbom` rule. | `None` |
| database | the Anchore CVE database against which to evaluate the image or SBOM. By default, we download the latest database and load it. | `None` |
| ignore_cves | a list of strings representing CVEs that may exist in the image under test without being considered a failure, regardless of their severity. | `[]` |
| only_fixed | if `True`, ignore any vulnerabilities that do not have fixes available, even if they are above the failure threshold. Defaults to `False`. | `False` |
| fail_on_severity | the test built by this target shall fail if any CVE is found at this severity or higher. Defaults to `"low"`, which may produce results that users consider to be false positives. | `"low"` |
| scope | if `"Squashed"`, only scan the effective file system of the final image. If `"All"`, scan every file in each layer, including those that are overwritten or deleted in the final image. | `"Squashed"` |
| kwargs | - | none |

## grype_updater

```starlark
grype_updater(name, output, version, repository_name, listing_url, kwargs)
```

Automatically update Grype database.

Run this target with `bazel run` to update the Anchore CVE database used by these rules.

For example, in `//:BUILD`:

```starlark
load("@com_github_hxtk_rules_anchore//anchore:defs.bzl", "grype_updater")

grype_updater(
    name = "update_grype",
    output = "deps.bzl%grype_db",
)
```

**PARAMETERS**

| Name | Description | Default Value |
| --- | --- | --- |
| name | the name of the label to be created. This is the target you will invoke with `bazel run`. | none |
| output | the WORKSPACE or macro file in which the repository rule shall be defined. If a macro file is specified, append `%` followed by some name to indicate the name of the macro to be created; e.g., from the example above, `deps.bzl%grype_db` will result in `deps.bzl` containing a `grype_db` macro which, when called, will define the repository rule for a Grype CVE database. This is consistent with the definitions used in bazel-gazelle. Previously, the canonical separator was `#`; it is preserved for compatibility. If no separator is used, the repository will be defined at the top level of whatever file is specified. | `"WORKSPACE"` |
| version | the database format major version. This should generally be left as the default, as it must be chosen to be compatible with the version of Grype in this package. | `5` |
| repository_name | the name of the repository to be created. You will reference the database as `@[repository_name]//file` in the `database` field of a `grype_test` rule. For example, with the default value, you would use `@grype_database//file`. | `"grype_database"` |
| listing_url | the URL from which the list of available databases shall be fetched. Defaults to the Anchore listing normally used by Grype. | `None` |
| kwargs | - | none |

## syft_sbom

```starlark
syft_sbom(name, image, scope, kwargs)
```

Create an SBOM for an image.

Uses Anchore Syft to create a Software Bill of Materials for a container image.

The user is required to provide `name` and `image`; all other fields have sane defaults.

Note that if one is also creating a `grype_test` rule for the same image, one may specify this target as the `sbom` for that `grype_test`, or else use the `[name]_sbom` target implicitly created by `grype_test` in lieu of explicitly invoking this macro.

**PARAMETERS**

| Name | Description | Default Value |
| --- | --- | --- |
| name | the name of the label to be created. | none |
| image | the complete docker image TAR, compatible with `docker save`; a label for a `container_image` rule; or a label for an imported image (i.e., `@foo//image` for a `container_pull(name = "foo", ...)` repository rule). | none |
| scope | if `"Squashed"`, only scan the effective file system of the final image. If `"All"`, scan every file in each layer, including those that are overwritten or deleted in the final image. | `"Squashed"` |
| kwargs | - | none |
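An end-to-end wiring of the three macros documented above (`grype_updater`, `syft_sbom` and `grype_test`), as an added example that is not part of the generated documentation: a pinned Grype database defined by the macro that `grype_updater` writes into `deps.bzl`, an explicit SBOM, and two `grype_test` targets with different policies. The `:app` `container_image` target, the `@distroless_base` `container_pull` repository and the ignored CVE identifier are assumed placeholders.

```starlark
# --- WORKSPACE ---
# `bazel run //:update_grype` writes a grype_db macro into deps.bzl (see the
# grype_updater target in //:BUILD below); calling it defines the
# @grype_database repository, so tests that pin it are not tagged 'external'.
load("//:deps.bzl", "grype_db")

grype_db()

# --- //:BUILD ---
load(
    "@com_github_hxtk_rules_anchore//anchore:defs.bzl",
    "grype_test",
    "grype_updater",
    "syft_sbom",
)

# Regenerates deps.bzl with the repository rule for the latest Grype database.
grype_updater(
    name = "update_grype",
    output = "deps.bzl%grype_db",
)

# Explicit SBOM of a locally built image (:app is an assumed container_image
# target); scope = "All" also inventories packages a later layer removes.
syft_sbom(
    name = "app_sbom",
    image = ":app",
    scope = "All",
)

# Gate on that SBOM against the pinned database: fail on any "high" or
# "critical" finding that has a fix available. The ignored CVE is a
# placeholder for an accepted, documented exception.
grype_test(
    name = "app_cve_test",
    sbom = ":app_sbom",
    database = "@grype_database//file",
    fail_on_severity = "high",
    only_fixed = True,
    ignore_cves = ["CVE-YYYY-NNNNN"],  # placeholder, not a real identifier
)

# Scan a pulled base image directly (@distroless_base is an assumed
# container_pull repository): a base_cve_test_sbom target is created
# implicitly, and with no database pinned the test is tagged 'external'.
grype_test(
    name = "base_cve_test",
    image = "@distroless_base//image",
)
```

`bazel test //:app_cve_test` then runs against the database version pinned in `deps.bzl`, so a newly published advisory only changes the result after the updater is run and the regenerated file is committed.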