cloudbees-io/grype-plugin

CloudBees action: Scan with Grype

Use this action to perform static application security testing (SAST) on code with Grype. Grype, an open-source scanning tool, finds vulnerabilities in container images and filesystems. You can also use the action output as a quality gate for the next step or job in your workflow.

Inputs

Table 1. Input details

| Input name      | Data type | Required? | Description                           |
|-----------------|-----------|-----------|---------------------------------------|
| binary-tar-path | String    | Yes       | The path of the binary to be scanned. |

Note: The binary file must be in the TAR format.

Outputs

Table 2. Output details

| Output name     | Data type | Description                                                            |
|-----------------|-----------|------------------------------------------------------------------------|
| critical-count  | String    | The number of Critical security findings discovered during the scan.   |
| very-high-count | String    | The number of Very high security findings discovered during the scan.  |
| high-count      | String    | The number of High security findings discovered during the scan.       |
| medium-count    | String    | The number of Medium security findings discovered during the scan.     |
| low-count       | String    | The number of Low security findings discovered during the scan.        |

Usage examples

Basic example

The following is a basic example of using the action:

```yaml
- name: Scan with Grype
  uses: cloudbees-io/grype-plugin@v1
  with:
    binary-tar-path: /path/to/binary.tar
```

Using the action output

Access the output values in downstream steps and jobs using the outputs context.

Use the output in your workflow as follows, where <action_step_ID> is the action step ID, and <severity> is an output parameter name, such as critical-count:

${{steps.<action_step_ID>.outputs.<severity>}}

The following example uses the action output in a downstream step of the same job:

```yaml
name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  grype-scan-job:
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1

      - id: grype-step
        name: grype scan
        uses: cloudbees-io/grype-plugin@v1
        with:
          binary-tar-path: /path/to/binary.tar

      - name: source dir examine
        uses: docker://golang:1.20.3-alpine3.17
        shell: sh
        run: |
          ls -latR /cloudbees/workspace

      - id: print-outputs-from-grype-step
        name: print outputs from upstream grype step
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream grype step:"
          echo "Critical count: ${{steps.grype-step.outputs.critical-count}}"
          echo "Very high count: ${{steps.grype-step.outputs.very-high-count}}"
          echo "High count: ${{steps.grype-step.outputs.high-count}}"
          echo "Medium count: ${{steps.grype-step.outputs.medium-count}}"
          echo "Low count: ${{steps.grype-step.outputs.low-count}}"
```

The following example uses the action output in a downstream job:

```yaml
name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  job1:
    outputs:
      grype-job-output-critical: ${{ steps.grype-step.outputs.critical-count }}
      grype-job-output-very-high: ${{ steps.grype-step.outputs.very-high-count }}
      grype-job-output-high: ${{ steps.grype-step.outputs.high-count }}
      grype-job-output-medium: ${{ steps.grype-step.outputs.medium-count }}
      grype-job-output-low: ${{ steps.grype-step.outputs.low-count }}
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
        with:
          repository: my-gh-repo-org/my-repo
          ref: main
          token: ${{ secrets.GIT_PAT }}

      - id: grype-step
        name: grype scan
        uses: cloudbees-io/grype-plugin@v1
        with:
          binary-tar-path: /path/to/binary.tar

  job2:
    needs: job1
    steps:
      - id: print-outputs-from-job1
        name: print outputs from upstream job1
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream grype job:"
          echo "Critical count: ${{ needs.job1.outputs.grype-job-output-critical }}"
          echo "Very high count: ${{ needs.job1.outputs.grype-job-output-very-high }}"
          echo "High count: ${{ needs.job1.outputs.grype-job-output-high }}"
          echo "Medium count: ${{ needs.job1.outputs.grype-job-output-medium }}"
          echo "Low count: ${{ needs.job1.outputs.grype-job-output-low }}"
```
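The two examples above only print the counts; the quality gate mentioned in the introduction is left for the workflow author to write. The following POSIX sh gate function is an added example and is not code from the cloudbees-io/grype-plugin repository. The thresholds it applies (zero Critical, zero Very high, at most five High; Medium and Low reported but not gated) are an assumed policy, and the counts fed to it in the demonstration at the bottom are constructed values. In a workflow it would run from a `run:` step after the scan step, with `${{steps.grype-step.outputs.critical-count}}` and the other outputs passed as its arguments, so that a non-zero exit status fails the job.

```shell
#!/bin/sh
# Added example (not part of cloudbees-io/grype-plugin): turn the action's
# severity-count outputs into a pass/fail quality gate for a downstream step.

# is_count VALUE -> exit 0 if VALUE is a non-negative integer, 1 otherwise.
# The outputs are typed as strings, so an empty or garbled value must not be
# silently treated as zero.
is_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# grype_gate CRITICAL VERY_HIGH HIGH MEDIUM LOW [MAX_CRITICAL] [MAX_VERY_HIGH] [MAX_HIGH]
# Exit status: 0 when every gated severity is within its threshold,
#              1 when at least one threshold is exceeded,
#              2 when any count is not a valid integer (fail closed).
# Default thresholds are an assumed policy, not something the plugin defines.
grype_gate() {
  critical=$1 very_high=$2 high=$3 medium=$4 low=$5
  max_critical=${6:-0} max_very_high=${7:-0} max_high=${8:-5}

  # Validate every count before comparing anything.
  for v in "$critical" "$very_high" "$high" "$medium" "$low"; do
    if ! is_count "$v"; then
      echo "gate: invalid count '$v' (expected a non-negative integer)" >&2
      return 2
    fi
  done

  echo "Grype findings: critical=$critical very-high=$very_high high=$high medium=$medium low=$low"

  # Check each gated severity and report every breach, not just the first.
  failed=0
  [ "$critical" -le "$max_critical" ] || { echo "gate: $critical Critical findings exceed limit $max_critical" >&2; failed=1; }
  [ "$very_high" -le "$max_very_high" ] || { echo "gate: $very_high Very high findings exceed limit $max_very_high" >&2; failed=1; }
  [ "$high" -le "$max_high" ] || { echo "gate: $high High findings exceed limit $max_high" >&2; failed=1; }
  return $failed
}

# Demonstration with constructed counts, standing in for the values a workflow
# step would receive from ${{steps.grype-step.outputs.<severity>}}.
grype_gate 0 0 2 7 15 && echo "gate passed"
```

Inside a workflow the `run:` block would contain the two functions followed by a call such as `grype_gate "${{steps.grype-step.outputs.critical-count}}" "${{steps.grype-step.outputs.very-high-count}}" "${{steps.grype-step.outputs.high-count}}" "${{steps.grype-step.outputs.medium-count}}" "${{steps.grype-step.outputs.low-count}}"`; the quoting matters because an empty output would otherwise shift the remaining arguments and be checked against the wrong threshold. The distinct exit status 2 makes a malformed or missing output visible in the job log instead of letting it pass the gate as if it were zero findings.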

License

This code is made available under the MIT license.

References
