-
Notifications
You must be signed in to change notification settings - Fork 0
/
.grype.yaml
166 lines (132 loc) · 5.33 KB
/
.grype.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# enable/disable checking for application updates on startup
# same as GRYPE_CHECK_FOR_APP_UPDATE env var
check-for-app-update: true
# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman
# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var
default-image-pull-source: ""
# same as --name; set the name of the target being analyzed
name: ""
# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
fail-on-severity: ""
# the output format of the vulnerability report (options: table, json, cyclonedx)
# same as -o ; GRYPE_OUTPUT env var
output: "table"
# suppress all output (except for the vulnerability list)
# same as -q ; GRYPE_QUIET env var
quiet: false
# write output report to a file (default is to write to stdout)
# same as --file; GRYPE_FILE env var
file: ""
# a list of globs to exclude from scanning, for example:
# exclude:
# - '/etc/**'
# - './out/**/*.json'
# same as --exclude ; GRYPE_EXCLUDE env var
exclude: []
# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
# same as --platform; GRYPE_PLATFORM env var
platform: ""
# If using SBOM input, automatically generate CPEs when packages have none
add-cpes-if-none: false
# Explicitly specify a linux distribution to use as <distro>:<version> like alpine:3.10
distro:
external-sources:
enable: false
maven:
search-upstream-by-sha1: true
base-url: https://search.maven.org/solrsearch/select
db:
# check for database updates on execution
# same as GRYPE_DB_AUTO_UPDATE env var
auto-update: true
# location to write the vulnerability database cache
# same as GRYPE_DB_CACHE_DIR env var
cache-dir: "$HOME/grype/db"
# URL of the vulnerability database
# same as GRYPE_DB_UPDATE_URL env var
update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
# it ensures db build is no older than the max-allowed-built-age
# set to false to disable check
validate-age: true
# Max allowed age for vulnerability database,
# age being the time since it was built
# Default max age is 120h (or five days)
max-allowed-built-age: "120h"
search:
# the search space to look for packages (options: all-layers, squashed)
# same as -s ; GRYPE_SEARCH_SCOPE env var
#scope: "squashed"
scope: "all-layers"
# search within archives that do contain a file index to search against (zip)
# note: for now this only applies to the java package cataloger
# same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
indexed-archives: true
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
# note: for now this only applies to the java package cataloger
# same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
unindexed-archives: false
# options when pulling directly from a registry via the "registry:" scheme
registry:
# skip TLS verification when communicating with the registry
# same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
insecure-skip-tls-verify: false
# use http instead of https when connecting to the registry
# same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var
insecure-use-http: false
# filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate
# GRYPE_REGISTRY_CA_CERT env var
ca-cert: ""
# credentials for specific registries
auth:
# the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
# GRYPE_REGISTRY_AUTH_AUTHORITY env var
- authority: ""
# GRYPE_REGISTRY_AUTH_USERNAME env var
username: ""
# GRYPE_REGISTRY_AUTH_PASSWORD env var
password: ""
# note: token and username/password are mutually exclusive
# GRYPE_REGISTRY_AUTH_TOKEN env var
token: ""
# filepath to the client certificate used for TLS authentication to the registry
# GRYPE_REGISTRY_AUTH_TLS_CERT env var
tls-cert: ""
# filepath to the client key used for TLS authentication to the registry
# GRYPE_REGISTRY_AUTH_TLS_KEY env var
tls-key: ""
# - ... # note, more credentials can be provided via config file only (not env vars)
log:
# use structured logging
# same as GRYPE_LOG_STRUCTURED env var
structured: false
# the log level; note: detailed logging suppress the ETUI
# same as GRYPE_LOG_LEVEL env var
# Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging
level: "info"
# location to write the log file (default is not to have a log file)
# same as GRYPE_LOG_FILE env var
file: ""
match:
# sets the matchers below to use cpes when trying to find
# vulnerability matches. The stock matcher is the default
# when no primary matcher can be identified.
java:
using-cpes: false
python:
using-cpes: false
javascript:
using-cpes: false
ruby:
using-cpes: false
dotnet:
using-cpes: false
golang:
using-cpes: false
# even if CPE matching is disabled, make an exception when scanning for "stdlib".
always-use-cpe-for-stdlib: true
stock:
using-cpes: true