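---
# Grype configuration for this repository.
# Keys that are commented out document grype's defaults; only the uncommented
# keys (fail-on-severity, quiet, exclude) change the scanner's behavior.

# enable/disable checking for application updates on startup
# same as GRYPE_CHECK_FOR_APP_UPDATE env var
# check-for-app-update: true

# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman
# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var
# default-image-pull-source: ""

# same as --name; set the name of the target being analyzed
# name: ""

# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
# note: because quiet (below) hides most log output, this exit code is the
# signal CI should gate on
fail-on-severity: 'high'

# the output format of the vulnerability report (options: table, json, cyclonedx)
# same as -o ; GRYPE_OUTPUT env var
# output: "table"

# suppress all output (except for the vulnerability list)
# same as -q ; GRYPE_QUIET env var
quiet: true

# write output report to a file (default is to write to stdout)
# same as --file; GRYPE_FILE env var
# file: ""

# a list of globs to exclude from scanning
# same as --exclude ; GRYPE_EXCLUDE env var
# default is an empty list (exclude: [])
# note: excluded paths are never scanned, so keep this list to test fixtures,
# VCS metadata and tool output rather than real dependency trees
exclude:
  - '**/__fixtures__'
  - '**/.git'
  - '**/megalinter-reports'

# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
# same as --platform; GRYPE_PLATFORM env var
# platform: ""

# If using SBOM input, automatically generate CPEs when packages have none
# add-cpes-if-none: false

# Explicitly specify a linux distribution to use as <distro>:<version> like alpine:3.10
# distro:

# external-sources:
#   enable: false
#   maven:
#     search-upstream-by-sha1: true
#     base-url: https://search.maven.org/solrsearch/select

# db:
#   # check for database updates on execution
#   # same as GRYPE_DB_AUTO_UPDATE env var
#   auto-update: true
#
#   # location to write the vulnerability database cache
#   # same as GRYPE_DB_CACHE_DIR env var
#   cache-dir: "$XDG_CACHE_HOME/grype/db"
#
#   # URL of the vulnerability database
#   # same as GRYPE_DB_UPDATE_URL env var
#   update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
#
#   # it ensures db build is no older than the max-allowed-built-age
#   # set to false to disable check
#   # note: keep this check enabled; a stale database silently misses newly
#   # published vulnerabilities while the scan still reports success
#   validate-age: true
#
#   # Max allowed age for vulnerability database,
#   # age being the time since it was built
#   # Default max age is 120h (or five days)
#   max-allowed-built-age: "120h"

# search:
#   # the search space to look for packages (options: all-layers, squashed)
#   # same as -s ; GRYPE_SEARCH_SCOPE env var
#   scope: "squashed"
#
#   # search within archives that do contain a file index to search against (zip)
#   # note: for now this only applies to the java package cataloger
#   # same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
#   indexed-archives: true
#
#   # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
#   # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
#   # note: for now this only applies to the java package cataloger
#   # same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
#   unindexed-archives: false

# options when pulling directly from a registry via the "registry:" scheme
# registry:
#   # skip TLS verification when communicating with the registry
#   # same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
#   # note: leave false; without verification a spoofed registry can hand the
#   # scanner a tampered image and the scan result is no longer trustworthy
#   insecure-skip-tls-verify: false
#
#   # use http instead of https when connecting to the registry
#   # same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var
#   # note: leave false; plain http also sends the auth credentials below in clear text
#   insecure-use-http: false
#
#   # credentials for specific registries
#   # note: do not commit real credentials to this file; supply them through the
#   # GRYPE_REGISTRY_AUTH_* env vars from the CI secret store instead
#   auth:
#     - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
#       # same as GRYPE_REGISTRY_AUTH_AUTHORITY env var
#       authority: ""
#       # same as GRYPE_REGISTRY_AUTH_USERNAME env var
#       username: ""
#       # same as GRYPE_REGISTRY_AUTH_PASSWORD env var
#       password: ""
#       # note: token and username/password are mutually exclusive
#       # same as GRYPE_REGISTRY_AUTH_TOKEN env var
#       token: ""
#     # - ... # note, more credentials can be provided via config file only

# log:
#   # use structured logging
#   # same as GRYPE_LOG_STRUCTURED env var
#   structured: false
#
#   # the log level; note: detailed logging suppress the ETUI
#   # same as GRYPE_LOG_LEVEL env var
#   # Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging
#   level: "error"
#
#   # location to write the log file (default is not to have a log file)
#   # same as GRYPE_LOG_FILE env var
#   file: ""

# match:
#   # sets the matchers below to use cpes when trying to find
#   # vulnerability matches. The stock matcher is the default
#   # when no primary matcher can be identified
#   java:
#     using-cpes: true
#   python:
#     using-cpes: true
#   javascript:
#     using-cpes: true
#   ruby:
#     using-cpes: true
#   dotnet:
#     using-cpes: true
#   golang:
#     using-cpes: true
#   stock:
#     using-cpes: true

# ignore:
#   # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail
#   # @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225
#   # note: this whole block is commented out, so the rule is NOT active as
#   # written; uncomment `ignore:` and the entry to apply it, and keep a
#   # justification link next to every ignored id so suppressions stay reviewable
#   - vulnerability: CVE-2018-20225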