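#
#  Author: Hari Sekhon
#  Date: 2022-01-10 17:54:24 +0000 (Mon, 10 Jan 2022)
#
#  vim:ts=2:sts=2:sw=2:et
#
#  https://github.com/HariSekhon/DevOps-Bash-tools
#
#  License: see accompanying Hari Sekhon LICENSE file
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
#  https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                                  G r y p e
# ============================================================================ #

# Grype vulnerability scanner configuration.
#
# Every key below has an equivalent GRYPE_* environment variable (noted next to
# each key). Use the env var, not this file, for anything secret or runner
# specific so the committed config stays free of credentials.
#
# https://github.com/anchore/grype#configuration

---
# enable/disable checking for application updates on startup
# note: this is an outbound network call on every invocation - set to false on
#       air-gapped or egress-restricted runners
# same as GRYPE_CHECK_FOR_APP_UPDATE env var
check-for-app-update: true

# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
#
# SECURITY: while this is empty a scan never fails, so a CI job using this config
#           passes regardless of findings - set a threshold (eg. "high") here or
#           pass --fail-on in the pipeline if the scan is meant to gate a build
#
# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
fail-on-severity: ''

# the output format of the vulnerability report (options: table, json, cyclonedx)
# same as -o ; GRYPE_OUTPUT env var
output: "table"

# suppress all output (except for the vulnerability list)
# same as -q ; GRYPE_QUIET env var
quiet: false

# write output report to a file (default is to write to stdout)
# same as --file; GRYPE_FILE env var
file: ""

# a list of globs to exclude from scanning, for example:
# exclude:
#   - '/etc/**'
#   - './out/**/*.json'
# same as --exclude ; GRYPE_EXCLUDE env var
#
# explicit empty list rather than a bare 'exclude:' (a bare key parses as null)
# note: every exclusion is a blind spot in the scan - keep this list minimal
exclude: []

db:
  # check for database updates on execution
  # note: outbound call to update-url below on every run - set to false and
  #       pre-populate cache-dir when running without network access
  # same as GRYPE_DB_AUTO_UPDATE env var
  auto-update: true

  # location to write the vulnerability database cache
  # NOTE(review): relies on grype expanding $XDG_CACHE_HOME itself (YAML does not)
  #               - if the var is unset on a runner, confirm where the db lands
  # same as GRYPE_DB_CACHE_DIR env var
  cache-dir: "$XDG_CACHE_HOME/grype/db"

  # URL of the vulnerability database
  # SECURITY: keep this an https URL you trust - the listing fetched from here
  #           decides which vulnerability db every scan result is based on
  # same as GRYPE_DB_UPDATE_URL env var
  update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"

search:
  # the search space to look for packages (options: all-layers, squashed)
  # note: "squashed" scans the final merged filesystem; "all-layers" also
  #       catches packages that were deleted in later layers (more noise,
  #       more coverage)
  # same as -s ; GRYPE_SEARCH_SCOPE env var
  scope: "squashed"

  # search within archives that do contain a file index to search against (zip)
  # note: for now this only applies to the java package cataloger
  # same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
  indexed-archives: true

  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
  # note: decompressing archives found inside an untrusted image also exposes the
  #       scanner host to decompression bombs (disk/time exhaustion)
  # note: for now this only applies to the java package cataloger
  # same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
  unindexed-archives: false

# options when pulling directly from a registry via the "registry:" scheme
registry:
  # skip TLS verification when communicating with the registry
  # SECURITY: leave false - without verification a man-in-the-middle can serve a
  #           tampered image and capture the credentials below; for a registry
  #           with a private CA, trust that CA on the host instead
  # same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
  insecure-skip-tls-verify: false

  # use http instead of https when connecting to the registry
  # SECURITY: leave false - plain http sends registry credentials and image
  #           content in cleartext
  # same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var
  insecure-use-http: false

  # credentials for specific registries
  #
  # SECURITY: do not put real credentials in this file if it is committed to
  #           version control - leave the fields empty and supply them through
  #           the GRYPE_REGISTRY_AUTH_* env vars from the CI secret store
  auth:
    - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
      # same as GRYPE_REGISTRY_AUTH_AUTHORITY env var
      authority: ""
      # same as GRYPE_REGISTRY_AUTH_USERNAME env var
      username: ""
      # same as GRYPE_REGISTRY_AUTH_PASSWORD env var
      password: ""
      # note: token and username/password are mutually exclusive
      # same as GRYPE_REGISTRY_AUTH_TOKEN env var
      token: ""
    #- ... # note, more credentials can be provided via config file only

log:
  # use structured logging
  # same as GRYPE_LOG_STRUCTURED env var
  structured: false

  # the log level; note: detailed logging suppresses the ETUI
  # same as GRYPE_LOG_LEVEL env var
  #
  # deliberately left unset: setting it here prevents specifying -v on the
  # command line, although GRYPE_LOG_LEVEL still works
  #level: "error"

  # location to write the log file (default is not to have a log file)
  # note: at debug/trace levels the log can include registry URLs and request
  #       details - treat a log file written to a shared runner as sensitive
  # same as GRYPE_LOG_FILE env var
  file: ""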