diff --git a/README.md b/README.md
index 8bcb7e73a..77915b32d 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ trunk check enable {linter}
 | Ruby | [brakeman], [rubocop], [rufo], [semgrep], [standardrb] |
 | Rust | [clippy], [rustfmt] |
 | Scala | [scalafmt] |
-| Security | [checkov], [dustilock], [nancy], [osv-scanner], [snyk], [tfsec], [trivy], [trufflehog], [terrascan] |
+| Security | [checkov], [dustilock], [grype], [nancy], [osv-scanner], [snyk], [tfsec], [trivy], [trufflehog], [terrascan] |
 | SQL | [sqlfluff], [sqlfmt], [sql-formatter], [squawk] |
 | SVG | [svgo] |
 | Swift | [stringslint], [swiftlint], [swiftformat] |
@@ -129,6 +129,7 @@ trunk check enable {linter}
 [golangci-lint]: https://github.com/golangci/golangci-lint#readme
 [golines]: https://pkg.go.dev/github.com/segmentio/golines
 [google-java-format]: https://github.com/google/google-java-format#readme
+[grype]: https://github.com/anchore/grype#readme
 [graphql-schema-linter]: https://github.com/cjoudrey/graphql-schema-linter#readme
 [hadolint]: https://github.com/hadolint/hadolint#readme
 [haml-lint]: https://github.com/sds/haml-lint#readme
diff --git a/linters/grype/grype.test.ts b/linters/grype/grype.test.ts
new file mode 100644
index 000000000..760c9fb9f
--- /dev/null
+++ b/linters/grype/grype.test.ts
@@ -0,0 +1,8 @@
+import { customLinterCheckTest } from "tests";
+import { TEST_DATA } from "tests/utils";
+
+customLinterCheckTest({
+ linterName: "grype",
+ testName: "fs-vuln",
+ args: TEST_DATA,
+});
diff --git a/linters/grype/plugin.yaml b/linters/grype/plugin.yaml
new file mode 100644
index 000000000..0d690ef2d
--- /dev/null
+++ b/linters/grype/plugin.yaml
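Review bot: The snapshot this test produces depends on the state of grype's vulnerability database at run time rather than only on `test_data/Gemfile.lock`, so the SARIF findings for these pinned gems will grow as new advisories are published and the test will drift without any code change. Unless `customLinterCheckTest` already pins the database or normalizes the output (not visible here), the expected output should be reduced to a stable subset or the DB pinned for the test. A one-line comment above the call, `// findings depend on the live grype DB; snapshot may need periodic refresh`, would at least make that drift expected rather than surprising.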
@@ -0,0 +1,51 @@
+version: 0.1
+downloads:
+ - name: grype
+ downloads:
+ - os:
+ linux: linux
+ macos: darwin
+ cpu:
+ x86_64: amd64
+ arm_64: arm64
+ url: https://github.com/anchore/grype/releases/download/v${version}/grype_${version}_${os}_${cpu}.tar.gz
+ - os: windows
+ cpu:
+ x86_64: amd64
+ arm_64: arm64
+ url: https://github.com/anchore/grype/releases/download/v${version}/grype_${version}_windows_${cpu}.zip
+tools:
+ definitions:
+ - name: grype
+ download: grype
+ shims: [grype]
+ known_good_version: 0.110.0
+lint:
+ definitions:
+ - name: grype
+ files: [lockfile]
+ tools: [grype]
+ known_good_version: 0.110.0
+ description: Vulnerability scanner for container images, filesystems, and SBOMs
+ commands:
+ - name: fs-vuln
+ output: sarif
+ run: grype file:${target} -o sarif --quiet
+ read_output_from: stdout
+ success_codes: [0]
+ batch: false
+ is_security: true
+ direct_configs:
+ - .grype.yaml
+ - .grype.yml
+ - .grype/config.yaml
+ - .grype/config.yml
+ suggest_if: files_present
+ version_command:
+ parse_regex: Version:\\s+${semver}
+ run: grype version
+ environment:
+ - name: GRYPE_DB_CACHE_DIR
+ value: ${shared_cachedir}/grype/db
+ - name: PATH
+ list: ["${linter}", "${env.PATH}"]
diff --git a/linters/grype/test_data/Gemfile.lock b/linters/grype/test_data/Gemfile.lock
new file mode 100644
index 000000000..77738968f
--- /dev/null
+++ b/linters/grype/test_data/Gemfile.lock
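Review bot: The `parse_regex: Version:\\s+${semver}` line under `version_command` looks wrong as written: in an unquoted YAML plain scalar a backslash is not an escape character, so the regex engine receives `\\s+`, i.e. a literal backslash followed by one or more `s`, which can never match `grype version` output of the form `Version: 0.110.0`. If the doubled backslash is not an artifact of how this diff was rendered, `parse_regex: Version:\s+${semver}` (or simply `Version: ${semver}`) is what was intended. Separately, grype reaches out to the network on each invocation to refresh its vulnerability database and, by default, to check for a newer grype release; with `batch: false` that happens once per lockfile. Consider adding an `environment` entry setting `GRYPE_CHECK_FOR_APP_UPDATE` to `false` so lint runs fetch only the DB, which this config already directs into `${shared_cachedir}/grype/db`.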
@@ -0,0 +1,178 @@
+GEM
+ remote: https://rubygems.org/
+ specs:
+ actioncable (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ nio4r (~> 2.0)
+ websocket-driver (>= 0.6.1)
+ actionmailer (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ actionview (= 5.2.8.1)
+ activejob (= 5.2.8.1)
+ mail (~> 2.5, >= 2.5.4)
+ rails-dom-testing (~> 2.0)
+ actionpack (5.2.8.1)
+ actionview (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
+ rack (~> 2.0, >= 2.0.8)
+ rack-test (>= 0.6.3)
+ rails-dom-testing (~> 2.0)
+ rails-html-sanitizer (~> 1.0, >= 1.0.2)
+ actionpack-page_caching (1.2.4)
+ actionpack (>= 4.0.0)
+ actionview (5.2.8.1)
+ activesupport (= 5.2.8.1)
+ builder (~> 3.1)
+ erubi (~> 1.4)
+ rails-dom-testing (~> 2.0)
+ rails-html-sanitizer (~> 1.0, >= 1.0.3)
+ activejob (5.2.8.1)
+ activesupport (= 5.2.8.1)
+ globalid (>= 0.3.6)
+ activemodel (5.2.8.1)
+ activesupport (= 5.2.8.1)
+ activerecord (5.2.8.1)
+ activemodel (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
+ arel (>= 9.0)
+ activestorage (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ activerecord (= 5.2.8.1)
+ marcel (~> 1.0.0)
+ activesupport (5.2.8.1)
+ concurrent-ruby (~> 1.0, >= 1.0.2)
+ i18n (>= 0.7, < 2)
+ minitest (~> 5.1)
+ tzinfo (~> 1.1)
+ arel (9.0.0)
+ bindex (0.8.1)
+ builder (3.2.4)
+ byebug (11.1.3)
+ coffee-rails (5.0.0)
+ coffee-script (>= 2.2.0)
+ railties (>= 5.2.0)
+ coffee-script (2.4.1)
+ coffee-script-source
+ execjs
+ coffee-script-source (1.12.2)
+ concurrent-ruby (1.2.0)
+ crass (1.0.6)
+ date (3.3.3)
+ erubi (1.12.0)
+ execjs (2.8.1)
+ globalid (1.1.0)
+ activesupport (>= 5.0)
+ i18n (1.12.0)
+ concurrent-ruby (~> 1.0)
+ jbuilder (2.11.5)
+ actionview (>= 5.0.0)
+ activesupport (>= 5.0.0)
+ jquery-rails (4.5.1)
+ rails-dom-testing (>= 1, < 3)
+ railties (>= 4.2.0)
+ thor (>= 0.14, < 2.0)
+ json (2.6.3)
+ loofah (2.19.1)
+ crass (~> 1.0.2)
+ nokogiri (>= 1.5.9)
+ mail (2.8.1)
+ mini_mime (>= 0.1.1)
+ net-imap
+ net-pop
+ net-smtp
+ marcel (1.0.2)
+ method_source (1.0.0)
+ mini_mime (1.1.2)
+ minitest (5.17.0)
+ net-imap (0.3.4)
+ date
+ net-protocol
+ net-pop (0.1.2)
+ net-protocol
+ net-protocol (0.2.1)
+ timeout
+ net-smtp (0.3.3)
+ net-protocol
+ nio4r (2.5.8)
+ nokogiri (1.14.1)
+ racc (~> 1.4)
+ puma (4.3.12)
+ nio4r (~> 2.0)
+ racc (1.6.2)
+ rack (2.2.6.2)
+ rack-test (2.0.2)
+ rack (>= 1.3)
+ rails (5.2.8.1)
+ actioncable (= 5.2.8.1)
+ actionmailer (= 5.2.8.1)
+ actionpack (= 5.2.8.1)
+ actionview (= 5.2.8.1)
+ activejob (= 5.2.8.1)
+ activemodel (= 5.2.8.1)
+ activerecord (= 5.2.8.1)
+ activestorage (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
+ bundler (>= 1.3.0)
+ railties (= 5.2.8.1)
+ sprockets-rails (>= 2.0.0)
+ rails-dom-testing (2.0.3)
+ activesupport (>= 4.2.0)
+ nokogiri (>= 1.6)
+ rails-html-sanitizer (1.5.0)
+ loofah (~> 2.19, >= 2.19.1)
+ railties (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
+ method_source
+ rake (>= 0.8.7)
+ thor (>= 0.19.0, < 2.0)
+ rake (13.0.6)
+ spring (1.6.2)
+ sprockets (4.2.0)
+ concurrent-ruby (~> 1.0)
+ rack (>= 2.2.4, < 4)
+ sprockets-rails (3.4.2)
+ actionpack (>= 5.2)
+ activesupport (>= 5.2)
+ sprockets (>= 3.0.0)
+ sqlite3 (1.3.11)
+ thor (1.2.1)
+ thread_safe (0.3.6)
+ timeout (0.3.1)
+ turbolinks (5.2.1)
+ turbolinks-source (~> 5.2)
+ turbolinks-source (5.2.0)
+ tzinfo (1.2.11)
+ thread_safe (~> 0.1)
+ uglifier (2.7.2)
+ execjs (>= 0.3.0)
+ json (>= 1.8.0)
+ web-console (3.7.0)
+ actionview (>= 5.0)
+ activemodel (>= 5.0)
+ bindex (>= 0.4.0)
+ railties (>= 5.0)
+ websocket-driver (0.7.5)
+ websocket-extensions (>= 0.1.0)
+ websocket-extensions (0.1.5)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ actionpack-page_caching (= 1.2.4)
+ byebug (~> 11.1.0)
+ coffee-rails (~> 5.0.0)
+ jbuilder (~> 2.0)
+ jquery-rails
+ puma
+ rails (>= 5.0.0.beta1, < 7.0.5)
+ spring
+ sqlite3
+ turbolinks
+ tzinfo-data
+ uglifier (>= 1.3.0)
+ web-console (~> 3.0)
+
+BUNDLED WITH
+ 2.4.6
diff --git a/tests/repo_tests/config_check.test.ts b/tests/repo_tests/config_check.test.ts
index 73ecb0384..ef7ff295f 100644
--- a/tests/repo_tests/config_check.test.ts
+++ b/tests/repo_tests/config_check.test.ts
@@ -149,6 +149,7 @@ describe("Global config health check", () => {
 "git-diff-check",
 "gofmt",
 "golangci-lint2",
+ "grype",
 "hadolint",
 "haml-lint",
 "isort",