---
# a vulnerability scanner for container images and filesystems
# https://github.com/anchore/grype

# yamllint disable rule:line-length

docker:anchore:grype:
  image: registry.gitlab.com/notno/grype
  variables:
    GRYPE_IMAGE: "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"
    GRYPE_SCOPE: "Squashed"
    GRYPE_OUTPUT_FORMAT: "table"
    GRYPE_FAIL_ON: "medium"
  script:
    - |
      skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${GRYPE_IMAGE} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}
      echo "Running grype with following options:"
      echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')"
      echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')"
      echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]"
    - grype version
    - grype --scope=${GRYPE_SCOPE} --fail-on=${GRYPE_FAIL_ON} --output=${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}