---
variables:
  SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY}
  SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER}
  SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD}
  GRYPE_FAIL_ON_THRESHOLD: critical
  GRYPE_EXTRA_ARGS: ""
  GRYPE_DEFAULT_ARGS: --only-fixed
  GRYPE_CVE_BLACKLIST_REGEX: CVE-xxx

.grype:
  image: docker.io/alpine:3
  stage: test
  script:
    - |
      TARGET_IMAGE=${IMAGE_NAME:-${CI_REGISTRY_IMAGE}}:${IMAGE_DEV_TAG:-${IMAGE_TAG:-latest}}
      echo "[*] Target image: ${TARGET_IMAGE}"
    - wget -qO- https://raw.githubusercontent.com/anchore/syft/main/install.sh |
      sh -s -- -b /usr/local/bin
    - wget -qO- https://raw.githubusercontent.com/anchore/grype/main/install.sh
      | sh -s -- -b /usr/local/bin
    # 0) get the SBOM from syft
    - syft packages ${TARGET_IMAGE} -o json > ${CI_PROJECT_DIR}/syft.json
    # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities
    - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file
      ${CI_PROJECT_DIR}/grype.txt
    # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively.
    - cat ${CI_PROJECT_DIR}/grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} &&
      exit 1 || exit 0
    # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD
    - grype sbom:${CI_PROJECT_DIR}/syft.json --output=table --file
      ${CI_PROJECT_DIR}/grype.txt --fail-on ${GRYPE_FAIL_ON_THRESHOLD}
      ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS}
  artifacts:
    paths:
      - syft.json
      - grype.txt
    when: always
  allow_failure: true

grype:
  extends: .grype
  needs:
    - job: image:build
      optional: true