In today’s fast-paced software development environment, security must be a first-class citizen in every phase of the deployment process.
By integrating security scanning tools such as Syft and Grype into your CI/CD workflows, you can catch vulnerabilities early—well before your code reaches production.
This article will guide you through the benefits of these tools and provide a practical example of how to integrate them into your CI/CD pipeline.
Table of Contents
What Are Syft and Grype?
Syft
Syft is an open-source CLI tool developed by Anchore that generates a Software Bill of Materials (SBOM) for container images and file systems. An SBOM provides a comprehensive inventory of the software components present in your application, including libraries, dependencies, and binaries. This inventory is critical for understanding what’s in your build and forms the basis for vulnerability scanning.
Grype
Grype, also from Anchore, is a vulnerability scanner designed to work seamlessly with the SBOM produced by Syft. It identifies known vulnerabilities in your software components by comparing them against public vulnerability databases. Grype supports scanning container images, file systems, and even SBOMs directly.
Why Integrate Syft and Grype into CI/CD?
Early Detection of Vulnerabilities
- Shift-Left Security: By scanning early in the CI/CD pipeline, security issues are identified before they propagate into later stages of deployment.
- Automated Compliance: Continuous scanning helps ensure that your builds remain compliant with security policies and industry regulations.
Increased Visibility and Accountability
- Accurate SBOMs: With Syft, you gain an accurate view of your application’s components, making it easier to manage dependencies and track their vulnerabilities.
- Actionable Insights: Grype’s detailed vulnerability reports provide actionable insights that empower developers and security teams to address issues promptly.
Reduced Remediation Costs
- Preventive Measures: Fixing vulnerabilities early in the development process is usually less costly and disruptive than remediating them post-deployment.
- Enhanced Collaboration: Integrating security scans in CI/CD fosters a culture of DevSecOps where developers are directly involved in maintaining security hygiene.
How to Integrate into Your CI/CD Pipeline
Step 1: Generate an SBOM with Syft
Integrate Syft in your CI/CD pipeline to automatically generate an SBOM for your container images or build artifacts. This SBOM is the foundation for subsequent vulnerability scans.
Step 2: Scan for Vulnerabilities with Grype
After generating the SBOM, run Grype to scan for known vulnerabilities in the listed components. Configure Grype to fail the build if critical vulnerabilities are found, ensuring that insecure code does not progress further down the pipeline.
Step 3: Automate and Enforce
Automate these steps using your CI/CD tool of choice (e.g., GitHub Actions, GitLab CI, Jenkins). Enforce security policies by marking builds as failed when high-risk vulnerabilities are detected. This process ensures continuous feedback to developers regarding the security state of their code.
Example: GitHub Actions Workflow
Below is an example of how you can integrate Syft and Grype into a GitHub Actions workflow. This workflow generates an SBOM from a container image, scans it for vulnerabilities, and fails the build if any critical vulnerabilities are found.
name: Security Scan
on:
push:
branches:
- main
pull_request:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v2
- name: Install Syft
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Generate SBOM
run: |
# Replace <image> with your container image name or use a directory path
syft <image> -o cyclonedx-json > sbom.json
- name: Install Grype
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
- name: Scan for Vulnerabilities
run: |
# Scan the container image or the SBOM for vulnerabilities
grype <image> --fail-on high
# Alternatively, scan using the generated SBOM:
# grype sbom:sbom.json --fail-on highIn this workflow:
- Syft is used to create an SBOM for your specified container image.
- Grype scans the image or SBOM for vulnerabilities, and if any high-severity issues are detected, the workflow is configured to fail.
Example: Jenkins pipeline
pipeline {
agent any
environment {
IMAGE_NAME = "my-image:latest"
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Build Image') {
steps {
script {
// Build your Docker image
sh 'docker build -t ${IMAGE_NAME} .'
}
}
}
stage('Generate SBOM with Syft') {
steps {
script {
// Install Syft if not already available
sh 'curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin'
// Generate SBOM in CycloneDX format
sh 'syft ${IMAGE_NAME} -o cyclonedx-json > sbom.json'
}
}
}
stage('Scan for Vulnerabilities with Grype') {
steps {
script {
// Install Grype if not already available
sh 'curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin'
// Scan the image and fail the build if high-severity vulnerabilities are found
sh 'grype ${IMAGE_NAME} --fail-on high'
// Alternatively, you can scan using the generated SBOM:
// sh 'grype sbom:sbom.json --fail-on high'
}
}
}
}
post {
always {
archiveArtifacts artifacts: 'sbom.json', fingerprint: true
}
}
}
Example: Executing Syft and Grype in the Terminal
The following examples demonstrate how to use Syft to generate a Software Bill of Materials (SBOM) and Grype to scan for vulnerabilities in a container image. These commands are executed in a terminal and showcase real-world outputs.
Syft: Generating an SBOM for an Image
By running the following command, Syft analyzes the alpine:latest image and lists all discovered software packages:
❯ syft scan alpine:latest
✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9869168ffced1cb25b2470a3d9fe15e
✔ Cataloged contents 757d680068d77be46fd1ea20fb21db16f150468c5e7079a08a2e4705aec096ac
├── ✔ Packages [15 packages]
├── ✔ File digests [82 files]
├── ✔ File metadata [82 locations]
└── ✔ Executables [17 executables]
NAME VERSION TYPE
alpine-baselayout 3.6.8-r1 apk
alpine-baselayout-data 3.6.8-r1 apk
alpine-keys 2.5-r0 apk
alpine-release 3.21.3-r0 apk
apk-tools 2.14.6-r3 apk
busybox 1.37.0-r12 apk
busybox-binsh 1.37.0-r12 apk
ca-certificates-bundle 20241121-r1 apk
libcrypto3 3.3.3-r0 apk
libssl3 3.3.3-r0 apk
musl 1.2.5-r9 apk
musl-utils 1.2.5-r9 apk
scanelf 1.3.8-r1 apk
ssl_client 1.37.0-r12 apk
zlib 1.3.1-r2 apk
❯Grype: Scanning for Vulnerabilities in an Image
Once an SBOM is generated, you can use Grype to scan the same image for known vulnerabilities:
❯ grype alpine:latest
✔ Vulnerability DB [updated]
✔ Parsed image sha256:8d591b0b7dea080ea3be9e12ae563eebf9869168ffced1cb25b2470a3d9fe15e
✔ Cataloged contents 757d680068d77be46fd1ea20fb21db16f150468c5e7079a08a2e4705aec096ac
├── ✔ Packages [15 packages]
├── ✔ File digests [82 files]
├── ✔ File metadata [82 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities foundBest Practices for CI/CD Security Scanning
- Regularly Update Tools: Keep Syft, Grype, and your vulnerability databases up-to-date to ensure you catch the latest vulnerabilities.
- Define Severity Thresholds: Use Grype’s options (e.g.,–fail-on high) to enforce your organization’s security standards.
- Integrate with Other Security Tools: Combine these scans with static analysis (SAST), dynamic analysis (DAST), and dependency scanning for a comprehensive security posture.
- Monitor and Alert: Set up notifications for failed scans so your development team can respond promptly.
Summary
Integrating Syft and Grype into your CI/CD workflows is an effective way to shift security left and catch vulnerabilities early in the development lifecycle. By generating SBOMs and automatically scanning for vulnerabilities, you not only reduce the risk of deploying insecure code but also foster a culture of continuous security improvement. Start incorporating these tools into your pipeline today and build a stronger, more resilient deployment process.