slim-container-vulnerability-scanning

@NASA-AMMOS/slim



SKILL.md

name: slim-container-vulnerability-scanning
description: Implement container and dependency vulnerability scanning using Grype for automated security testing in development workflows, CI/CD pipelines, and repository maintenance. Use when setting up security scanning, adding vulnerability detection to projects, implementing pre-commit hooks for security, or scanning Docker containers and package dependencies for vulnerabilities.

Container Vulnerability Scanner

Overview

This skill helps you implement comprehensive vulnerability scanning for containers and software dependencies using Grype, an open-source vulnerability scanner. It provides both manual scanning capabilities and automated integration through pre-commit hooks to detect security vulnerabilities early in the development process.

The skill supports scanning containerized applications, base images, and package manager dependencies (NPM, Maven, PyPI, etc.) to identify known security vulnerabilities before they reach production.

When to Use This Skill

  • Setting up security scanning for new or existing projects
  • Adding vulnerability detection to development workflows
  • Implementing automated security checks in CI/CD pipelines
  • Scanning Docker containers and container images for vulnerabilities
  • Validating base images for security compliance
  • Detecting vulnerable dependencies in package manager files
  • Establishing pre-commit security gates for repository protection
  • Compliance requirements for security scanning and vulnerability management

Prerequisites

Software:

  • Docker or other OCI-compliant container runtime (for container scanning)
  • Python 3.6+ with pip (for pre-commit framework)
  • Git repository (for automated hooks)
  • Grype vulnerability scanner

Skills:

  • Basic knowledge of Docker and containerization
  • Understanding of Git hooks and pre-commit workflows
  • Familiarity with YAML configuration files
  • Knowledge of package managers used in your project

Workflow

Step 1: Install and Verify Grype

First, ensure Grype is installed and operational:

Install Grype:

# macOS (via Homebrew)
brew install anchore/grype/grype

# Linux/WSL
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# Via Go
go install github.com/anchore/grype@latest

Verify installation:

grype version

Step 2: Perform Manual Vulnerability Scans

Start with manual scanning to understand your current security posture:

Scan repository dependencies:

grype dir:.

This scans all package manager dependencies (package.json, requirements.txt, pom.xml, etc.) in the current directory.

Scan a specific container image:

# First build your container
docker build -t my-app:latest .

# Then scan the built image
grype my-app:latest

Scan a remote container image:

grype alpine:latest
grype nginx:1.21

Scan with a severity threshold:

# Exit non-zero on any High or Critical finding; --fail-on sets the exit status
# for findings at or above the given severity, it does not filter the report
grype dir:. --fail-on high

Step 3: Interpret Scan Results

Review scan output to understand vulnerabilities:

  1. Vulnerability Summary: Note the count of vulnerabilities by severity (Critical, High, Medium, Low)
  2. Package Details: Identify which packages contain vulnerabilities
  3. CVE Information: Review specific CVE details and descriptions
  4. Fix Versions: Check if updated package versions are available
  5. Severity Assessment: Prioritize critical and high-severity issues

Address identified vulnerabilities:

  • Update vulnerable packages to patched versions
  • Replace vulnerable base images with secure alternatives
  • Implement security patches or workarounds
  • Document accepted risks for unfixable vulnerabilities

Step 4: Set Up Automated Pre-commit Scanning (Optional)

For automated vulnerability checking before commits, set up pre-commit hooks:

Install pre-commit framework:

pip install pre-commit

Configure pre-commit scanning: Copy the pre-commit configuration to your repository root:

cp assets/pre-commit-config.yml .pre-commit-config.yaml

Initialize pre-commit in your repository:

pre-commit install

Test the setup:

pre-commit run --all-files

The automated scan will:

  • Run before each git push operation
  • Scan repository dependencies using grype dir:.
  • Block pushes if CRITICAL vulnerabilities are detected
  • Provide detailed output for vulnerability remediation
  • Allow bypassing with git push --no-verify if needed

Step 5: Configure CI/CD Integration (Optional)

For automated scanning in your CI/CD pipeline:

GitHub Actions Integration:

  1. Install the Anchore Container Scan action
  2. Add scanning steps to your workflow files
  3. Configure failure thresholds and security policies
  4. Set up vulnerability reporting and notifications

General CI/CD Integration:

  • Add Grype scanning commands to your build pipeline
  • Configure appropriate failure thresholds
  • Implement vulnerability reporting and alerting
  • Archive scan results for compliance and auditing
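As an added example (not part of the slim skill or its assets), a Python gate covering Step 3 and Step 5: it reads Grype's JSON output (`grype dir:. -o json`), lists findings with fix versions in severity order, drops CVE ids recorded on an accepted-risk allowlist, and exits non-zero at a chosen threshold the way --fail-on does. The sample report, package names and CVE ids are constructed placeholders.

```python
import json
import sys

# Grype's severity labels, ranked so a threshold can be compared (added example).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the shape of Grype's JSON output ("matches" list);
# CVE ids, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.3"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "other-pkg", "version": "0.9"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": ["2.0"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.0"}},
]})

def summarize(report_json: str, accepted=frozenset()) -> dict:
    """Count matches by severity and record fix versions; skip accepted CVE ids."""
    counts, findings, ignored = {}, [], []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln["id"] in accepted:        # documented accepted risk (Step 3)
            ignored.append(vuln["id"])
            continue
        sev = vuln.get("severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
        findings.append({"id": vuln["id"], "severity": sev,
                         "package": f'{art["name"]}@{art["version"]}',
                         "fix": ", ".join(vuln.get("fix", {}).get("versions", [])) or "none"})
    findings.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))  # worst first
    return {"counts": counts, "findings": findings, "ignored": ignored}

def gate(summary: dict, fail_on: str = "High") -> bool:
    """Like --fail-on: pass only if no remaining finding is at or above fail_on."""
    limit = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK.get(f["severity"], 0) < limit for f in summary["findings"])

if __name__ == "__main__":  # usage: grype dir:. -o json > report.json; python gate.py report.json
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarize(raw, accepted={"CVE-0000-0002"})
    for f in s["findings"]:
        print(f'{f["severity"]:<9} {f["id"]:<16} {f["package"]}  fix: {f["fix"]}')
    sys.exit(0 if gate(s, "High") else 1)
```

Keep the accepted-risk set in a reviewed file alongside the business justification the skill asks for, rather than hard-coded as in this example.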

Asset Available

Pre-commit Configuration Template

File: assets/pre-commit-config.yml

This template provides a ready-to-use pre-commit hook configuration that:

  • Scans repository dependencies for vulnerabilities
  • Fails builds when CRITICAL vulnerabilities are detected
  • Runs automatically before git push operations
  • Provides clear remediation guidance in output
  • Includes bypass instructions for emergency situations

The configuration uses local repository execution to ensure reliable scanning without external dependencies.

Best Practices

Security Scanning Strategy

  1. Layer Security Scanning: Scan both container images and source dependencies
  2. Regular Scanning: Implement both pre-commit hooks and scheduled scans
  3. Severity Prioritization: Focus on Critical and High severity vulnerabilities first
  4. Base Image Management: Regularly update base container images
  5. Vulnerability Database Updates: Keep Grype database current with grype db update

Development Workflow Integration

  1. Early Detection: Scan during development, not just before deployment
  2. Automated Gates: Use pre-commit hooks to prevent vulnerable code commits
  3. CI/CD Integration: Include vulnerability scanning in build pipelines
  4. Documentation: Track accepted risks and remediation decisions
  5. Team Training: Ensure team understands vulnerability management processes

Performance Optimization

  1. Selective Scanning: Focus on production-bound containers and critical dependencies
  2. Caching: Leverage Grype's database caching for faster repeated scans
  3. Parallel Processing: Run scans in parallel with other build processes
  4. Threshold Management: Set appropriate failure thresholds to balance security and productivity

Troubleshooting

Q: The pre-commit scan is failing with "grype command not found"
A: Ensure Grype is installed and available in your PATH. Run grype version to verify installation. You may need to restart your terminal or update your PATH after installation.

Q: Scans are taking too long to complete
A:

  • Update the Grype database: grype db update
  • Use severity filtering: grype dir:. --fail-on critical
  • Consider scanning only production containers rather than development images

Q: How do I skip the pre-commit scan temporarily?
A: Use git push --no-verify to bypass pre-commit hooks. However, this should be used sparingly and with caution.

Q: The scan found vulnerabilities but no fixes are available
A:

  • Check if alternative packages or base images are available
  • Implement additional security measures (network isolation, runtime protection)
  • Document the accepted risk with business justification
  • Set up monitoring for when patches become available

Q: False positives are blocking development
A:

  • Review vulnerability details to confirm false positive status
  • Use Grype's ignore functionality for confirmed false positives
  • Adjust severity thresholds if appropriate for your risk tolerance
  • Consider using allowlists for specific packages or CVEs

Q: How often should I run vulnerability scans?
A:

  • Pre-commit hooks: Every push (automatic)
  • Full repository scans: Daily or weekly
  • Container image scans: Before each deployment
  • Database updates: Weekly or when new critical vulnerabilities are announced

Additional Resources