-
Notifications
You must be signed in to change notification settings - Fork 72
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: GitHub <[email protected]>
- Loading branch information
1 parent
30f88bd
commit daed14e
Showing
86 changed files
with
1,073 additions
and
176 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
70 changes: 70 additions & 0 deletions
70
content/chainguard/chainguard-images/reference/grype/_index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| --- | ||
| title: "Image Overview: grype" | ||
| linktitle: "grype" | ||
| type: "article" | ||
| layout: "single" | ||
| description: "Overview: grype Chainguard Image" | ||
| date: 2022-11-01T11:07:52+02:00 | ||
| lastmod: 2022-11-01T11:07:52+02:00 | ||
| draft: false | ||
| tags: ["Reference", "Chainguard Images", "Product"] | ||
| images: [] | ||
| menu: | ||
| docs: | ||
| parent: "images-reference" | ||
| weight: 500 | ||
| toc: true | ||
| --- | ||
|
|
||
| {{< tabs >}} | ||
| {{< tab title="Overview" active=true url="/chainguard/chainguard-images/reference/grype/" >}} | ||
| {{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/grype/image_specs/" >}} | ||
| {{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/grype/tags_history/" >}} | ||
| {{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/grype/provenance_info/" >}} | ||
| {{</ tabs >}} | ||
|
|
||
|
|
||
|
|
||
| Minimalist Wolfi-based grype images for signing and verifying images using Sigstore. | ||
|
|
||
| - [Documentation](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype) | ||
| - [Provenance Information](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype/provenance_info/) | ||
| <!-- TODO: add Getting Started Guide - [Getting Started Guide](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype/getting-started-grype/) --> | ||
|
|
||
| ## Image Variants | ||
|
|
||
| Our `latest` tag uses the most recent build of the [Wolfi grype](https://github.com/wolfi-dev/os/blob/main/grype.yaml) package. The following tagged variant is available without authentication: | ||
|
|
||
| - `latest`: This is an image for running `grype` commands. It does not include a shell or other applications. | ||
|
|
||
| ### grype help | ||
| This will automatically pull the image to your local system and execute the command `grype help`: | ||
|
|
||
| ```shell | ||
| docker run --rm cgr.dev/chainguard/grype help | ||
|
|
||
|
|
||
| A vulnerability scanner for container images, filesystems, and SBOMs. | ||
|
|
||
| Supports the following image sources: | ||
| grype yourrepo/yourimage:tag defaults to using images from a Docker daemon | ||
| grype path/to/yourproject a Docker tar, OCI tar, OCI directory, SIF container, or generic filesystem directory | ||
|
|
||
| You can also explicitly specify the scheme to use: | ||
| grype podman:yourrepo/yourimage:tag explicitly use the Podman daemon | ||
| grype docker:yourrepo/yourimage:tag explicitly use the Docker daemon | ||
| grype docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save" | ||
| grype oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Podman or otherwise) | ||
| grype oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise) | ||
| grype singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk | ||
| grype dir:path/to/yourproject read directly from a path on disk (any directory) | ||
| grype sbom:path/to/syft.json read Syft JSON from path on disk | ||
| grype registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required) | ||
| grype purl:path/to/purl/file read a newline separated file of purls from a path on disk | ||
|
|
||
| You can also pipe in Syft JSON directly: | ||
| syft yourimage:tag -o json | grype | ||
|
|
||
| Usage: | ||
| grype [command] | ||
| ``` |
71 changes: 71 additions & 0 deletions
71
content/chainguard/chainguard-images/reference/grype/image_specs.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| --- | ||
| title: "grype Image Variants" | ||
| type: "article" | ||
| unlisted: true | ||
| description: "Detailed information about the public grype Chainguard Image variants" | ||
| date: 2023-03-07T11:07:52+02:00 | ||
| lastmod: 2023-03-07T11:07:52+02:00 | ||
| draft: false | ||
| tags: ["Reference", "Chainguard Images", "Product"] | ||
| images: [] | ||
| weight: 550 | ||
| toc: true | ||
| --- | ||
|
|
||
| {{< tabs >}} | ||
| {{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/grype/" >}} | ||
| {{< tab title="Variants" active=true url="/chainguard/chainguard-images/reference/grype/image_specs/" >}} | ||
| {{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/grype/tags_history/" >}} | ||
| {{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/grype/provenance_info/" >}} | ||
| {{</ tabs >}} | ||
|
|
||
| This page shows detailed information about all public variants of the Chainguard **grype** Image. | ||
|
|
||
| ## Variants Compared | ||
| The **grype** Chainguard Image currently has 2 public variants: | ||
|
|
||
| - `latest-dev` | ||
| - `latest` | ||
|
|
||
| The table has detailed information about each of these variants. | ||
|
|
||
| | | latest-dev | latest | | ||
| |--------------|------------------|------------------| | ||
| | Default User | `nonroot` | `nonroot` | | ||
| | Entrypoint | `/usr/bin/grype` | `/usr/bin/grype` | | ||
| | CMD | `help` | `help` | | ||
| | Workdir | not specified | not specified | | ||
| | Has apk? | yes | no | | ||
| | Has a shell? | yes | yes | | ||
|
|
||
| Check the [tags history page](/chainguard/chainguard-images/reference/grype/tags_history/) for the full list of available tags. | ||
|
|
||
| ## Packages Included | ||
| The table shows package distribution across variants. | ||
|
|
||
| | | latest-dev | latest | | ||
| |--------------------------|------------|--------| | ||
| | `apk-tools` | X | | | ||
| | `bash` | X | | | ||
| | `busybox` | X | X | | ||
| | `ca-certificates-bundle` | X | X | | ||
| | `git` | X | | | ||
| | `glibc` | X | X | | ||
| | `glibc-locale-posix` | X | X | | ||
| | `grype` | X | X | | ||
| | `ld-linux` | X | X | | ||
| | `libbrotlicommon1` | X | | | ||
| | `libbrotlidec1` | X | | | ||
| | `libcrypt1` | X | X | | ||
| | `libcrypto3` | X | | | ||
| | `libcurl-openssl4` | X | | | ||
| | `libexpat1` | X | | | ||
| | `libnghttp2-14` | X | | | ||
| | `libpcre2-8-0` | X | | | ||
| | `libssl3` | X | | | ||
| | `ncurses` | X | | | ||
| | `ncurses-terminfo-base` | X | | | ||
| | `openssl-config` | X | | | ||
| | `wolfi-baselayout` | X | X | | ||
| | `zlib` | X | | | ||
|
|
72 changes: 72 additions & 0 deletions
72
content/chainguard/chainguard-images/reference/grype/provenance_info.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| --- | ||
| title: "Provenance Information for grype Images" | ||
| type: "article" | ||
| unlisted: true | ||
| description: "Provenance information for grype Chainguard Image" | ||
| date: 2022-11-01T11:07:52+02:00 | ||
| lastmod: 2022-11-01T11:07:52+02:00 | ||
| draft: false | ||
| tags: ["Reference", "Chainguard Images", "Product"] | ||
| images: [] | ||
| weight: 600 | ||
| toc: true | ||
| --- | ||
|
|
||
| {{< tabs >}} | ||
| {{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/grype/" >}} | ||
| {{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/grype/image_specs/" >}} | ||
| {{< tab title="Tags History" active=false url="/chainguard/chainguard-images/reference/grype/tags_history/" >}} | ||
| {{< tab title="Provenance" active=true url="/chainguard/chainguard-images/reference/grype/provenance_info/" >}} | ||
| {{</ tabs >}} | ||
|
|
||
| All Chainguard Images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image built and have a detailed list of everything that is packed within. | ||
|
|
||
| ## Verifying Image Signatures | ||
| The **grype** Chainguard Images are signed using Sigstore, and you can check the included signatures using `cosign`. | ||
|
|
||
| The following command requires [cosign](https://docs.sigstore.dev/cosign/overview/) and [jq](https://stedolan.github.io/jq/) to be installed on your machine. It will pull detailed information about all signatures found for the provided image. | ||
|
|
||
| ```shell | ||
| cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/grype | jq | ||
| ``` | ||
|
|
||
| By default, this command will fetch signatures for the `latest` tag. You can also specify the tag you want to fetch signatures for. | ||
|
|
||
| ## Downloading and Verifying SBOMs | ||
|
|
||
| All Chainguard Images come with a high-quality Software Bill Of Materials (SBOM) attested at build-time. The SBOM can be downloaded using the cosign tool: | ||
|
|
||
| ```shell | ||
| cosign download attestation \ | ||
| --predicate-type=https://spdx.dev/Document \ | ||
| cgr.dev/chainguard/grype | jq -r .payload | base64 -d | jq | ||
| ``` | ||
| By default, this command will fetch the SBOM assigned to the `latest` tag. You can also specify the tag you want to fetch the SBOM from. | ||
|
|
||
| With cosign 2.0+, you can use the `cosign verify-attestation` command to check the signature of an SBOM: | ||
|
|
||
| ```shell | ||
| cosign verify-attestation \ | ||
| --type https://spdx.dev/Document \ | ||
| --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
| --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \ | ||
| cgr.dev/chainguard/grype | ||
| ``` | ||
|
|
||
| And you should get output that verifies the SBOM signature in cosign's transparency log: | ||
|
|
||
| ``` | ||
| Verification for cgr.dev/chainguard/grype -- | ||
| The following checks were performed on each of these signatures: | ||
| - The cosign claims were validated | ||
| - Existence of the claims in the transparency log was verified offline | ||
| - The code-signing certificate was verified using trusted certificate authority certificates | ||
| Certificate subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main | ||
| Certificate issuer URL: https://token.actions.githubusercontent.com | ||
| GitHub Workflow Trigger: schedule | ||
| GitHub Workflow SHA: da283c26829d46c2d2883de5ff98bee672428696 | ||
| GitHub Workflow Name: .github/workflows/release.yaml | ||
| GitHub Workflow Trigger chainguard-images/images | ||
| GitHub Workflow Ref: refs/heads/main | ||
| ... | ||
| ``` |
30 changes: 30 additions & 0 deletions
30
content/chainguard/chainguard-images/reference/grype/tags_history.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| --- | ||
| title: "grype Image Tags History" | ||
| type: "article" | ||
| unlisted: true | ||
| description: "Image Tags and History for the grype Chainguard Image" | ||
| date: 2023-06-22T11:07:52+02:00 | ||
| lastmod: 2023-06-22T11:07:52+02:00 | ||
| draft: false | ||
| tags: ["Reference", "Chainguard Images", "Product"] | ||
| images: [] | ||
| weight: 700 | ||
| toc: true | ||
| --- | ||
|
|
||
| {{< tabs >}} | ||
| {{< tab title="Overview" active=false url="/chainguard/chainguard-images/reference/grype/" >}} | ||
| {{< tab title="Variants" active=false url="/chainguard/chainguard-images/reference/grype/image_specs/" >}} | ||
| {{< tab title="Tags History" active=true url="/chainguard/chainguard-images/reference/grype/tags_history/" >}} | ||
| {{< tab title="Provenance" active=false url="/chainguard/chainguard-images/reference/grype/provenance_info/" >}} | ||
| {{</ tabs >}} | ||
|
|
||
| The following table contains the most recent tags and digests that can be used to pin your Dockerfile to a specific build of this image. Check our guide on [Using the Tag History API](/chainguard/chainguard-images/using-the-tag-history-api/) for information on how to fetch all tags from an image and how to pin your Dockerfile to a specific digest. | ||
|
|
||
| Please note that digests and timestamps only change when there is a change to the image, even though images are rebuilt every night. The "Last Changed" column indicates when the image was last modified, and doesn't always reflect the latest build timestamp. For more information about how our reproducible builds work, please refer to [this blog post](https://www.chainguard.dev/unchained/reproducing-chainguards-reproducible-image-builds). | ||
|
|
||
| | Tag (s) | Last Changed | Digest | | ||
| |---------------|--------------|---------------------------------------------------------------------------| | ||
| | `latest-dev` | October 16th | `sha256:919fb131a6c56a455aaf64e7b22999cb9d0b962b39c4d414309ef9427cb3a040` | | ||
| | `latest` | October 16th | `sha256:164f3587296ac2871ddfca0f3d424bc69cd82a52880f61c4422c55b52587b504` | | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.