
Commit 3ae300e

committed
add grype ignore
1 parent 026d590 commit 3ae300e

3 files changed

Lines changed: 30 additions & 13 deletions


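--- a/.github/workflows/build_multi_arch_image.yml
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -111,17 +111,6 @@ jobs:
 CONTAINER_NAME: '${{ inputs.container_name }}'
 BASE_FOLDER: "${{ inputs.base_folder }}"
 IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
-- name: Show docker vulnerability output
-if: always()
-run: |
-echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
-if [ -f ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt" ]; then
-cat ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt"
-fi
-env:
-CONTAINER_NAME: '${{ inputs.container_name }}'
-ARCHITECTURE: '${{ matrix.arch }}'
-DOCKER_TAG: '${{ inputs.docker_tag }}'
 - name: Push tagged image and rebuild for github actions
 run: |
 echo "Pushing image..."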

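--- a/.grype.yaml
+++ b/.grype.yaml
@@ -0,0 +1,29 @@
+ignore:
+# Ignore specific CVEs
+- vulnerability: CVE-2025-4517
+- vulnerability: CVE-2025-68121
+- vulnerability: GHSA-p77j-4mvh-x3m3
+- vulnerability: GHSA-vmwr-mc7x-5vc3
+- vulnerability: CVE-2025-4330
+- vulnerability: CVE-2025-4435
+- vulnerability: CVE-2025-4138
+- vulnerability: CVE-2025-8194
+- vulnerability: CVE-2025-13836
+- vulnerability: CVE-2024-9287
+- vulnerability: CVE-2025-61726
+- vulnerability: CVE-2026-4519
+- vulnerability: CVE-2026-25679
+- vulnerability: CVE-2025-61725
+- vulnerability: CVE-2025-61723
+- vulnerability: CVE-2025-61729
+- vulnerability: GHSA-4vrq-3vrq-g6gg
+- vulnerability: CVE-2025-58187
+- vulnerability: CVE-2026-27137
+- vulnerability: CVE-2025-47907
+- vulnerability: CVE-2025-61731
+- vulnerability: GHSA-9h8m-3fm2-qjrq
+- vulnerability: CVE-2025-61732
+- vulnerability: GHSA-4c29-8rgm-jvjj
+- vulnerability: CVE-2025-58188
+- vulnerability: CVE-2025-4674
+- vulnerability: GHSA-x744-4wpc-v9h2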
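Review bot: Every one of the 28 ignore rules in this new file is unscoped and unexplained, so each suppresses every match of that id in any package, in any layer, indefinitely; and since the Makefile in this same commit adds `--fail-on high`, this list is now the thing that decides whether a scan passes. Each rule should say why it is accepted and be narrowed to the package it was triaged against, e.g. replace `- vulnerability: CVE-2025-4517` with `- vulnerability: CVE-2025-4517` / `  package:` / `    name: <PACKAGE_NAME>` and, where the finding is unfixed upstream, `fix-state: not-fixed` so the rule lapses once a fix ships; grype also supports a per-rule `reason:` field for the justification. The single `# Ignore specific CVEs` comment does not carry that information; at minimum add a comment per entry with the triage reason and a review date. Note that several ids here are GHSA advisories rather than CVEs, so the comment is also slightly misleading as written.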

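--- a/Makefile
+++ b/Makefile
@@ -94,12 +94,11 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG
 --load \
 -t "${CONTAINER_PREFIX}$${BASE_IMAGE_NAME}:githubactions-$${IMAGE_TAG}" \
 .
-
 scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \
 --scope all-layers \
 --sort-by severity \
---file ".grype_out/grype_${CONTAINER_NAME}_${IMAGE_TAG}.txt"
+--fail-on high
 
 scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG
 grype "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" \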
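Review bot: `--fail-on high` in `scan-image` is now combined with `--scope all-layers`, so a high or critical finding in an intermediate layer that the final image no longer contains will still fail the build, which is presumably what drove the large unscoped ignore list added alongside it; if the gate is meant to reflect the shipped image, `--scope squashed` (grype's default) is the better pairing, or keep `all-layers` for the report-only `scan-image-json` target and gate on squashed. Dropping `--file` means the report now exists only in the job log, which is consistent with removing the "Show docker vulnerability output" step in the workflow, but worth stating in a comment above the target, e.g. `# Gates the build: exits non-zero on any non-ignored high/critical match (see .grype.yaml); report goes to stdout`. Consider `--only-fixed` as well, so unfixable findings do not need an ignore entry each. The `scan-image-json` recipe continues past the end of the hunk.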
