add new target to scan docker image

anthony-nhs · anthony-nhs · commit c5812a49616e · 2026-03-31T16:49:25.000Z
diff --git a/README.md b/README.md
@@ -186,6 +186,7 @@ Check targets (`check.mk`)
 - `grype-scan-json` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grype_analysis.json
 - `grype-scan-json-dev-dependencies` - Uses grype to scan for vulnerabilities. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies. Outputs file to .sbom/grype_analysis.dev.json
 - `grype-scan-local` - Uses grype to scan local folders for vulnerabilities. This is installed as a pre-commit hook in each project.
+- `grype-scan-docker-image` - Uses grype to scan a docker image for vulnerabilities. This image to scan must be set in the environment variable DOCKER_IMAGE
 - `grant-scan` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies.
 - `grant-scan-dev-dependencies` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom-dev-dependencies` target to find dependencies.
 - `grant-scan-json` - Uses grant to scan for possible incompatible licenses. Uses an sbom generated by `syft-generate-sbom` target to find dependencies. Outputs file to .sbom/grant_analysis.json
diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk
@@ -132,6 +132,13 @@ grype-scan-local:
 	grype \
 		--fail-on high \
 		.
+
+grype-scan-docker-image: guard-DOCKER_IMAGE
+	grype "${DOCKER_IMAGE}" \
+		--scope all-layers \
+		--sort-by severity \
+		--fail-on high
+
 grant-scan: syft-generate-sbom
 	grant check \
 		.sbom/sbom.cdx.json
