I use the grype security scanner to scan my docker image. I also run grype itself as a docker container, with the following command:
docker run -v ./grype-config:/config -e "DOCKER_CONFIG=/config" anchore/grype:latest -c "/config/config.yaml" my-own-image
In the current directory I have a sub directory grype-config which contains the file config.yaml with the following content:
# the output format of the vulnerability report (options: table, json, cyclonedx)
# same as -o ; GRYPE_OUTPUT env var
output: "json"
ignore:
# We can make rules to match just by vulnerability ID:
- vulnerability: CVE-2023-5156
- vulnerability: CVE-2023-4813
- vulnerability: CVE-2023-4806
- vulnerability: CVE-2016-20013
- vulnerability: CVE-2022-27943
- vulnerability: CVE-2022-27943
The output from grype is the following:
NAME        INSTALLED              FIXED-IN  TYPE  VULNERABILITY   SEVERITY
libc6       2.35-0ubuntu3.4                  deb   CVE-2023-5156   Medium
libc6       2.35-0ubuntu3.4                  deb   CVE-2023-4813   Low
libc6       2.35-0ubuntu3.4                  deb   CVE-2023-4806   Low
libc6       2.35-0ubuntu3.4                  deb   CVE-2016-20013  Negligible
libgcc-s1   12.3.0-1ubuntu1~22.04            deb   CVE-2022-27943  Low
libstdc++6  12.3.0-1ubuntu1~22.04            deb   CVE-2022-27943  Low
Obviously grype ignores my config.yaml, as it uses the output format table, not the output format json set in config.yaml.
Does anyone know how to fix this?
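One way to tell from a grype JSON report whether the ignore rules in a config like the one above actually took effect, as an added example that is not part of the question and not grype's own code: it applies the question's ignore rules to a report constructed from the six table rows, using the same matching semantics grype documents for ignore rules (every criterion given in a rule must match; a rule with only `vulnerability` suppresses that ID in every package, adding `package.name`/`version`/`type` narrows it). The JSON layout assumed here (a top-level `matches` list with `vulnerability.id` and `artifact.name`/`version`/`type`) is grype's, but the helper and function names are this example's own, and it also flags the duplicated CVE-2022-27943 rule in the config.

```python
"""Apply grype-style ignore rules to a grype JSON report and check the result.

Added example, not from the question or the grype project. Assumes grype's
JSON layout: report["matches"][i]["vulnerability"]["id"] and
report["matches"][i]["artifact"]["name" | "version" | "type"].
"""

# The ignore rules exactly as listed in the question's config.yaml
# (including the repeated CVE-2022-27943 entry).
IGNORE_RULES = [
    {"vulnerability": "CVE-2023-5156"},
    {"vulnerability": "CVE-2023-4813"},
    {"vulnerability": "CVE-2023-4806"},
    {"vulnerability": "CVE-2016-20013"},
    {"vulnerability": "CVE-2022-27943"},
    {"vulnerability": "CVE-2022-27943"},
]


def _match(name, version, vuln_id, severity, pkg_type="deb"):
    """Build one match entry in grype's JSON shape (constructed sample data)."""
    return {
        "vulnerability": {"id": vuln_id, "severity": severity},
        "artifact": {"name": name, "version": version, "type": pkg_type},
    }


# Constructed report mirroring the six rows of the table output in the question,
# i.e. what grype printed when the config was NOT picked up.
SAMPLE_REPORT = {
    "matches": [
        _match("libc6", "2.35-0ubuntu3.4", "CVE-2023-5156", "Medium"),
        _match("libc6", "2.35-0ubuntu3.4", "CVE-2023-4813", "Low"),
        _match("libc6", "2.35-0ubuntu3.4", "CVE-2023-4806", "Low"),
        _match("libc6", "2.35-0ubuntu3.4", "CVE-2016-20013", "Negligible"),
        _match("libgcc-s1", "12.3.0-1ubuntu1~22.04", "CVE-2022-27943", "Low"),
        _match("libstdc++6", "12.3.0-1ubuntu1~22.04", "CVE-2022-27943", "Low"),
    ]
}


def rule_matches(rule, match):
    """True when every criterion present in the rule matches the finding."""
    if "vulnerability" in rule and rule["vulnerability"] != match["vulnerability"]["id"]:
        return False
    pkg = rule.get("package", {})
    artifact = match["artifact"]
    for key in ("name", "version", "type"):
        if key in pkg and pkg[key] != artifact.get(key):
            return False
    return True


def apply_ignore_rules(report, rules):
    """Split report["matches"] into (kept, ignored) as the ignore rules would."""
    kept, ignored = [], []
    for match in report["matches"]:
        if any(rule_matches(rule, match) for rule in rules):
            ignored.append(match)
        else:
            kept.append(match)
    return kept, ignored


def config_was_applied(report, rules):
    """False if any surviving match is still covered by an ignore rule, which
    means the scanner never loaded the config those rules live in."""
    return not any(rule_matches(r, m) for m in report["matches"] for r in rules)


def duplicate_rules(rules):
    """Return rules listed more than once (harmless, but worth cleaning up)."""
    seen, dups = [], []
    for rule in rules:
        if rule in seen:
            if rule not in dups:
                dups.append(rule)
        else:
            seen.append(rule)
    return dups


if __name__ == "__main__":
    kept, ignored = apply_ignore_rules(SAMPLE_REPORT, IGNORE_RULES)
    print("config applied to raw report:", config_was_applied(SAMPLE_REPORT, IGNORE_RULES))
    print("kept:", len(kept), "ignored:", len(ignored))
    print("duplicate rules:", duplicate_rules(IGNORE_RULES))
```

Run against a real `grype -o json` report (load it with `json.load` and pass it as `report`), `config_was_applied` returning False is a quick signal that the config file was not read, independent of which output format happened to be printed; the narrowed-rule form (`{"vulnerability": ..., "package": {"name": ...}}`) shows how to suppress a CVE for one package, such as libgcc-s1, while still seeing it reported for libstdc++6.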