Summary
In light of the recent security incident involving the Trivy supply chain (GHSA-69fq-xp46-6x23), it is increasingly important for security-conscious users to have alternatives for vulnerability scanning.
We propose adding official support for Grype by Anchore to the Trunk ecosystem. Grype is a powerful, fast, and widely-used vulnerability scanner for container images and filesystems that serves as an excellent alternative to `trivy fs`.
Why Grype?
- Supply Chain Diversity: Relying on multiple security scanners from different vendors (Aqua Security for Trivy, Anchore for Grype) reduces the risk of a single point of failure in the security supply chain.
- Specialized Vulnerability Scanning: Grype is specifically optimized for scanning filesystems, SBOMs, and container images for vulnerabilities, often providing different or complementary results to Trivy.
- SARIF Support: Grype natively supports SARIF output, making it easy to integrate with Trunk's reporting and GitHub's code scanning features.
- Fast Performance: It is designed to be lightweight and fast, fitting well into Trunk's philosophy of high-performance linting and scanning.
Proposed Implementation
A basic `plugin.yaml` for `grype` would look similar to the following:
- Tools Definition: Download from Anchore's GitHub releases.
- Linter Definition:
  - Scan lockfiles and filesystems.
  - Output format: SARIF.
  - Command: `grype file:${target} -o sarif`.
  - Environment: Configure `GRYPE_DB_CACHE_DIR` to use Trunk's shared cache.
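The outline above, written out as a full definition. This is an added example, not a file from the trunk-plugins project or from Anchore: it follows the shape of other trunk-plugins linter definitions as I recall them (a `downloads` entry, a `tools` definition and a `lint` definition). The release-asset URL pattern, the `files: [lockfile]` filter, the `${cachedir}` variable and the `0.0.0` version are assumptions that should be checked against the current trunk-plugins schema and the grype release page before use.

```yaml
# Added example of a hypothetical trunk-plugins definition for grype.
# Not code from trunk-plugins or Anchore; URL pattern, file type, cache
# variable and version number are assumptions to verify before use.
version: 0.1

downloads:
  - name: grype
    downloads:
      - os:
          linux: linux
          macos: darwin
        cpu:
          x86_64: amd64
          arm_64: arm64
        # Assumed asset naming; verify on https://github.com/anchore/grype/releases
        url: https://github.com/anchore/grype/releases/download/v${version}/grype_${version}_${os}_${cpu}.tar.gz

tools:
  definitions:
    - name: grype
      download: grype
      shims: [grype]
      known_good_version: 0.0.0 # placeholder: pin to a real, reviewed release

lint:
  definitions:
    - name: grype
      description: Scan lockfiles and filesystems for known vulnerabilities with Anchore Grype
      # Assumed: reuse trunk's lockfile file type (Gemfile.lock, package-lock.json, ...)
      files: [lockfile]
      tools: [grype]
      commands:
        - name: lint
          # `file:` scans a single file; `-o sarif` writes SARIF to stdout,
          # which trunk parses into findings. Without --fail-on, grype exits 0
          # even when it reports vulnerabilities, so only 0 is a success code.
          run: grype file:${target} -o sarif
          output: sarif
          read_output_from: stdout
          success_codes: [0]
      environment:
        # Keep the vulnerability DB in trunk's shared cache so it is fetched
        # once per machine rather than once per scanned target.
        - name: GRYPE_DB_CACHE_DIR
          value: ${cachedir}
        - name: PATH
          list: ["${env.PATH}"]
      known_good_version: 0.0.0 # placeholder: keep in sync with the tool version
```

Two practical points when reviewing such a definition: the first run still needs network access to fetch the grype vulnerability database into `GRYPE_DB_CACHE_DIR`, so CI runners without egress need the cache pre-populated; and pinning `known_good_version` to a reviewed release, rather than tracking latest, is what actually gives the supply-chain benefit the proposal argues for.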
Acceptance Criteria
- `grype` is added as a supported linter in `trunk-plugins`.
- `grype` can be enabled via `trunk check enable grype`.
- `grype` correctly identifies vulnerabilities in common lockfiles (e.g., `Gemfile.lock`, `package-lock.json`).
References