-
Notifications
You must be signed in to change notification settings - Fork 5
/
grype.yaml
72 lines (56 loc) · 2.26 KB
/
grype.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# enable/disable checking for application updates on startup
# same as GRYPE_CHECK_FOR_APP_UPDATE env var
check-for-app-update: false
# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
fail-on-severity: ''
# the output format of the vulnerability report (options: table, json, cyclonedx)
# same as -o ; GRYPE_OUTPUT env var
output: "table"
# suppress all output (except for the vulnerability list)
# same as -q ; GRYPE_QUIET env var
quiet: false
# write output report to a file (default is to write to stdout)
# same as --file; GRYPE_FILE env var
file: ""
# a list of globs to exclude from scanning, for example:
# exclude:
# - '/etc/**'
# - './out/**/*.json'
# same as --exclude ; GRYPE_EXCLUDE env var
exclude: []
# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
# same as --platform; GRYPE_PLATFORM env var
platform: ""
# If using SBOM input, automatically generate CPEs when packages have none
add-cpes-if-none: false
# Explicitly specify a linux distribution to use as <distro>:<version> like alpine:3.10
distro:
db:
# check for database updates on execution
# same as GRYPE_DB_AUTO_UPDATE env var
auto-update: true
# location to write the vulnerability database cache
# same as GRYPE_DB_CACHE_DIR env var
cache-dir: "$XDG_CACHE_HOME/grype/db"
# URL of the vulnerability database
# same as GRYPE_DB_UPDATE_URL env var
update-url: "https://threat-intel.deepfence.io/vulnerability-db/listing.json"
# it ensures db build is no older than the max-allowed-built-age
# set to false to disable check
validate-age: false
# Max allowed age for vulnerability database,
# age being the time since it was built
# Default max age is 120h (or five days)
max-allowed-built-age: "120h"
log:
# use structured logging
# same as GRYPE_LOG_STRUCTURED env var
structured: false
# the log level; note: detailed logging suppress the ETUI
# same as GRYPE_LOG_LEVEL env var
level: "error"
# location to write the log file (default is not to have a log file)
# same as GRYPE_LOG_FILE env var
file: ""