
feat: add Grype scanner integration with dual-scanner deduplication #102

Open

Aj7Ay wants to merge 4 commits into OWASP:main from Aj7Ay:main

Conversation

@Aj7Ay commented Jun 14, 2026

Closes #50

  • Adds Grype (Anchore) as a second vulnerability scanner alongside Trivy via --scanner {trivy,grype,all}
  • --scanner all runs both scanners and deduplicates results by CVE ID — CVEs confirmed by both scanners are marked as highest-priority findings
  • Adds DOCKSEC_SCANNER environment variable for CI/CD default configuration (no code changes needed)
  • Extends Docker Compose scanning to pass --scanner through to each service scan
  • Adds Scanner Coverage section to HTML/JSON reports showing trivy-only, grype-only, and confirmed-by-both counts
  • Adds colored scanner badges (Trivy / Grype / Both) to the HTML vulnerability table
  • Adds Sources column to CSV reports
  • Updates README with new scanner commands, feature descriptions, and comparison table row

Changes

| File | Description |
| --- | --- |
| docksec/setup_external_tools.py | install_grype() for macOS/Linux/Windows |
| docksec/docker_scanner.py | scan_image_grype(), _parse_grype_output(), _deduplicate_vulnerabilities(), scanner routing, scanner-scoped cache keys |
| docksec/cli.py | --scanner flag + DOCKSEC_SCANNER env var fallback |
| docksec/compose_scanner.py | Passes scanner param to each DockerSecurityScanner |
| docksec/report_generator.py | Scanner coverage stats, badge HTML, Sources column in CSV |
| docksec/templates/report_template.html | Scanner badge CSS + {{SCANNER_COVERAGE_SECTION}} placeholder |
| tests/test_docker_scanner.py | 21 new tests for Grype parsing, deduplication, scanner routing |
| tests/test_report_generator.py | Updated CSV header assertions for new Sources column |
| README.md | New scanner section, feature descriptions, comparison table |

ajay.kumar added 2 commits June 14, 2026 21:48
Closes OWASP#50

- Add `install_grype()` to setup_external_tools.py (macOS/Linux/Windows)
- Add `--scanner {trivy,grype,all}` CLI flag and `DOCKSEC_SCANNER` env var
- Add `_parse_grype_output()` normalizing Grype JSON to DockSec's internal schema
- Add `_deduplicate_vulnerabilities()` merging Trivy + Grype by CVE ID with sources tracking
- Add `scan_image_grype()` method mirroring `scan_image_json()` interface
- Route `run_full_scan()` and `run_image_only_scan()` by scanner mode (trivy/grype/all)
- Add `_cache_key` property scoped to scanner mode to prevent cross-scanner cache hits
- Add Scanner Coverage section to HTML/JSON reports with per-CVE scanner badges
- Add `Sources` column to CSV reports; `scanner_coverage` object to JSON reports
- Pass `scanner` param through `ComposeOrchestrator` to all service scanners
- Update README with `--scanner` usage, env var, and comparison table row
- Add 21 new unit tests (46 total in test_docker_scanner.py, 99 total pass)
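The PR description above says `--scanner all` deduplicates Trivy and Grype results by CVE ID and ranks CVEs confirmed by both scanners first, and the commit message lists `_parse_grype_output()`, `_deduplicate_vulnerabilities()`, the scanner-coverage counts and the scanner-scoped `_cache_key`. The following is an added example illustrating that pipeline end to end; it is not DockSec's code and not the author's. The function names, the shared record shape and the sample reports are assumptions constructed for this example; the Trivy (`Results[].Vulnerabilities[]`) and Grype (`matches[].vulnerability` / `matches[].artifact`) field names follow the scanners' own JSON formats. It goes slightly beyond the description by keying on (CVE ID, package) rather than CVE ID alone, so that the same CVE in two different packages is not collapsed into one finding.

```python
"""Dual-scanner merge: added example, not DockSec's own code. Function names,
the shared record shape and the sample reports below are assumptions."""
import hashlib
import json

# Rank used to keep the more severe rating when the two scanners disagree.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NEGLIGIBLE": 0, "UNKNOWN": 0}


def parse_trivy(report: dict) -> list[dict]:
    """Flatten Trivy's Results[].Vulnerabilities[] into the shared record shape."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "package": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "sources": ["trivy"],
            })
    return findings


def parse_grype(report: dict) -> list[dict]:
    """Flatten Grype's matches[] (vulnerability + artifact) into the same shape."""
    findings = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match.get("artifact", {})
        findings.append({
            "id": vuln["id"],
            "package": artifact.get("name", ""),
            "installed": artifact.get("version", ""),
            "fixed": ", ".join(vuln.get("fix", {}).get("versions") or []),
            "severity": vuln.get("severity", "Unknown").upper(),
            "sources": ["grype"],
        })
    return findings


def deduplicate(*finding_lists: list[dict]) -> list[dict]:
    """Merge on (CVE ID, package): a finding reported by both scanners keeps the
    union of sources and the higher severity, and is ordered first."""
    merged: dict[tuple[str, str], dict] = {}
    for findings in finding_lists:
        for f in findings:
            key = (f["id"], f["package"])
            if key not in merged:
                merged[key] = dict(f, sources=list(f["sources"]))  # copy, do not alias
                continue
            kept = merged[key]
            kept["sources"] += [s for s in f["sources"] if s not in kept["sources"]]
            if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(kept["severity"], 0):
                kept["severity"] = f["severity"]
            kept["fixed"] = kept["fixed"] or f["fixed"]
    # Confirmed-by-both first, then by severity, then by ID for a stable report order.
    return sorted(merged.values(),
                  key=lambda f: (-len(f["sources"]), -SEVERITY_RANK.get(f["severity"], 0), f["id"]))


def scanner_coverage(findings: list[dict]) -> dict[str, int]:
    """Counts for a Scanner Coverage section: trivy-only, grype-only, confirmed by both."""
    counts = {"trivy_only": 0, "grype_only": 0, "both": 0}
    for f in findings:
        srcs = set(f["sources"])
        if srcs == {"trivy", "grype"}:
            counts["both"] += 1
        elif srcs == {"trivy"}:
            counts["trivy_only"] += 1
        elif srcs == {"grype"}:
            counts["grype_only"] += 1
    return counts


def cache_key(image: str, scanner: str) -> str:
    """Scanner-scoped cache key so a cached trivy result never satisfies a grype or all scan."""
    return hashlib.sha256(f"{image}|{scanner}".encode()).hexdigest()


def merge_scanner_output(trivy_stdout: str, grype_stdout: str) -> dict:
    """What a `--scanner all` run does with the two scanners' JSON stdout."""
    findings = deduplicate(parse_trivy(json.loads(trivy_stdout)),
                           parse_grype(json.loads(grype_stdout)))
    return {"vulnerabilities": findings, "scanner_coverage": scanner_coverage(findings)}


# Constructed sample scanner output; the CVE IDs are placeholders, not real advisories.
TRIVY_SAMPLE = json.dumps({"Results": [{"Target": "example.test/app:1.0", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.0.1",
     "FixedVersion": "3.0.2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2.11",
     "FixedVersion": "", "Severity": "MEDIUM"}]}]})
GRYPE_SAMPLE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"versions": ["3.0.2"]}},
     "artifact": {"name": "openssl", "version": "3.0.1"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low", "fix": {"versions": []}},
     "artifact": {"name": "curl", "version": "7.88.1"}}]})

if __name__ == "__main__":
    print(json.dumps(merge_scanner_output(TRIVY_SAMPLE, GRYPE_SAMPLE), indent=2))
```

Running the block prints the merged findings with the openssl CVE first (sources `["trivy", "grype"]`, severity raised to the higher of the two ratings) and a `scanner_coverage` object of one trivy-only, one grype-only and one confirmed-by-both finding. The `cache_key` function shows the point of scoping the cache by scanner mode: the same image produces different keys for `trivy`, `grype` and `all`, so a cached single-scanner result cannot be served for a dual-scanner request.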
Comment thread on tests/test_docker_scanner.py (outdated):

```python
"""Test run_full_scan routes correctly for scanner='grype'."""
from docksec.docker_scanner import DockerSecurityScanner

grype_json = json.dumps({
```
@codecov-commenter


Codecov Report

❌ Patch coverage is 60.53551% with 339 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@9bcbf4f). Learn more about missing BASE report.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| docksec/docker_scanner.py | 45.52% | 207 Missing ⚠️ |
| docksec/setup_external_tools.py | 0.00% | 63 Missing ⚠️ |
| docksec/report_generator.py | 65.51% | 30 Missing ⚠️ |
| docksec/cli.py | 52.27% | 21 Missing ⚠️ |
| docksec/compose_scanner.py | 77.50% | 18 Missing ⚠️ |
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #102   +/-   ##
=======================================
  Coverage        ?   63.73%           
=======================================
  Files           ?       19           
  Lines           ?     3441           
  Branches        ?        0           
=======================================
  Hits            ?     2193           
  Misses          ?     1248           
  Partials        ?        0           
| Flag | Coverage Δ |
| --- | --- |
| unittests | 63.73% <60.53%> (?) |


ajay.kumar added 2 commits June 19, 2026 20:15
…rype_mode

Resolves ruff F841 lint failure in CI — the variable was built but never
consumed since scan_image_grype is patched directly in the test.
… Grype

Upstream promoted DockSec from Incubator to Lab Project; kept Grype in
the scanner list from our branch.
Development

Successfully merging this pull request may close these issues.

[FEATURE] Add Grype as an alternative/complementary vulnerability scanner to Trivy

3 participants