anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

make it possible to specify `-o template=/some/file` multiple times with a different template file for each output file #1531

Open willmurphyscode opened 11 months ago

willmurphyscode commented 11 months ago

Creating a separate issue from this comment: https://github.com/anchore/grype/issues/1512#issuecomment-1736311280

Original comment:

I would like to know how I can achieve multiple template outputs. For example, I would like to generate the following output from a single command:

  1. I want grype to be able to display on stdout
  2. I want grype to be able to generate xml (junit) and html reports at the same time while also displaying on stdout
grype <image> --only-fixed --fail-on high -o template=/report.html -t=/usr/local/share/grype/templates/grype-html.tpl -o template=/report.xml -t=/usr/local/share/grype/templates/grype-junit.tpl

The above command doesn't work. It created 2 report outputs but used only the last template, which is junit.

OnceUponALoop commented 5 months ago

One way we've been dealing with this in our pipelines is by using syft output as the grype input for multiple templates.

Generate the syft json

Generating syft.json

$ syft debian:buster-20230904-slim -o syft-json > syft.json
 ✔ Parsed image                                sha256:9394e77e52a09d33bea94c95877ff295f8a240f90d928810dd036837be9cf1d4
 ✔ Parsed image                                sha256:9394e77e52a09d33bea94c95877ff295f8a240f90d928810dd036837be9cf1d4
 ✔ Cataloged contents                                 e91ddf251506ef5fb5c694a74cd3d0cb7b83eed167364bee3567e9d77915a8ef
   ├── ✔ Packages                        [85 packages]
   ├── ✔ File metadata                   [71 locations]
   └── ✔ Executables                     [697 executables]

Use Syft as input to Grype

Here we can run grype multiple times; since the scan is already done by syft, the turnaround is pretty fast.

In this example I generate the html report and junit report back to back.

$ grype sbom:syft.json --output template --template grype-html-dt.tmpl > report.html
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [161 vulnerability matches]
   ├── by severity: 1 critical, 31 high, 40 medium, 11 low, 62 negligible (16 unknown)
   └── by status:   33 fixed, 128 not-fixed, 0 ignored
$ grype sbom:syft.json --output template --template grype-junit.tmpl > test-results.xml
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [161 vulnerability matches]
   ├── by severity: 1 critical, 31 high, 40 medium, 11 low, 62 negligible (16 unknown)
   └── by status:   33 fixed, 128 not-fixed, 0 ignored
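A script that automates the workaround above (syft once, grype once per template) is added here as an example; it is not grype's code nor the commenter's. It assumes `syft` and `grype` are on PATH (override with the SYFT/GRYPE variables) and takes report pairs as TEMPLATE:OUTPUT; the point it adds is that grype's `--fail-on` exit status is held back until every report has been written, since a plain `set -e` pipeline would stop after the first failing grype run and never produce the JUnit file.

```shell
#!/bin/sh
# Added example, not grype's own code: scan once with syft, then render
# several grype templates from the same SBOM (the workaround above).
set -u

SYFT="${SYFT:-syft}"      # assumed binary names; override via environment
GRYPE="${GRYPE:-grype}"

# scan_image IMAGE SBOM_PATH : write the syft JSON SBOM once.
scan_image() {
    "$SYFT" "$1" -o syft-json > "$2"
}

# render_reports SBOM_PATH FAIL_ON TEMPLATE:OUTPUT [TEMPLATE:OUTPUT ...]
# Runs grype once per pair. A tripped --fail-on gate (non-zero exit) is
# remembered but only returned after every report has been written, so a
# failing build still gets its HTML and JUnit reports.
render_reports() {
    sbom=$1; fail_on=$2; shift 2
    status=0
    for pair in "$@"; do
        tpl=${pair%%:*}
        out=${pair#*:}
        if [ "$tpl" = "$pair" ] || [ -z "$tpl" ] || [ -z "$out" ]; then
            echo "bad TEMPLATE:OUTPUT pair: $pair" >&2
            return 2
        fi
        "$GRYPE" "sbom:$sbom" --only-fixed --fail-on "$fail_on" \
            --output template --template "$tpl" > "$out" || {
            rc=$?
            if [ "$status" -eq 0 ]; then status=$rc; fi
        }
    done
    return "$status"
}

# Usage: ./multi-report.sh IMAGE TEMPLATE:OUTPUT [TEMPLATE:OUTPUT ...]
main() {
    image=$1; shift
    scan_image "$image" syft.json
    render_reports syft.json high "$@"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

For the two reports in the comment above, the call is `./multi-report.sh debian:buster-20230904-slim grype-html-dt.tmpl:report.html grype-junit.tmpl:test-results.xml`.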