
feat: add Grype scanner integration with dual-scanner deduplication #102

Open

Aj7Ay wants to merge 2 commits into OWASP:main from Aj7Ay:main

Conversation

@Aj7Ay Aj7Ay commented Jun 14, 2026

Closes #50

  • Adds Grype (Anchore) as a second vulnerability scanner alongside Trivy via --scanner {trivy,grype,all}
  • --scanner all runs both scanners and deduplicates results by CVE ID — CVEs confirmed by both scanners are marked as highest-priority findings
  • Adds DOCKSEC_SCANNER environment variable for CI/CD default configuration (no code changes needed)
  • Extends Docker Compose scanning to pass --scanner through to each service scan
  • Adds Scanner Coverage section to HTML/JSON reports showing trivy-only, grype-only, and confirmed-by-both counts
  • Adds colored scanner badges (Trivy / Grype / Both) to the HTML vulnerability table
  • Adds Sources column to CSV reports
  • Updates README with new scanner commands, feature descriptions, and comparison table row

Changes

| File | Description |
| --- | --- |
| docksec/setup_external_tools.py | install_grype() for macOS/Linux/Windows |
| docksec/docker_scanner.py | scan_image_grype(), _parse_grype_output(), _deduplicate_vulnerabilities(), scanner routing, scanner-scoped cache keys |
| docksec/cli.py | --scanner flag + DOCKSEC_SCANNER env var fallback |
| docksec/compose_scanner.py | Passes scanner param to each DockerSecurityScanner |
| docksec/report_generator.py | Scanner coverage stats, badge HTML, Sources column in CSV |
| docksec/templates/report_template.html | Scanner badge CSS + {{SCANNER_COVERAGE_SECTION}} placeholder |
| tests/test_docker_scanner.py | 21 new tests for Grype parsing, deduplication, scanner routing |
| tests/test_report_generator.py | Updated CSV header assertions for new Sources column |
| README.md | New scanner section, feature descriptions, comparison table |

Aj7ay7 added 2 commits June 14, 2026 21:48
Closes OWASP#50

- Add `install_grype()` to setup_external_tools.py (macOS/Linux/Windows)
- Add `--scanner {trivy,grype,all}` CLI flag and `DOCKSEC_SCANNER` env var
- Add `_parse_grype_output()` normalizing Grype JSON to DockSec's internal schema
- Add `_deduplicate_vulnerabilities()` merging Trivy + Grype by CVE ID with sources tracking
- Add `scan_image_grype()` method mirroring `scan_image_json()` interface
- Route `run_full_scan()` and `run_image_only_scan()` by scanner mode (trivy/grype/all)
- Add `_cache_key` property scoped to scanner mode to prevent cross-scanner cache hits
- Add Scanner Coverage section to HTML/JSON reports with per-CVE scanner badges
- Add `Sources` column to CSV reports; `scanner_coverage` object to JSON reports
- Pass `scanner` param through `ComposeOrchestrator` to all service scanners
- Update README with `--scanner` usage, env var, and comparison table row
- Add 21 new unit tests (46 total in test_docker_scanner.py, 99 total pass)
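As an added example that is not part of this PR or of the DockSec code base: the normalization of Trivy and Grype JSON into one internal schema, the CVE-keyed merge with per-finding source tracking, the scanner-coverage counts for the report, and a cache key scoped to the scanner mode, as described in the PR description and the commit message above. The function names (parse_trivy_output, parse_grype_output, deduplicate_vulnerabilities, scanner_coverage, cache_key) and the internal schema fields (id, package, installed, fixed, severity, sources) are hypothetical and are not DockSec's own. The sample JSON is constructed: its field names follow the layouts of real Trivy and Grype output but it is trimmed to the fields used, and the CVE IDs, package names and versions are made up. It goes beyond the text in one respect: the merge is keyed on (CVE ID, package name) rather than CVE ID alone, so the same CVE reported against two different packages stays as two rows.

```python
"""Added example (not DockSec's own code): normalize Trivy and Grype JSON to one
schema, merge by (CVE ID, package), track sources, and summarize coverage."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample scanner output, trimmed to the fields used below. Field names
# follow the real Trivy and Grype JSON layouts; the CVEs and packages are made up.
TRIVY_JSON = {
    "Results": [{
        "Target": "example:latest (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2099-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "MEDIUM"},
        ],
    }]
}
GRYPE_JSON = {
    "matches": [
        {"vulnerability": {"id": "CVE-2099-0001", "severity": "High",
                           "fix": {"versions": ["1.0.1"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-2099-0003", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libthird", "version": "0.9.0"}},
    ]
}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def parse_trivy_output(data: dict) -> List[Dict]:
    """Flatten Trivy's per-target results into the (hypothetical) internal schema."""
    findings = []
    for result in data.get("Results", []):
        # Trivy omits "Vulnerabilities" entirely for a clean target, hence the `or []`.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "package": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "sources": ["trivy"],
            })
    return findings


def parse_grype_output(data: dict) -> List[Dict]:
    """Flatten Grype's match list into the same schema (Grype title-cases severity)."""
    findings = []
    for match in data.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        findings.append({
            "id": vuln["id"],
            "package": artifact["name"],
            "installed": artifact.get("version", ""),
            "fixed": ", ".join(vuln.get("fix", {}).get("versions", [])),
            "severity": vuln.get("severity", "Unknown").upper(),
            "sources": ["grype"],
        })
    return findings


def deduplicate_vulnerabilities(*scanner_results: List[Dict]) -> List[Dict]:
    """Merge findings from any number of scanners. The same (CVE, package) from two
    scanners becomes one row carrying both sources; the higher severity and any known
    fix version win. Rows confirmed by both scanners sort first, then by severity."""
    merged: Dict[Tuple[str, str], Dict] = {}
    for findings in scanner_results:
        for f in findings:
            key = (f["id"], f["package"])
            if key not in merged:
                merged[key] = {**f, "sources": list(f["sources"])}
                continue
            row = merged[key]
            for src in f["sources"]:
                if src not in row["sources"]:
                    row["sources"].append(src)
            if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(row["severity"], 0):
                row["severity"] = f["severity"]
            row["fixed"] = row["fixed"] or f["fixed"]
    for row in merged.values():
        row["confirmed_by_both"] = len(row["sources"]) >= 2
    return sorted(merged.values(), key=lambda r: (not r["confirmed_by_both"],
                                                  -SEVERITY_RANK.get(r["severity"], 0), r["id"]))


def scanner_coverage(findings: List[Dict]) -> Dict[str, int]:
    """Counts for a Scanner Coverage section: trivy-only, grype-only, confirmed by both."""
    coverage = {"trivy_only": 0, "grype_only": 0, "both": 0}
    for f in findings:
        sources = set(f["sources"])
        if sources >= {"trivy", "grype"}:
            coverage["both"] += 1
        elif sources == {"trivy"}:
            coverage["trivy_only"] += 1
        elif sources == {"grype"}:
            coverage["grype_only"] += 1
    return coverage


def cache_key(image_ref: str, scanner: str) -> str:
    """Scope the result cache to the scanner mode, so a 'trivy' run is never served a
    cached 'grype' or 'all' result for the same image (hypothetical key layout)."""
    return hashlib.sha256(f"{image_ref}|{scanner}".encode()).hexdigest()[:16]


if __name__ == "__main__":
    merged = deduplicate_vulnerabilities(parse_trivy_output(TRIVY_JSON),
                                         parse_grype_output(GRYPE_JSON))
    for row in merged:
        print(row["id"], row["package"], row["severity"], "/".join(row["sources"]))
    print(scanner_coverage(merged))
```

Run against the constructed samples, the merge yields three rows: CVE-2099-0001 carries both sources and sorts to the top, the Grype-only critical finding comes next, and the Trivy-only medium finding last. The coverage counts are one of each category. Note that the same finding still appears as one row when the two scanners disagree on severity case or on the fix string; the merge normalizes case on parse and keeps whichever scanner supplied a fix version, which is the sort of detail worth a test in tests/test_docker_scanner.py.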

Development

Successfully merging this pull request may close these issues.

[FEATURE] Add Grype as an alternative/complementary vulnerability scanner to Trivy