@tgerla
Last active March 22, 2024 00:46
Run a Grype scan on all images referenced in a Kubernetes manifest
```bash
#!/bin/bash
#
# Requires: jq, yq (v4), grype, sed
set -euo pipefail

# Check if a file path is provided as a command-line argument
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 path/to/your/deployment.yaml" >&2
    exit 1
fi

# The path to the YAML file is the first command-line argument
yaml_file="$1"

# Ensure the file exists
if [ ! -f "$yaml_file" ]; then
    echo "File not found: $yaml_file" >&2
    exit 1
fi

# Convert YAML to JSON and extract image names (one per line).
# Note: this jq path only matches workloads with a pod template (e.g. a Deployment).
images=$(yq eval -o=json "$yaml_file" | jq -r '.spec.template.spec.containers[].image')

# Loop through each image, reading line by line so names are not word-split
while IFS= read -r image; do
    [ -z "$image" ] && continue
    # Replace "/" and ":" in image names to make them filesystem-friendly
    safe_image_name=$(echo "$image" | sed 's/[\/:]/_/g')
    # Run grype on each image and write its JSON vulnerability report
    # to a file named after the image (grype emits a vulnerability report, not an SBOM)
    echo "Scanning $image with grype..."
    grype "$image" -o json > "${safe_image_name}.grype.json"
    echo "Report for $image saved to ${safe_image_name}.grype.json"
done <<< "$images"

echo "All scans complete."
```
Sample Deployment manifest to scan:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
      - name: syft
        image: anchore/syft:latest
```
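The jq filter in the script only sees `.spec.template.spec.containers` of a single document, so a multi-document manifest, a CronJob, or an `initContainers` entry would be silently skipped, and the script stops at writing the report rather than deciding anything from it. The following Python is an added example (not the gist's code) that generalizes both halves: it walks a JSON stream such as `yq eval -o=json` produces, collects images from every pod spec it knows about, and triages a grype JSON report by severity. It assumes grype's report layout is `{"matches": [{"vulnerability": {"id": ..., "severity": ...}, "artifact": {...}}]}`; the manifest and report below are constructed samples, and the CVE ids are placeholders.

```python
"""Collect container images from Kubernetes manifests and triage a grype report.

Added example, not part of the gist. Assumes the manifest was converted to a
JSON stream (e.g. `yq eval -o=json manifest.yaml`) and that grype's JSON output
has a top-level "matches" list with "vulnerability.severity" per match.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Optional

# grype severity labels, lowest to highest (assumed set of values)
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Workload kinds whose pod template lives at .spec.template.spec
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def iter_json_documents(text: str) -> Iterator[Dict[str, Any]]:
    """Yield each top-level object from a concatenated JSON stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():  # skip inter-document whitespace
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def _pod_spec(doc: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the PodSpec for a known workload kind, else None."""
    kind = doc.get("kind")
    spec = doc.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    if kind in TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec")
    return None


def extract_images(manifest_json: str) -> List[str]:
    """Unique image references from all containers of all documents, in order seen."""
    images: List[str] = []
    for doc in iter_json_documents(manifest_json):
        pod_spec = _pod_spec(doc)
        if not pod_spec:
            continue
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for container in pod_spec.get(field, []):
                image = container.get("image")
                if image and image not in images:
                    images.append(image)
    return images


def safe_file_name(image: str) -> str:
    """Same idea as the gist's sed: replace '/', ':' and '@' (digests) with '_'."""
    return re.sub(r"[/:@]", "_", image)


def summarize_grype(report_json: str) -> Dict[str, int]:
    """Count grype matches per severity label."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for match in json.loads(report_json).get("matches", []):
        sev = match.get("vulnerability", {}).get("severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def exceeds_threshold(counts: Dict[str, int], threshold: str = "High") -> bool:
    """True if any finding is at or above `threshold` (what a CI gate would key on)."""
    start = SEVERITY_ORDER.index(threshold)
    return any(counts.get(sev, 0) > 0 for sev in SEVERITY_ORDER[start:])


# Constructed sample: the gist's Deployment plus a CronJob with an initContainer
MANIFEST_JSON = "\n".join(json.dumps(d) for d in [
    {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.14.2"},
        {"name": "syft", "image": "anchore/syft:latest"}]}}}},
    {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [{"name": "nginx", "image": "nginx:1.14.2"}]}}}}}},
])

# Constructed sample in grype's JSON shape; ids are placeholders, not real CVEs
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-PLACEHOLDER-1", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-PLACEHOLDER-2", "severity": "Medium"},
     "artifact": {"name": "libexample", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-PLACEHOLDER-3", "severity": "Medium"},
     "artifact": {"name": "othertool", "version": "2.3"}},
]})

if __name__ == "__main__":
    for img in extract_images(MANIFEST_JSON):
        print(f"{img} -> {safe_file_name(img)}.grype.json")
    counts = summarize_grype(GRYPE_REPORT)
    print(counts, "fail build:", exceeds_threshold(counts, "High"))
```

In a pipeline, `extract_images` replaces the jq one-liner (feed it `yq eval -o=json` output), and `exceeds_threshold` turns the per-image report into a pass/fail decision instead of leaving the JSON files unread.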