try using grype and trivy from Linuxbrew

Author: vszakats

.github/workflows/build_ci_multi.yml

@@ -50,5 +50,9 @@ jobs:
         name: 'build multi image'
       - run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test
         name: 'test image'
-      - run: make image_name=localhost/curl-multi:master scan
-        name: 'security scan image'
+      - name: 'install scan prereqs'
+        run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy
+      - name: 'security scan image'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          make image_name=localhost/curl-multi:master scan

.github/workflows/build_latest_release_multi.yml

@@ -64,8 +64,12 @@ jobs:
         name: 'build multi image'
       - run: buildah unshare make dist_name=localhost/curl-multi release_tag=$REL test
         name: 'test image'
-      - run: make image_name=localhost/curl-multi:${REL} scan
-        name: 'security scan image'
+      - name: 'install scan prereqs'
+        run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy
+      - name: 'security scan image'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          make image_name=localhost/curl-multi:${REL} scan
       - run: |
           buildah manifest push --format v2s2 --all curl-multi:$REL "docker://ghcr.io/curl/curl-container/curl-multi:${REL}"
           buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:${REL}"

.github/workflows/build_master.yml

@@ -58,8 +58,12 @@ jobs:
         name: 'build master images'
       - run: buildah unshare make dist_name=localhost/curl release_tag=master test
         name: 'test image'
-      - run: make image_name=localhost/curl:master scan
-        name: 'security scan image'
+      - name: 'install scan prereqs'
+        run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy
+      - name: 'security scan image'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          make image_name=localhost/curl:master scan
       - run: |
           buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master"
           buildah push curl-base:master "docker://ghcr.io/curl/curl-container/curl-base:master"

.github/workflows/build_master_dev.yml

@@ -57,8 +57,12 @@ jobs:
         name: 'install dev deps'
       - run: buildah unshare make branch_or_ref=master release_tag=master build_debian
         name: 'build debian dev image'
-      - run: make image_name=localhost/curl-dev-debian:master scan
-        name: 'security scan image'
+      - name: 'install scan prereqs'
+        run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy
+      - name: 'security scan image'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          make image_name=localhost/curl-dev-debian:master scan
       - run: |
           buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master"
         name: 'push images to github registry'
@@ -78,8 +82,10 @@ jobs:
           cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master
       - run: buildah unshare make branch_or_ref=master release_tag=master build_fedora
         name: 'build fedora dev image'
-      - run: make image_name=localhost/curl-dev-fedora:master scan
-        name: 'security scan image'
+      - name: 'security scan image'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          make image_name=localhost/curl-dev-fedora:master scan
       - run: |
           buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master"
         name: 'push images to github registry'

.github/workflows/build_master_multi.yml

@@ -58,8 +58,12 @@ jobs:
         name: 'build multi image'
       - run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test
         name: 'test image'
-      - run: make image_name=localhost/curl-multi:master scan
-        name: 'security scan image'
+      - name: 'install scan prereqs'
+        run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy
+      - name: 'security scan image'
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          make image_name=localhost/curl-multi:master scan
       - run: |
           buildah manifest push --all --format v2s2 localhost/curl-base-multi:master "docker://ghcr.io/curl/curl-container/curl-base-multi:master"
           buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master"

Makefile

@@ -83,16 +83,23 @@ feature-test:
 #
 #  > make image_name=localhost/curl:master scan
 #
+# Requires: grype trivy
+#
+# One way to install them:
+#   curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+#   curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo bash -s -- -b /usr/local/bin v0.32.0
+#
 scan:
 	podman save -o image.tar ${image_name}
 	# Run clamav on image.tar
 # 	freshclam
 	clamscan image.tar
 	# run grype on image.tar
-	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin && grype image.tar
+	grype --version
+	grype image.tar
 	# run trivy on image.tar
 	systemctl --user enable --now podman.socket | true
-	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo bash -s -- -b /usr/local/bin v0.32.0
+	trivy --version
 	trivy image --input image.tar
 	rm image.tar