Grype is an open-source tool designed to scan container images and filesystems for vulnerabilities. It analyzes container image layers and dependencies, helping you identify known vulnerabilities in installed software packages. By leveraging Grype, you can detect security risks before deploying container images to production environments.
Argus complements this capability by providing a free, open-source enterprise security platform that includes centralized logging, real-time monitoring, and incident response automation. By integrating Grype with Argus, you gain a comprehensive view of your container security posture and can take proactive measures to address vulnerabilities.
This guide walks you through the integration process, including container image scanning with Grype, custom script configuration, and monitoring vulnerability alerts via the Argus dashboard.
Infrastructure Setup
Prerequisites
- Argus: Pre-built Argus virtual appliance including the Argus server, indexer, and dashboard.
- Ubuntu Endpoint: With the Argus agent and Grype installed.
Ubuntu Endpoint Configuration
Install Docker Engine and Pull Container Images
- Update system packages and install cURL: apt update && apt install curl -y
- Install Docker Engine: curl -sSL https://get.docker.com/ | sh
- For RPM-based systems, start the Docker service: systemctl start docker
- Set up a project directory: mkdir /container_env && cd /container_env
- Create a Docker Compose file: touch docker-compose.yml
  Add the following content to docker-compose.yml:

services:
  nodejs:
    image: node:latest
    container_name: nodejs_container
    restart: always
    ports:
      - 3000:3000
    volumes:
      - ./app:/app
    working_dir: /app
    environment:
      - NODE_ENV=production
  mongo:
    image: mongo:latest
    container_name: mongo_container
    restart: always
  redis:
    image: redis:latest
    container_name: redis_container
    restart: always
- Pull the container images: docker compose pull
- Verify the container images: docker image ls
  Example output:

REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
redis        latest   1a83fd5edeed   6 days ago    117MB
node         latest   3d4b037e6712   13 days ago   1.11GB
mongo        latest   ff65a94ec485   4 weeks ago   795MB
Install Grype
- Install Grype: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
- Verify the Grype installation: grype --version
  Example output: grype 0.78.0
- Update the Grype vulnerability database: grype db update
Create a Custom Bash Script and Configure Argus Command Module
- Create a custom script directory and file: mkdir /var/ossec/custom-script/ && touch /var/ossec/custom-script/grype_scan.sh
- Add the following content to grype_scan.sh:

#!/bin/bash
# Render Grype matches as CSV rows through a Go template, then emit one
# "Grype:" line per finding for every image present on the Docker host.
TEMPLATE_DIR="/tmp"
TEMPLATE_FILE="$TEMPLATE_DIR/custom.tmpl"

cat <<'EOL' > "$TEMPLATE_FILE"
"Package","Version Installed","Vulnerability ID","Severity"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}"
{{- end }}
EOL

images=$(docker images --format "{{.Repository}}:{{.Tag}}")
for image in $images; do
    # Dangling layers have no scannable reference; skip them.
    [ "$image" = "<none>:<none>" ] && continue
    grype_output=$(grype "$image" -o template -t "$TEMPLATE_FILE")
    while IFS= read -r line; do
        # Prefix each row with the image so the decoder sees:
        # Grype:"image","package","version","vulnerability_id","severity"
        formatted_line="Grype:\"$image\",$line"
        echo "$formatted_line"
    done <<< "$grype_output"
done
rm -f "$TEMPLATE_FILE"

- Grant executable permissions: chmod +x /var/ossec/custom-script/grype_scan.sh
- Change ownership: chown root:wazuh /var/ossec/custom-script/ -R
- Edit the Argus agent configuration file. Add the following command wodle to /var/ossec/etc/ossec.conf so the script runs every five days and at agent start:

<ossec_config>
  <wodle name="command">
    <disabled>no</disabled>
    <command>/var/ossec/custom-script/grype_scan.sh</command>
    <interval>5d</interval>
    <ignore_output>no</ignore_output>
    <run_on_start>yes</run_on_start>
    <timeout>0</timeout>
  </wodle>
</ossec_config>

- Restart the Argus agent: systemctl restart wazuh-agent
Argus Server Configuration
Create Decoders and Rules
- Create a decoder file: touch /var/ossec/etc/decoders/grype_decoders.xml
  Add the following content:

<decoder name="grype-decoder">
  <prematch>^Grype:</prematch>
</decoder>

<decoder name="grype-decoder">
  <parent>grype-decoder</parent>
  <!-- one capture group per quoted field emitted by grype_scan.sh -->
  <regex>"(.+)","(.+)","(.+)","(.+)","(.+)"</regex>
  <order>image, package, version, vulnerability_id, severity</order>
</decoder>

- Create a rules file: touch /var/ossec/etc/rules/grype_rules.xml
  Add the following rules:

<group name="grype,">
  <!-- Rule levels were not preserved in this guide; 3/12/10 are assumed
       values, adjust them to your own alerting thresholds. -->
  <rule id="100101" level="3">
    <decoded_as>grype-decoder</decoded_as>
    <description>Grype alert detected.</description>
  </rule>

  <rule id="100102" level="12">
    <if_sid>100101</if_sid>
    <field name="severity">Critical</field>
    <description>Grype alert [Critical]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>

  <!-- Referenced by the High-severity dashboard query below; mirrors the Critical rule. -->
  <rule id="100103" level="10">
    <if_sid>100101</if_sid>
    <field name="severity">High</field>
    <description>Grype alert [High]: Vulnerability '$(vulnerability_id)' detected in package '$(package)' version '$(version)' on container image '$(image)'.</description>
  </rule>
</group>

- Restart the Argus manager: systemctl restart wazuh-manager
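The following is an added example, not part of this guide or of Argus, that simulates the decoder and rule logic above in plain Python so the field mapping can be checked before touching the manager: it takes a constructed sample of the template output for one image, prefixes it the way grype_scan.sh does, applies the page's five-field regex, and assigns the rule ids the guide uses (100101 base, 100102 Critical, 100103 High). Python's re module stands in for the manager's regex engine, and the CVE ids are placeholders.

```python
import re

# Decoder regex from this page's grype_decoders.xml: one group per quoted field.
DECODER_RE = re.compile(r'^Grype:"(.+)","(.+)","(.+)","(.+)","(.+)"$')
FIELDS = ("image", "package", "version", "vulnerability_id", "severity")

# Rule ids from the page: 100101 is the base rule, 100102/100103 the severity children.
BASE_RULE = 100101
SEVERITY_RULES = {"Critical": 100102, "High": 100103}

# Constructed sample of what custom.tmpl renders for one image (header row plus
# one row per match) before grype_scan.sh prefixes it; CVE ids are placeholders.
SAMPLE_TEMPLATE_OUTPUT = """\
"Package","Version Installed","Vulnerability ID","Severity"
"openssl","3.0.2-0ubuntu1","CVE-EXAMPLE-0001","Critical"
"zlib1g","1:1.2.11.dfsg-2ubuntu9","CVE-EXAMPLE-0002","High"
"bash","5.1-6ubuntu1","CVE-EXAMPLE-0003","Medium"
"""


def format_lines(image, template_output):
    """Mimic the while-read loop in grype_scan.sh: prefix each row with the image."""
    return [f'Grype:"{image}",{row}' for row in template_output.splitlines() if row]


def decode(line):
    """Apply the decoder regex; return the named fields, or None if it does not match."""
    match = DECODER_RE.match(line)
    return dict(zip(FIELDS, match.groups())) if match else None


def evaluate(lines):
    """Classify each decodable line the way the rules would: (rule_id, fields)."""
    results = []
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue  # no "Grype:" prematch, so the engine would ignore it
        # The template's header row also decodes (severity == "Severity") and only
        # ever reaches the base rule, so expect one base-level event per image.
        results.append((SEVERITY_RULES.get(fields["severity"], BASE_RULE), fields))
    return results


if __name__ == "__main__":
    for rule_id, fields in evaluate(format_lines("redis:latest", SAMPLE_TEMPLATE_OUTPUT)):
        print(rule_id, fields["vulnerability_id"], fields["severity"])
```

Run it against real output by replacing SAMPLE_TEMPLATE_OUTPUT with the text grype emits for one image; a row that fails to decode points at a field containing an unexpected quote or comma.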
Visualizing Vulnerability Alerts on Argus Dashboard
- Navigate to Search > Discover.
- Use the query rule.groups:grype to filter Grype alerts.
- Add relevant fields (e.g., agent.name, data.image, data.severity) as columns.
Filtering by Severity
- Critical Alerts: rule.groups:grype and rule.id:100102
- High Alerts: rule.groups:grype and rule.id:100103
Save the filtered queries for easy access.