add-grype (#29)

general/dev#56

Reviewed-on: #29
Co-authored-by: fedy95 <fedy95@protonmail.com>
Co-committed-by: fedy95 <fedy95@protonmail.com>

.drone.yml

@@ -29,7 +29,7 @@ steps:
     when:
       event: pull_request
 
-  - name: trivy security check
+  - name: trivy security scan
     image: aquasec/trivy
     volumes:
       - name: dockersock
@@ -45,6 +45,24 @@ steps:
     when:
       event: pull_request
 
+  - name: grype security scan
+    image: docker:dind
+    volumes:
+      - name: dockersock
+        path: /var/run/docker.sock
+    environment:
+      REGISTRY: registry.fedy95.com
+    commands:
+      - apk add --no-cache curl
+      - "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \
+        sh -s -- -b /usr/local/bin"
+      - "grype $REGISTRY/baseimage-yamllint:$DRONE_COMMIT_SHA \
+         --scope all-layers \
+         --fail-on=critical \
+         --verbose"
+    when:
+      event: pull_request
+
   - name: cleanup
     image: docker:dind
     volumes:
@@ -55,7 +73,6 @@ steps:
     when:
       event: pull_request
 
-
   - name: release
     image: docker:dind
     volumes:

README.md

@@ -6,4 +6,7 @@ Baseimage for CI tasks
 
 - [yamllint git](https://github.com/adrienverge/yamllint)
 - [alpine](https://pkgs.alpinelinux.org/packages?name=yamllint)
+
+### security scanners
 - [trivy](https://github.com/aquasecurity/trivy)
+- [grype](https://github.com/anchore/grype)