📦

監査履歴

container-grype - 6 監査

監査バージョン 6

最新 中リスク

Jun 28, 2026, 06:18 AM

Static analysis found many command, network, filesystem, environment, and script patterns, but most are documentation examples for legitimate vulnerability scanning workflows. The confirmed risks are operational: some CI templates install tools with curl piped to a shell and one Jenkins example mounts the Docker socket, so publication is acceptable only with clear warnings and review guidance.

10
スキャンされたファイル
3,459
解析済み行数
9
Review items
0
False positives ignored

Confirmed security concerns (1)

Docker Socket Mounted Into Jenkins Scan Container
The Jenkins example mounts /var/run/docker.sock into the Grype container. This is sometimes required for image scanning, but it gives the scan container broad control over the Docker daemon if the container or pipeline is compromised.
The Docker socket mount is explicitly present in the Jenkins CI example. It is a legitimate operational pattern, but it materially expands pipeline privileges.
Capability review items (3)

These are real local capabilities that may be expected for this skill, so they require review but are not counted as confirmed malicious behavior.

Remote Installer Piped to Shell in CI Templates
The CircleCI and Azure examples install Grype by downloading a script from GitHub and piping it directly to a shell. This is a real supply-chain risk if users copy the templates without pinning, checksum verification, or controlled package sources.
The pattern is present in executable CI snippets and would execute remote code during builds. Confidence is high, but the context is an example template for a security scanner rather than hidden malicious behavior.
Educational Security Examples Trigger Static Patterns
Several findings are false positives from educational examples that demonstrate vulnerable patterns, CVSS concepts, CISA KEV prioritization, or remediation guidance. These examples are not executed by the skill itself.
The surrounding files are clearly templates or reference documents, and the flagged lines are used to teach detection and remediation. They should be documented, but they do not show active malicious behavior.
Normal CI Token and Local Configuration Access
The GitHub token, environment variable, .grype.yaml, cache directory, and report file reads are expected for CI security reporting and Grype configuration. No evidence found that the skill exfiltrates secrets or reads unrelated user files.
The evidence appears in CI configuration and local Grype configuration examples. It remains low risk because users may copy the templates into privileged environments.

検出されたパターン

Pipe to Shell Installation PatternPrivileged Docker Daemon AccessShell Command Examples Require Input Control
監査者: codex

監査バージョン 5

安全

Jan 16, 2026, 03:18 PM

Documentation-only skill containing markdown files and YAML configuration templates for the open-source Grype vulnerability scanner. All 332 static findings are false positives - the scanner flagged shell command examples (177), URL references (45), and environment variable patterns (27) in documentation as security issues. No executable code exists. This skill provides documentation and workflows for container vulnerability scanning but performs no actual scanning, network access, or file system operations beyond reading its own documentation files.

11
スキャンされたファイル
3,702
解析済み行数
4
Review items
0
False positives ignored
監査者: claude

監査バージョン 4

安全

Jan 16, 2026, 03:18 PM

Documentation-only skill containing markdown files and YAML configuration templates for the open-source Grype vulnerability scanner. All 332 static findings are false positives - the scanner flagged shell command examples (177), URL references (45), and environment variable patterns (27) in documentation as security issues. No executable code exists. This skill provides documentation and workflows for container vulnerability scanning but performs no actual scanning, network access, or file system operations beyond reading its own documentation files.

11
スキャンされたファイル
3,702
解析済み行数
4
Review items
0
False positives ignored
監査者: claude

監査バージョン 3

安全

Jan 10, 2026, 10:19 AM

Documentation-only skill with no executable code. Contains only markdown documentation and YAML configuration templates for the open-source Grype vulnerability scanner. No scripts, network calls, or file system access beyond its own documentation files.

10
スキャンされたファイル
3,159
解析済み行数
0
Review items
0
False positives ignored
セキュリティ問題は見つかりませんでした
監査者: claude

監査バージョン 2

安全

Jan 10, 2026, 10:19 AM

Documentation-only skill with no executable code. Contains only markdown documentation and YAML configuration templates for the open-source Grype vulnerability scanner. No scripts, network calls, or file system access beyond its own documentation files.

10
スキャンされたファイル
3,159
解析済み行数
0
Review items
0
False positives ignored
セキュリティ問題は見つかりませんでした
監査者: claude

監査バージョン 1

安全

Jan 10, 2026, 10:19 AM

Documentation-only skill with no executable code. Contains only markdown documentation and YAML configuration templates for the open-source Grype vulnerability scanner. No scripts, network calls, or file system access beyond its own documentation files.

10
スキャンされたファイル
3,159
解析済み行数
0
Review items
0
False positives ignored
セキュリティ問題は見つかりませんでした
監査者: claude