automated commit

Signed-off-by: Public copy <41898282+github-actions[bot]@users.noreply.github.com>

images/apko/examples/wolfi-base.yaml

@@ -6,4 +6,4 @@ cmd: /bin/sh -l
 
 # optional environment configuration
 environment:
-  PATH: /usr/sbin:/sbin:/usr/bin:/bin
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

images/grype/README.md

@@ -32,17 +32,22 @@ Be sure to replace the `ORGANIZATION` placeholder with the name used for your or
 <!--getting:end-->
 
 <!--body:start-->
-- [Documentation](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype)
-- [Provenance Information](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype/provenance_info/)
-<!-- TODO: add Getting Started Guide - [Getting Started Guide](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype/getting-started-grype/) -->
-
 ## Image Variants
 
 Our `latest` tag uses the most recent build of the [Wolfi grype](https://github.com/wolfi-dev/os/blob/main/grype.yaml) package. The following tagged variant is available without authentication:
 
 - `latest`: This is an image for running `grype` commands. It does not include a shell or other applications.
 
-### grype help
+### Compatibility Notes
+
+Chainguard's `grype` image is comparable to the [official grype Image.](hub.docker.com/r/anchore/grype) but with the following changes:
+* We use a different entrypoint `/usr/bin/grype` as compared to the upstream's endpoint `/grype`.
+* We use a different `CMD` which is `help` whereas the upstream leaves it unset.
+* We don't define any WorkingDir whereas the upstream sets it to `/tmp`.
+
+### Getting Started
+
+#### grype help
 This will automatically pull the image to your local system and execute the command `grype help`:
 
 ```shell
@@ -73,6 +78,12 @@ You can also pipe in Syft JSON directly:
 Usage:
   grype [command]
 ```
+
+### Documentation and Resources
+
+* [Grype's Official Getting Started](https://github.com/anchore/grype?tab=readme-ov-file#getting-started)
+* [Documentation](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype)
+* [Provenance Information](https://edu.chainguard.dev/chainguard/chainguard-images/reference/grype/provenance_info/)
 <!--body:end-->
 
 ## Contact Support

images/grype/tests/smoke.sh

@@ -11,15 +11,29 @@ docker run --rm "${image}" help
 docker run --rm "${image}" version
 
 # Test db status and update
-docker run --rm "${image}" db update
+docker run --rm "${image}" db update | grep -E "(updated|update)"
 
-# Test scanning various images
-# Use a known minimal image
-docker run --rm "${image}" cgr.dev/chainguard/static:latest
+# Test scanning a known minimal image
+docker run --rm "${image}" cgr.dev/chainguard/static:latest | grep -E "(No vulnerabilities found|VULNERABILITY)"
 
 # Test scanning with different output formats
-docker run --rm "${image}" cgr.dev/chainguard/static:latest -o table
-docker run --rm "${image}" cgr.dev/chainguard/static:latest -o json
+docker run --rm "${image}" cgr.dev/chainguard/static:latest -o table | grep -E "(No vulnerabilities found|VULNERABILITY)"
+docker run --rm "${image}" cgr.dev/chainguard/static:latest -o json | jq .
 
-# Test scanning with specific severity threshold
-docker run --rm "${image}" cgr.dev/chainguard/static:latest --fail-on high
+# Test image with vulnerabilities
+docker run --rm "${image}" golang | grep -E "(No vulnerabilities found|VULNERABILITY)"
+
+# Test scanning with all layers (include every image layer)
+docker run --rm "${image}" cgr.dev/chainguard/static:latest --scope all-layers | grep -E "(No vulnerabilities found|VULNERABILITY)"
+
+# Test scanning a container image archive
+docker pull cgr.dev/chainguard/static:latest
+docker save cgr.dev/chainguard/static:latest -o testimage.tar
+docker run --rm -v testimage.tar:/testimage.tar "${image}" /testimage.tar | grep -E "(No vulnerabilities found|VULNERABILITY)"
+
+# Test scanning with only fixed or not-fixed vulnerabilities
+docker run --rm "${image}" cgr.dev/chainguard/static:latest --only-fixed | grep -E "(No vulnerabilities found|VULNERABILITY)"
+docker run --rm "${image}" cgr.dev/chainguard/static:latest --only-notfixed | grep -E "(No vulnerabilities found|VULNERABILITY)"
+
+# Test scanning while excluding specific paths
+docker run --rm "${image}" cgr.dev/chainguard/static:latest --exclude '/etc/**' | grep -E "(No vulnerabilities found|VULNERABILITY)"

images/laravel/config/main.tf

@@ -42,9 +42,6 @@ output "config" {
         }
       ]
     },
-    "environment" : {
-      "PATH" : "/usr/sbin:/sbin:/usr/bin:/bin"
-    },
     "paths" : [
       {
         "path" : "/app",

images/node/config/main.tf

@@ -33,7 +33,6 @@ output "config" {
     "accounts" : module.accts.block,
     "environment" : {
       "NPM_CONFIG_UPDATE_NOTIFIER" : "false",
-      "PATH" : "/usr/sbin:/sbin:/usr/bin:/bin"
     },
     "paths" : [
       {

images/php/config/fpm/main.tf

@@ -33,9 +33,6 @@ output "config" {
     },
     "work-dir" : "/app",
     "accounts" : module.accts.block,
-    "environment" : {
-      "PATH" : "/usr/sbin:/sbin:/usr/bin:/bin"
-    },
     "paths" : [
       {
         "path" : "/app",

images/php/config/main.tf

@@ -30,9 +30,6 @@ output "config" {
     },
     "work-dir" : "/app",
     "accounts" : module.accts.block,
-    "environment" : {
-      "PATH" : "/usr/sbin:/sbin:/usr/bin:/bin"
-    },
     "paths" : [
       {
         "path" : "/app",

images/wordpress/config/main.tf

@@ -65,9 +65,6 @@ output "config" {
     entrypoint = { command = "php-fpm" }
     work-dir   = "/var/www/html"
     paths      = var.wp-paths
-    environment = {
-      PATH = "/usr/sbin:/sbin:/usr/bin:/bin"
-    }
   })
 }
 
@@ -93,9 +90,6 @@ output "config-dev" {
       permissions = 493,
       }
     ])
-    environment = {
-      PATH = "/usr/sbin:/sbin:/usr/bin:/bin"
-    }
   })
 }