Users are going to want to use grype in their CI/CD pipelines. Typically, this will occur right after they've built a container image.
Pipelines rely on the exit status of processes to know whether the pipeline has "failed" or should continue with subsequent steps. If a process (like a linter, a compiler, a test runner, etc.) exits 1 (or some non-zero number), that communicates that this particular CI job has failed.
With grype, users should be able to ask that the process exit non-zero when vulnerabilities are found, so that their pipelines fail — intentionally.
Example:
$ grype --enforce my-image
... a list of vulnerabilities ...
$ echo $?
1
The exact name of the switch itself is up for discussion, but should be both concise and easily understood by others.
It's important that this behavior be opt-in. By default, grype should exit non-zero only when a runtime error has occurred. There are plenty of scenarios in which a user would expect grype to exit 0 even when vulnerabilities are present (for example, when the output of grype is being piped to a downstream process).
This feels like it should have a knob to adjust the fail threshold, e.g. --failon=critical would exit with 0 unless critical items are detected, --failon=high would fail for high or critical. Alternatively, it could be a base score threshold.
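A sketch of the threshold knob proposed in the comment above, as an added example that is not grype's own code: it reads a constructed report shaped like `grype -o json` output (assumed layout `matches[].vulnerability.severity`, assumed severity labels) and maps a `--failon`-style severity to an exit status, keeping exit 0 as the default and a separate code for runtime errors so CI can tell a broken scan from a failed gate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Severity ordering for the gate; the label set is an assumption modelled on
// grype's usual severities, not something stated in the issue.
var severityRank = map[string]int{"negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

// report reads only what the policy needs from a grype JSON document
// (assumed layout: matches[].vulnerability.severity).
type report struct {
	Matches []struct {
		Vulnerability struct {
			Severity string `json:"severity"`
		} `json:"vulnerability"`
	} `json:"matches"`
}

// SampleReport is a constructed stand-in for `grype -o json` output.
const SampleReport = `{"matches":[
  {"vulnerability":{"id":"VULN-EXAMPLE-1","severity":"Low"}},
  {"vulnerability":{"id":"VULN-EXAMPLE-2","severity":"High"}},
  {"vulnerability":{"id":"VULN-EXAMPLE-3","severity":"Unknown"}}]}`
// ExitCodeFor applies the opt-in policy from the issue: an empty threshold is
// the default (exit 0 whatever was found); otherwise exit 1 when any match is
// at or above the threshold. Exit 2 is reserved for runtime errors.
func ExitCodeFor(raw []byte, threshold string) (int, error) {
	var r report
	if err := json.Unmarshal(raw, &r); err != nil {
		return 2, fmt.Errorf("parse grype report: %w", err)
	}
	if threshold == "" {
		return 0, nil
	}
	floor, ok := severityRank[strings.ToLower(threshold)]
	if !ok {
		return 2, fmt.Errorf("unknown severity threshold %q", threshold)
	}
	for _, m := range r.Matches {
		// Labels outside the table (e.g. "Unknown") rank 0 and never trip the gate.
		if severityRank[strings.ToLower(m.Vulnerability.Severity)] >= floor {
			return 1, nil
		}
	}
	return 0, nil
}
```

Wired into a pipeline step, the returned code would be passed to `os.Exit`, which is what makes the job fail only when the gate says so.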