Skip to content

add grype scan action. enable for 1 scan job in alpha build for testing #5267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Apr 10, 2025
Merged

add grype scan action. enable for 1 scan job in alpha build for testing #5267

merged 18 commits into from
Apr 10, 2025

Conversation

St0rmz1
Copy link
Contributor

@St0rmz1 St0rmz1 commented Apr 9, 2025
edited
Loading

What this PR does / why we need it:

Updates to how we run security scans on images

  • New reusable action scan-image
  • All scans use grype instead of Trivy
  • Added a default .grype config
  • The alpha.yaml workflow uses the new scan-image action, with feature parity we previously had
  • Sarif files will always be generated, regardless of types or numbers of vulns found
  • All Sarif gets enriched via the properties section, which is intended to be used a customizable field per the Sarif spec
  • image ref, name, tags are now uniform
  • daily-image-scans.yml is used to run daily scans on the existing images we have published on dockerhub (only the most recent 'versioned' release. Meaning we don't scan the nightly or alpha releases with this job.

Which issue(s) this PR fixes:

NONE

Does this PR require a test?

NONE

Does this PR require a release note?

NONE

Does this PR require documentation?

NONE

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

St0rmz1 added 14 commits April 9, 2025 11:22
@St0rmz1
remove the if false we had put in for initial testing
f5f1fdc
@St0rmz1
move the remaining scan jobs to use the new action
52be841
@St0rmz1
modifications to the jq enrichment to maintain naming format consiste…
1c0febc 
…ncy across repos
@St0rmz1
put the test workflow dispatch back in place
08d86dd
@St0rmz1
make this use the action instead of the old reusable workflow
1c0a2e6
@St0rmz1
handle case if we can't access the image. ex when we have cut a relea…
88a59e9 
…se, but its not on dockerhub yet
@St0rmz1
handle if file not found aka couldn't generate a scan result
63b4691
@St0rmz1
Merge remote-tracking branch 'origin/main' into St0rmz1/chore/move-sc…
548dfb4 
…an-action
@St0rmz1
ci: trigger build
e491b83
@St0rmz1
remove old scan job
ef0df28
@St0rmz1
add additional images to scan
8627616
@St0rmz1
remove dispatch. returning to orig setting
c3d44df
@St0rmz1
use dotenv to get the right image tags
ce63ae5
@St0rmz1
name change
3a465cd
@St0rmz1 St0rmz1 marked this pull request as ready for review April 10, 2025 01:41
@St0rmz1 St0rmz1 requested a review from sgalsaleh April 10, 2025 14:44
@St0rmz1 St0rmz1 merged commit f36d6df into main Apr 10, 2025
95 checks passed
@St0rmz1 St0rmz1 deleted the St0rmz1/chore/move-scan-action branch April 10, 2025 14:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sgalsaleh sgalsaleh sgalsaleh approved these changes

Assignees
No one assigned
Labels
type::chore
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@St0rmz1 @sgalsaleh