feat: register RapidFort as a vulnerability provider #947

Open
vaibhav-rf wants to merge 1 commit into anchore:main from vaibhav-rf:feat/add-rapidfort-advisories
@vaibhav-rf

Summary

Registers the rapidfort provider in grype-db so that RapidFort security
advisories are included in every database build and validated by the
quality gate.

The provider implementation lives in the vunnel repo. This PR is the
grype-db-side registration only — two lines across two config files.

Changes

config/grype-db/publish-nightly-r2.yaml

Added rapidfort to the provider list so it is pulled and ingested on every
nightly build run alongside all other OS advisory providers.

- name: rapidfort

config/grype-db-manager/include.d/validate.yaml

Added rapidfort to expected-providers so the quality gate fails if the
provider is missing from a built database.

- rapidfort

What the provider produces

  • Namespaces: rapidfort-ubuntu:<version>, rapidfort-alpine:<version>
    (Red Hat support exists in the parser but advisory data is Ubuntu + Alpine
    for this release)
  • Source: shallow clone of https://github.com/rapidfort/security-advisories
  • Volume: ~1,760 advisory files (~1,427 Ubuntu, ~329 Alpine) as of first run
  • Namespace isolation: provider-prefixed namespaces keep RapidFort advisories
    separate from standard upstream distro scans in Grype

Dependencies

  • Requires the rapidfort vunnel provider to be available in the vunnel Docker
    image used by the nightly pipeline

Test plan

  • Nightly build includes rapidfort in provider output without errors
  • grype-db-manager validate passes with rapidfort present in built DB
  • Quality gate F1 regression stays within 15% threshold
  • Scanning a RapidFort-curated Ubuntu or Alpine image resolves
    rapidfort-ubuntu:* / rapidfort-alpine:* namespaces correctly

Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>

@vaibhav-rf force-pushed the feat/add-rapidfort-advisories branch from 56a2a89 to 8836ca3 on March 31, 2026 04:44
@vaibhav-rf marked this pull request as ready for review on March 31, 2026 05:59