feat: CHEF-33010 - Added grype scan config (#41)

Nik08 · Copilot · web-flow · commit 7ee700c6e866 · 2026-04-01T01:55:53.000+05:30
* feat(CHEF-33010): Added grype scan config

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
Signed-off-by: Nik08 &lt;nikita.mathur@progress.com&gt;

* CHEF-33010 Fix SBOM pipeline: add run-bundle-install to generate Gemfile.lock at runtime

Signed-off-by: Nikita Mathur &lt;nikita.mathur@progress.com&gt;

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;

---------

Signed-off-by: Nik08 &lt;nikita.mathur@progress.com&gt;
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml
@@ -107,6 +107,11 @@ jobs:
       perform-trufflehog-scan: true
       fail-trufflehog-on-secrets-found: true
       perform-trivy-scan: true
+
+      # grype vulnerability scanning
+      perform-grype-scan: true
+      grype-fail-on-high: true
+      grype-fail-on-critical: true
              
       # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
       build: true
@@ -170,12 +175,12 @@ jobs:
       license_scout: false      # Run license scout for license compliance (uses .license_scout.yml)
 
       # perform Blackduck software composition analysis (SCA) for 3rd party CVEs, licensing, and operational risk
-      perform-blackduck-sca-scan: true
-      run-bundle-install: true # combined with generate sbom & generate github-sbom, also needs version above
+      perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
+      run-bundle-install: true # generate Gemfile.lock at runtime for SBOM pipeline
       blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
       blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
       blackduck-force-low-accuracy-mode: true # if true, forces BlackDuck Detect to run in low accuracy mode which can reduce scan time for large projects at the cost of potentially missing some vulnerabilities; see https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/1138617921/Black+Duck+Detect+Accuracy+Levels for details
       
       # udf1: 'default' # user defined flag 1
       # udf2: 'default' # user defined flag 2 
-      # udf3: 'default' # user defined flag 3  
+      # udf3: 'default' # user defined flag 3
