|
15 | 15 | required: false |
16 | 16 | type: string |
17 | 17 | default: '' |
| 18 | + binary-path: |
| 19 | + description: | |
| 20 | + Path to a pre-built binary (or directory of binaries) to scan with Grype. |
| 21 | + When set, Grype scans the binary instead of the source directory, ensuring |
| 22 | + only dependencies actually shipped to customers are reported (test-only |
| 23 | + dependencies are excluded because they are not linked into the binary). |
| 24 | + The calling workflow is responsible for building the binary before invoking |
| 25 | + this workflow. |
| 26 | + When not set, Grype falls back to scanning the source directory (dir:.), |
| 27 | + which includes all go.mod dependencies regardless of whether they are |
| 28 | + test-only. |
| 29 | + required: false |
| 30 | + type: string |
| 31 | + default: '' |
| 32 | + |
| 33 | +permissions: |
| 34 | + contents: read |
| 35 | + security-events: write |
18 | 36 |
|
19 | 37 | jobs: |
20 | 38 | trivy: |
|
59 | 77 | if: ${{ github.event.schedule }} # Upload sarif when running periodically |
60 | 78 | with: |
61 | 79 | sarif_file: 'trivy-results.sarif' |
| 80 | + category: trivy |
| 81 | + |
| 82 | + grype: |
| 83 | + name: Grype security scan |
| 84 | + runs-on: ubuntu-latest |
| 85 | + steps: |
| 86 | + - name: Checkout code |
| 87 | + uses: actions/checkout@v4 |
| 88 | + |
| 89 | + - name: Generate Grype exclusion config |
| 90 | + if: ${{ inputs.skip-dirs != '' || inputs.skip-files != '' }} |
| 91 | + env: |
| 92 | + SKIP_DIRS: ${{ inputs.skip-dirs }} |
| 93 | + SKIP_FILES: ${{ inputs.skip-files }} |
| 94 | + run: | |
| 95 | + { |
| 96 | + echo "exclude:" |
| 97 | + IFS=',' read -ra DIRS <<< "$SKIP_DIRS" |
| 98 | + for dir in "${DIRS[@]}"; do |
| 99 | + dir="${dir// /}" |
| 100 | + [ -n "$dir" ] && echo " - '**/$dir/**'" |
| 101 | + done |
| 102 | + IFS=',' read -ra FILES <<< "$SKIP_FILES" |
| 103 | + for file in "${FILES[@]}"; do |
| 104 | + file="${file// /}" |
| 105 | + [ -n "$file" ] && echo " - '**/$file'" |
| 106 | + done |
| 107 | + } > .grype.yaml |
| 108 | +
|
| 109 | + - name: Run Grype vulnerability scanner in repo mode |
| 110 | + uses: anchore/scan-action@v7 |
| 111 | + if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically |
| 112 | + id: grype-inline |
| 113 | + with: |
| 114 | + path: "${{ inputs.binary-path || '.' }}" |
| 115 | + grype-config: ${{ (inputs.skip-dirs != '' || inputs.skip-files != '') && '.grype.yaml' || '' }} |
| 116 | + fail-build: true |
| 117 | + severity-cutoff: high |
| 118 | + only-fixed: true |
| 119 | + cache-db: true |
| 120 | + output-format: table |
| 121 | + |
| 122 | + |
| 123 | + - name: Run Grype vulnerability scanner sarif output |
| 124 | + uses: anchore/scan-action@v7 |
| 125 | + if: ${{ github.event.schedule }} # Generate sarif when running periodically |
| 126 | + id: grype-sarif |
| 127 | + with: |
| 128 | + path: "${{ inputs.binary-path || '.' }}" |
| 129 | + grype-config: ${{ (inputs.skip-dirs != '' || inputs.skip-files != '') && '.grype.yaml' || '' }} |
| 130 | + output-format: sarif |
| 131 | + output-file: grype-results.sarif |
| 132 | + only-fixed: true |
| 133 | + cache-db: true |
| 134 | + |
| 135 | + - name: Upload Grype scan results to GitHub Security tab |
| 136 | + uses: github/codeql-action/upload-sarif@v3 |
| 137 | + if: ${{ github.event.schedule }} # Upload sarif when running periodically |
| 138 | + with: |
| 139 | + sarif_file: 'grype-results.sarif' |
| 140 | + category: grype |
0 commit comments