Skip to content

Commit 3eb62e9

Browse files
authored
fix(grype): Adds grype to the security scan (#176)
* fix(grype): Adds grype to the security scan * fix: Skip the tools gomod
1 parent ee2c485 commit 3eb62e9

2 files changed

Lines changed: 80 additions & 1 deletion

File tree

.github/workflows/_test_build_fake_prerelease.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,7 @@ jobs:
5555
- shell: bash
5656
run: git tag "$TAG"
5757
- name: Download artifact from previous job
58-
uses: actions/download-artifact@v4
58+
uses: actions/download-artifact@v4.1.3
5959
with:
6060
name: windows-packages
6161
- name: Extract .exe

.github/workflows/reusable_security.yaml

Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,24 @@ on:
1515
required: false
1616
type: string
1717
default: ''
18+
binary-path:
19+
description: |
20+
Path to a pre-built binary (or directory of binaries) to scan with Grype.
21+
When set, Grype scans the binary instead of the source directory, ensuring
22+
only dependencies actually shipped to customers are reported (test-only
23+
dependencies are excluded because they are not linked into the binary).
24+
The calling workflow is responsible for building the binary before invoking
25+
this workflow.
26+
When not set, Grype falls back to scanning the source directory (dir:.),
27+
which includes all go.mod dependencies regardless of whether they are
28+
test-only.
29+
required: false
30+
type: string
31+
default: ''
32+
33+
permissions:
34+
contents: read
35+
security-events: write
1836

1937
jobs:
2038
trivy:
@@ -59,3 +77,64 @@ jobs:
5977
if: ${{ github.event.schedule }} # Upload sarif when running periodically
6078
with:
6179
sarif_file: 'trivy-results.sarif'
80+
category: trivy
81+
82+
grype:
83+
name: Grype security scan
84+
runs-on: ubuntu-latest
85+
steps:
86+
- name: Checkout code
87+
uses: actions/checkout@v4
88+
89+
- name: Generate Grype exclusion config
90+
if: ${{ inputs.skip-dirs != '' || inputs.skip-files != '' }}
91+
env:
92+
SKIP_DIRS: ${{ inputs.skip-dirs }}
93+
SKIP_FILES: ${{ inputs.skip-files }}
94+
run: |
95+
{
96+
echo "exclude:"
97+
IFS=',' read -ra DIRS <<< "$SKIP_DIRS"
98+
for dir in "${DIRS[@]}"; do
99+
dir="${dir// /}"
100+
[ -n "$dir" ] && echo " - '**/$dir/**'"
101+
done
102+
IFS=',' read -ra FILES <<< "$SKIP_FILES"
103+
for file in "${FILES[@]}"; do
104+
file="${file// /}"
105+
[ -n "$file" ] && echo " - '**/$file'"
106+
done
107+
} > .grype.yaml
108+
109+
- name: Run Grype vulnerability scanner in repo mode
110+
uses: anchore/scan-action@v7
111+
if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically
112+
id: grype-inline
113+
with:
114+
path: "${{ inputs.binary-path || '.' }}"
115+
grype-config: ${{ (inputs.skip-dirs != '' || inputs.skip-files != '') && '.grype.yaml' || '' }}
116+
fail-build: true
117+
severity-cutoff: high
118+
only-fixed: true
119+
cache-db: true
120+
output-format: table
121+
122+
123+
- name: Run Grype vulnerability scanner sarif output
124+
uses: anchore/scan-action@v7
125+
if: ${{ github.event.schedule }} # Generate sarif when running periodically
126+
id: grype-sarif
127+
with:
128+
path: "${{ inputs.binary-path || '.' }}"
129+
grype-config: ${{ (inputs.skip-dirs != '' || inputs.skip-files != '') && '.grype.yaml' || '' }}
130+
output-format: sarif
131+
output-file: grype-results.sarif
132+
only-fixed: true
133+
cache-db: true
134+
135+
- name: Upload Grype scan results to GitHub Security tab
136+
uses: github/codeql-action/upload-sarif@v3
137+
if: ${{ github.event.schedule }} # Upload sarif when running periodically
138+
with:
139+
sarif_file: 'grype-results.sarif'
140+
category: grype

0 commit comments

Comments
 (0)