Migrate from Trivy to Grype for scanning (#321)

* migration to grype
* adjustments to the jq for enrichment to ensure naming conventions are maintained
* init move from trivy fs scan to grype directory scan
* bug fix in upload
* add archive sarif step
* for filesystem scan, use the new action/scan-filesystem

Author: St0rmz1

.github/actions/scan-filesystem/action.yml

@@ -0,0 +1,133 @@
+name: Scan Filesystem with Grype SARIF
+description: 'Scan filesystem for vulnerabilities and optionally upload the results for GitHub code scanning'
+inputs:
+  path:
+    description: 'The filesystem path to scan'
+    required: true
+    default: '.'
+  upload-sarif:
+    description: 'Whether to upload the scan results as a SARIF file'
+    required: false
+    default: 'true'
+  severity-cutoff:
+    description: 'Minimum severity to report (critical, high, medium, low, negligible)'
+    required: false
+    default: 'medium'
+  fail-build:
+    description: 'Fail the workflow if vulnerabilities are found'
+    required: false
+    default: 'true'
+  output-file:
+    description: 'Output file name for SARIF results'
+    required: false
+    default: 'results.sarif'
+  timeout-minutes:
+    description: 'Maximum time in minutes to wait for the scan to complete'
+    required: false
+    default: '30'
+  retention-days:
+    description: 'Number of days to retain the scan results artifact'
+    required: false
+    default: '90'
+  category-prefix:
+    description: 'Prefix to use for the SARIF category name'
+    required: false
+    default: 'filesystem-scan-'
+  only-fixed:
+    description: 'Only report vulnerabilities that have a fix available'
+    required: false
+    default: 'true'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Scan filesystem with Grype
+      uses: anchore/scan-action@v6
+      id: scan
+      continue-on-error: ${{ inputs.fail-build != 'true' }}
+      with:
+        path: "${{ inputs.path }}"
+        fail-build: "${{ inputs.fail-build }}"
+        severity-cutoff: "${{ inputs.severity-cutoff }}"
+        output-format: sarif
+        output-file: "${{ inputs.output-file }}"
+        by-cve: true
+        only-fixed: "${{ inputs.only-fixed }}"
+
+    - name: Check scan status
+      if: steps.scan.outcome == 'failure' && inputs.fail-build == 'true'
+      shell: bash
+      run: |
+        echo "::error::Scan failed for path ${{ inputs.path }}"
+        echo "Please check the scan logs above for details"
+        exit 1
+
+    - name: Enrich or generate SARIF
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      shell: bash
+      run: |
+        if [ ! -f ${{ inputs.output-file }} ]; then
+          echo "No SARIF file found — creating minimal empty SARIF"
+          echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"Anchore Grype","informationUri":"https://github.com/anchore/grype","rules":[]}},"results":[],"properties":{"isFallbackSarif":true}}]}' > ${{ inputs.output-file }}
+        fi
+
+        # Validate SARIF file before enrichment
+        if ! jq empty ${{ inputs.output-file }}; then
+          echo "::error::Invalid SARIF file detected"
+          exit 1
+        fi
+
+        # Create a backup of the original file
+        cp ${{ inputs.output-file }} ${{ inputs.output-file }}.bak
+
+        # Attempt to enrich the SARIF file
+        if ! jq --arg path "${{ inputs.path }}" \
+           --arg repo "replicatedhq/ekco" \
+           --arg scanTime "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
+           '
+           .runs[0].properties = {
+              "scanPath": $path,
+              "repository": $repo,
+              "scanTime": $scanTime,
+              "DisplayName": ["filesystem:", $path] | join(""),
+              "UniqueID": ["filesystem:", $path] | join(""),
+              "scanMetadata": {
+                "path": $path,
+                "annotations": {
+                  "scanTime": $scanTime,
+                  "tool": "grype",
+                  "toolVersion": "latest"
+                }
+              }
+            }' ${{ inputs.output-file }} > enriched-results.sarif; then
+          echo "::error::Failed to enrich SARIF file"
+          # Restore the backup
+          mv ${{ inputs.output-file }}.bak ${{ inputs.output-file }}
+          exit 1
+        fi
+
+        # Validate the enriched file
+        if ! jq empty enriched-results.sarif; then
+          echo "::error::Invalid enriched SARIF file"
+          # Restore the backup
+          mv ${{ inputs.output-file }}.bak ${{ inputs.output-file }}
+          exit 1
+        fi
+
+        mv enriched-results.sarif ${{ inputs.output-file }}
+        rm -f ${{ inputs.output-file }}.bak
+
+    - name: Upload SARIF file
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ inputs.output-file }}
+        category: '${{ inputs.category-prefix }}filesystem'
+
+    - name: Archive scan results
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: "sarif-filesystem"
+        path: ${{ inputs.output-file }}
+        retention-days: ${{ inputs.retention-days }}

.github/actions/scan-image/action.yml

@@ -0,0 +1,173 @@
+name: Scan Container Image Grype SARIF
+description: 'Scan a container image for vulnerabilities and optionally upload the results for GitHub code scanning'
+inputs:
+  image-ref:
+    description: 'The image to scan'
+    required: true
+  upload-sarif:
+    description: 'Whether to upload the scan results as a SARIF file'
+    required: false
+    default: 'true'
+  severity-cutoff:
+    description: 'Minimum severity to report (critical, high, medium, low, negligible)'
+    required: false
+    default: 'medium'
+  fail-build:
+    description: 'Fail the workflow if vulnerabilities are found'
+    required: false
+    default: 'true'
+  output-file:
+    description: 'Output file name for SARIF results'
+    required: false
+    default: 'results.sarif'
+  timeout-minutes:
+    description: 'Maximum time in minutes to wait for the scan to complete'
+    required: false
+    default: '30'
+  retention-days:
+    description: 'Number of days to retain the scan results artifact'
+    required: false
+    default: '90'
+  category-prefix:
+    description: 'Prefix to use for the SARIF category name'
+    required: false
+    default: 'image-scan-'
+  only-fixed:
+    description: 'Only report vulnerabilities that have a fix available'
+    required: false
+    default: 'true'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Extract image details
+      id: image_details
+      shell: bash
+      run: |
+        IMAGE_NAME=$(echo "${{ inputs.image-ref }}" | cut -d':' -f1)
+        IMAGE_TAG=$(echo "${{ inputs.image-ref }}" | cut -d':' -f2)
+        [[ "$IMAGE_TAG" == "$IMAGE_NAME" ]] && IMAGE_TAG="latest"
+        SAFE_NAME=$(echo "${IMAGE_NAME}-${IMAGE_TAG}" | sed 's/[\/:]/-/g')
+        {
+          echo "image_name=${IMAGE_NAME}"
+          echo "image_tag=${IMAGE_TAG}"
+          echo "safe_name=${SAFE_NAME}"
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Scan image with Grype
+      uses: anchore/scan-action@v6
+      id: scan
+      continue-on-error: ${{ inputs.fail-build != 'true' }}
+      with:
+        image: "${{ inputs.image-ref }}"
+        fail-build: "${{ inputs.fail-build }}"
+        severity-cutoff: "${{ inputs.severity-cutoff }}"
+        output-format: sarif
+        output-file: "${{ inputs.output-file }}"
+        by-cve: true
+        only-fixed: "${{ inputs.only-fixed }}"
+
+    - name: Check scan status
+      if: steps.scan.outcome == 'failure' && inputs.fail-build == 'true'
+      shell: bash
+      run: |
+        echo "::error::Scan failed for image ${{ inputs.image-ref }}"
+        echo "Please check the scan logs above for details"
+        exit 1
+
+    - name: Enrich or generate SARIF
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      shell: bash
+      run: |
+        if [ ! -f ${{ inputs.output-file }} ]; then
+          echo "No SARIF file found — creating minimal empty SARIF"
+          echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"Anchore Grype","informationUri":"https://github.com/anchore/grype","rules":[]}},"results":[],"properties":{"isFallbackSarif":true}}]}' > ${{ inputs.output-file }}
+        fi
+
+        # Validate SARIF file before enrichment
+        if ! jq empty ${{ inputs.output-file }}; then
+          echo "::error::Invalid SARIF file detected"
+          exit 1
+        fi
+
+        # Create a backup of the original file
+        cp ${{ inputs.output-file }} ${{ inputs.output-file }}.bak
+
+        # Attempt to enrich the SARIF file
+        if ! jq --arg imageRef "${{ inputs.image-ref }}" \
+           --arg repo "replicatedhq/ekco" \
+           --arg name "${{ steps.image_details.outputs.image_name }}" \
+           --arg tag "${{ steps.image_details.outputs.image_tag }}" \
+           --arg scanTime "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
+           --arg fullName "replicatedhq/${{ steps.image_details.outputs.image_name }}" \
+           '
+           def strip_registry:
+             if startswith("docker.io/") then
+               sub("^docker\\.io/"; "")
+             else
+               .
+             end;
+           def make_asset_id:
+             "image:" + (. | strip_registry);
+           def make_full_ref:
+             if contains("/") then . else "replicatedhq/" + . end;
+           .runs[0].properties = {
+              "imageRef": ($fullName + ":" + $tag),
+              "repository": $repo,
+              "scanTime": $scanTime,
+              "DisplayName": ($fullName + ":" + $tag | make_asset_id),
+              "UniqueID": ($fullName + ":" + $tag | make_asset_id),
+              "imageMetadata": {
+                "name": $fullName,
+                "tag": $tag,
+                "annotations": {
+                  "scanTime": $scanTime,
+                  "tool": "grype",
+                  "toolVersion": "latest"
+                }
+              }
+            } |
+           .runs[0].results[] |= (
+             if .locations then
+               .locations[].logicalLocations[].fullyQualifiedName |= 
+                 if contains("docker.io/") then
+                   .
+                 else
+                   "docker.io/" + ($fullName + ":" + $tag) + 
+                   "@" + (. | split("@")[1])
+                 end
+             else
+               .
+             end
+           )' ${{ inputs.output-file }} > enriched-results.sarif; then
+          echo "::error::Failed to enrich SARIF file"
+          # Restore the backup
+          mv ${{ inputs.output-file }}.bak ${{ inputs.output-file }}
+          exit 1
+        fi
+
+        # Validate the enriched file
+        if ! jq empty enriched-results.sarif; then
+          echo "::error::Invalid enriched SARIF file"
+          # Restore the backup
+          mv ${{ inputs.output-file }}.bak ${{ inputs.output-file }}
+          exit 1
+        fi
+
+        mv enriched-results.sarif ${{ inputs.output-file }}
+        rm -f ${{ inputs.output-file }}.bak
+
+    - name: Upload SARIF file
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ inputs.output-file }}
+        category: '${{ inputs.category-prefix }}${{ steps.image_details.outputs.safe_name }}'
+
+    - name: Archive scan results
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: "sarif-${{ steps.image_details.outputs.safe_name }}"
+        path: ${{ inputs.output-file }}
+        retention-days: ${{ inputs.retention-days }}

.github/workflows/scheduled-scan.yaml

@@ -6,44 +6,41 @@ on:
 
 jobs:
   scan:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      - name: Run Trivy filesystem vulnerability scanner
+      - name: Run Grype filesystem vulnerability scanner
         id: scan
-        uses: aquasecurity/trivy-action@0.29.0
+        uses: ./.github/actions/scan-filesystem
         with:
-          scan-type: 'fs'
-          format: 'sarif'
-          output: 'trivy-filesystem-results.sarif'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-      - name: Upload Trivy filesystem scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: 'trivy-filesystem-results.sarif'
+          path: '.'
+          fail-build: 'true'
+          severity-cutoff: 'medium'
+          output-file: 'grype-filesystem-results.sarif'
+          only-fixed: 'true'
+          retention-days: '90'
+          category-prefix: 'filesystem-scan-'
 
   scan-image:
-    runs-on: ubuntu-22.04
+    name: Scan image for vulnerabilities
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Build image
         run: make docker-image DOCKER_IMAGE=ekco:nightly
-      - name: Run Trivy image vulnerability scanner
-        uses: aquasecurity/trivy-action@0.29.0
+      - name: Run Grype image vulnerability scanner
+        uses: ./.github/actions/scan-image
         with:
+          category-prefix: 'image-scan'
           image-ref: 'ekco:nightly'
-          format: 'sarif'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-          output: 'trivy-image-results.sarif'
-      - name: Upload Trivy image scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: 'trivy-image-results.sarif'
+          only-fixed: 'true'
+          output-file: 'ekco-image-results.sarif'
+          retention-days: '90'
+          severity-cutoff: 'medium'
+          upload-sarif: 'true'