
chore: migrate from Trivy to Grype for vulnerability scanning#448

Open
JAORMX wants to merge 1 commit into main from chore/migrate-trivy-to-grype

Conversation

@JAORMX

@JAORMX JAORMX commented Mar 20, 2026

Summary

  • Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2

Test plan

  • Verify Grype scan runs successfully in CI

🤖 Generated with Claude Code

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 20, 2026 08:57
@github-actions github-actions bot added the size/XS Extra small PR: < 100 lines changed label Mar 20, 2026

Copilot AI left a comment


Pull request overview

Migrates the repository CI vulnerability scanning workflow from Trivy to Grype (via anchore/scan-action), updating the GitHub Actions security checks accordingly.

Changes:

  • Replaced aquasecurity/trivy-action with anchore/scan-action pinned to v7.3.2.
  • Updated scan configuration to filesystem path scanning with build-fail thresholds and fixed-only findings.

Comment on lines +19 to +23
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
id: grype-scan
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,config'
exit-code: '1'
ignore-unfixed: 'true'
severity: 'MEDIUM,HIGH,CRITICAL'
path: "."
fail-build: true
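Review bot: the Grype step ends up configured by only `path: "."` and `fail-build: true`; the six Trivy keys shown with it (`scan-type`, `scan-ref`, `scanners`, `exit-code`, `ignore-unfixed`, `severity`) are not anchore/scan-action inputs, so whether they are the removed side of this hunk or survive in the file, they have no effect (an unknown input only produces an "Unexpected input(s)" warning). The explicit threshold the Trivy step carried (`severity: 'MEDIUM,HIGH,CRITICAL'` and `ignore-unfixed: 'true'`) therefore falls back to the action's defaults; anchore/scan-action exposes these as `severity-cutoff` and `only-fixed`, so add `severity-cutoff: medium` and `only-fixed: true` under `with:` to keep the failure policy explicit in the workflow, and delete any leftover Trivy keys.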

Copilot AI Mar 20, 2026


This migration drops the previous Trivy checks for secret and config scanning (it now runs only Grype vulnerability scanning). If those checks are still desired under this "Security Checks" workflow, add equivalent steps/tools (e.g., a dedicated secret scanner + IaC/config misconfig scanner) or explicitly document that this workflow is now vuln-only to avoid an unintentional security coverage regression.

- name: Scan repo
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
id: grype-scan
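Review bot: the new `uses:` line pins a full commit SHA with a `# v7.3.2` comment, which is the right shape for a third-party action; before merging, confirm that `7037fa011853d5a11690026fb85feee79f4c946c` is the commit the v7.3.2 tag of anchore/scan-action points at, since the comment is informational only and the runner executes whatever revision the SHA resolves to. Keeping the `# vX.Y.Z` comment beside the SHA also lets dependency-update tooling bump both together.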

Copilot AI Mar 20, 2026


The step id: grype-scan is currently unused in this workflow. Consider removing it to reduce noise, or use it (e.g., to reference outputs) if you intend to consume scan results later in the job.

Suggested change
id: grype-scan


@peppescg peppescg left a comment


🚀

@peppescg

I am going to fix the vulns in the next PR.
