
refactor(supply-chain): replace Trivy with Grype in promote-core scan gate#236

Merged

williaby merged 2 commits into main from refactor/promote-core-grype on Jun 30, 2026

Conversation

@williaby

@williaby williaby commented Jun 30, 2026

Collaborator

Summary

promote-core (#234) re-introduced Trivy in its pre-publish scan gate, carrying an unresolved #VERIFY: PR #229 had removed Trivy after its release infrastructure was compromised in March 2026. Per the decision to favor supply-chain hygiene over re-vetting, this swaps Trivy for Grype (anchore), so the gate is now Grype + Snyk.

What changed

  • Replaced the aquasecurity/trivy-action step with a Grype install + scan in the scan job.
  • Grype is pinned by version (0.115.0) and verified by sha256 before extraction, matching the crane install pattern already in the same job. The swap's entire rationale is supply-chain hygiene, so a curl | sh from a mutable install script would be self-defeating; the binary is fetched from the pinned release and checksum-checked.
  • Input trivy_severities (CRITICAL,HIGH) is replaced by grype_fail_on (default high). Grype's --fail-on exits non-zero at or above the threshold, before any public push (RT-4). SARIF is still written and uploaded (category: grype-<image_id>).
  • The two remaining "Trivy" mentions are deliberate history notes explaining the #229 ("feat(python-sbom)!: cut over runtime CVE gate from Trivy to Grype (#152)") to Grype lineage.

Compatibility

The trivy_severities to grype_fail_on rename changes the workflow_call input surface, but promote-core was added in #234 and has never shipped in a published tag (the latest release v1.3.1 predates it). No @v1 or @v1.x consumer pins this input, so this is correctly a non-breaking refactor, not refactor!. Marking it breaking would also auto-cut a spurious major tag via release-tag.yml, which all consumers pin through @v1.

Validation

Context

Second of the P3 validation-driven fixes to promote-core. With #235 (merged) and this, the shared core's scan-then-publish-then-lock path is correct and policy-compliant, clearing the way to wire the first container-images mirror caller (bake mode).

Generated with Claude Code

… gate

PR #229 removed Trivy after its release infrastructure was compromised in
March 2026; promote-core re-introduced it with an unresolved #VERIFY. Swap it
for Grype (anchore), consistent with #229, so the pre-publish scan gate is
Grype + Snyk.

Grype is installed by pinned version (0.115.0) and verified by sha256 before
extraction, matching the crane install pattern in the same job (the swap's
rationale is supply-chain hygiene, so a curl|sh from a mutable branch would be
self-defeating). The trivy_severities input is replaced by grype_fail_on
(default high); the gate writes SARIF and fails closed at or above the
threshold before any public push (RT-4).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 30, 2026


Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 41 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 112e4af2-c2a9-40dd-ad59-639ac113f94d

📥 Commits

Reviewing files that changed from the base of the PR and between 83cc391 and 23f5a9d.

📒 Files selected for processing (1)
  • .github/workflows/supply-chain-promote-core.yml

@williaby

Collaborator Author

PR Review

PREMISE: OK — this completes the #229 Trivy removal that #234 had re-introduced under an unresolved #VERIFY. Well-justified, no regression, no collision.

Verified clean. No Critical or Important findings.

Key external verification (the one load-bearing supply-chain claim):

  • Grype 0.115.0 checksum 3fad92940650e514c0aa2dad83526942a055e210cec09a8a59d9c024adc2b90e matches anchore's official signed grype_0.115.0_checksums.txt for grype_0.115.0_linux_amd64.tar.gz.
  • Release v0.115.0 exists (published 2026-06-26, latest stable).
  • Gate fails closed and blocks pre-publish: publish needs: scan, so a Grype failure (or DB-fetch failure) stops promotion (RT-4 preserved). SARIF upload is guarded by if: always() && hashFiles(...). Scan reads the archive via docker-archive: (no docker.sock, consistent with the syft RT-8 pattern).

Suggested (optional):

  • The Grype gate step omits a #VERIFY marker for grype's docker-archive:/sarif= support, while the adjacent Snyk step uses that convention. Adding one line keeps RAD-convention parity. No functional defect (grype 0.115.0 supports both, confirmed).

Informational:

  • This reusable workflow has no caller in CI, so the Grype install/scan path is validated statically only (actionlint, yaml), not executed on this PR. First real exercise is when the container-images mirror caller is wired.
  • Input interface change: trivy_severities removed, grype_fail_on added. Breaking for any workflow_call consumer, but none exist yet, so impact is zero.

Review tooling note: CodeRabbit's check is green but its review did not run (rate-limited: "Review limit reached"). Do not treat that green check as review coverage. Copilot posted no submission.

🤖 Generated with Claude Code
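The pinned-release-plus-sha256 install gate that the PR description ("What changed") and the review's "Key external verification" bullet both rely on, written out as a small added example. This is not the PR's workflow code or an anchore install script; it assumes the archive has already been fetched from a release pinned by version tag, and stands a constructed tarball in for grype_<version>_linux_amd64.tar.gz so that it runs offline. The function names (verify_and_extract, sha256_of, demo_good, demo_bad) are this example's own.

```shell
#!/bin/sh
# Added example (not the PR's workflow code): verify a release archive
# against a pinned sha256 before extracting it, failing closed on mismatch.
set -eu

# Portable sha256: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST
# Extracts ARCHIVE into DEST only if its digest equals EXPECTED_SHA256.
# Any other outcome (missing file, mismatch) returns 1 and leaves DEST untouched,
# which is what makes the install step a gate rather than a best-effort fetch.
verify_and_extract() {
  archive="$1"; expected="$2"; dest="$3"
  [ -r "$archive" ] || { echo "archive missing: $archive" >&2; return 1; }
  actual="$(sha256_of "$archive")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
}

# --- constructed demo data (stands in for a pinned scanner release tarball) ---
demo_dir="$(mktemp -d)"
printf '#!/bin/sh\necho "fake scanner"\n' > "$demo_dir/scanner"
chmod +x "$demo_dir/scanner"
tar -czf "$demo_dir/scanner.tar.gz" -C "$demo_dir" scanner
# The digest you would pin in the workflow, taken from the vendor's checksums file.
good_sha="$(sha256_of "$demo_dir/scanner.tar.gz")"
# A digest the archive does not have: what a swapped or tampered release looks like.
bad_sha="0000000000000000000000000000000000000000000000000000000000000000"

# Matching digest: archive is extracted and the binary is usable.
demo_good() {
  verify_and_extract "$demo_dir/scanner.tar.gz" "$good_sha" "$demo_dir/bin-good" \
    && [ -x "$demo_dir/bin-good/scanner" ]
}

# Mismatching digest: extraction is refused and nothing lands in DEST.
demo_bad() {
  if verify_and_extract "$demo_dir/scanner.tar.gz" "$bad_sha" "$demo_dir/bin-bad" 2>/dev/null; then
    return 1
  fi
  [ ! -e "$demo_dir/bin-bad/scanner" ]
}
```

In the workflow the expected digest is a literal pinned next to the version, so a change to either is a reviewable diff; the check runs before `tar`, never after, so a bad archive is never unpacked into the job's PATH.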

Mirror the adjacent Snyk step's RAD convention: annotate that the Grype
gate assumes grype 0.115.0 supports the docker-archive: input scheme and
sarif= output format. Comment-only; no behavior change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sonarqubecloud


@williaby williaby added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit bec4d9f Jun 30, 2026
38 of 39 checks passed
@williaby williaby deleted the refactor/promote-core-grype branch June 30, 2026 18:08