refactor(supply-chain): replace Trivy with Grype in promote-core scan gate #236
… gate PR #229 removed Trivy after its release infrastructure was compromised in March 2026; promote-core re-introduced it with an unresolved #VERIFY. Swap it for Grype (anchore), consistent with #229, so the pre-publish scan gate is Grype + Snyk. Grype is installed by pinned version (0.115.0) and verified by sha256 before extraction, matching the crane install pattern in the same job (the swap's rationale is supply-chain hygiene, so a curl|sh from a mutable branch would be self-defeating). The trivy_severities input is replaced by grype_fail_on (default high); the gate writes SARIF and fails closed at or above the threshold before any public push (RT-4). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PR Review

PREMISE: OK — this completes the #229 Trivy removal that #234 had re-introduced under an unresolved #VERIFY. Verified clean. No Critical or Important findings.

Key external verification (the one load-bearing supply-chain claim):

Suggested (optional):

Informational:

Review tooling note: CodeRabbit's check is green but its review did not run (rate-limited: "Review limit reached"). Do not treat that green check as review coverage. Copilot posted no submission.

🤖 Generated with Claude Code
Mirror the adjacent Snyk step's RAD convention: annotate that the Grype gate assumes grype 0.115.0 supports the docker-archive: input scheme and sarif= output format. Comment-only; no behavior change. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

promote-core (#234) re-introduced Trivy in its pre-publish scan gate, carrying an unresolved #VERIFY: PR #229 had removed Trivy after its release infrastructure was compromised in March 2026. Per the decision to favor supply-chain hygiene over re-vetting, this swaps Trivy for Grype (anchore), so the gate is now Grype + Snyk.

What changed

- The `aquasecurity/trivy-action` step is replaced with a Grype install + scan in the `scan` job.
- Grype is installed by pinned version (`0.115.0`) and verified by sha256 before extraction, matching the `crane` install pattern already in the same job. The swap's entire rationale is supply-chain hygiene, so a `curl | sh` from a mutable install script would be self-defeating; the binary is fetched from the pinned release and checksum-checked.
- `trivy_severities` (`CRITICAL,HIGH`) is replaced by `grype_fail_on` (default `high`). Grype's `--fail-on` exits non-zero at or above the threshold, before any public push (RT-4). SARIF is still written and uploaded (category: `grype-<image_id>`).

Compatibility

The `trivy_severities` to `grype_fail_on` rename changes the `workflow_call` input surface, but `promote-core` was added in #234 and has never shipped in a published tag (the latest release `v1.3.1` predates it). No `@v1` or `@v1.x` consumer pins this input, so this is correctly a non-breaking `refactor`, not `refactor!`. Marking it breaking would also auto-cut a spurious major tag via `release-tag.yml`, which all consumers pin through `@v1`.

Validation

- `yaml.safe_load` parses clean; `actionlint` clean; all pre-commit hooks pass.
- On `main` after fix(supply-chain): pass --source-digest from promote-core to the lock updater (#235) merged; both promote-core corrections (source-digest contract fix + this Grype swap) coexist with no conflict (different jobs).

Context

Second of the P3 validation-driven fixes to `promote-core`. With #235 (merged) and this, the shared core's scan-then-publish-then-lock path is correct and policy-compliant, clearing the way to wire the first container-images mirror caller (bake mode).

Generated with Claude Code
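The install-and-gate pattern the PR describes (pinned version, sha256 checked before extraction, `--fail-on` threshold with SARIF written regardless), as an added example in plain POSIX shell. This is not the project's workflow and not anchore's code; the release asset name (`grype_<version>_linux_amd64.tar.gz`), the download URL layout, and the `install_grype`, `verify_then_extract` and `scan_gate` function names are assumptions, and the expected digest is a placeholder the workflow must pin from the real release.

```shell
#!/bin/sh
# Added example, not the project's workflow: a pinned, checksum-gated install
# plus a fail-closed scan gate, the shape the PR describes for grype 0.115.0.
set -eu

GRYPE_VERSION="0.115.0"   # pinned release (from the PR)
GRYPE_FAIL_ON="high"      # default of the grype_fail_on input (from the PR)
# Asset name and URL layout are assumptions, not taken from the PR.
GRYPE_ASSET="grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
GRYPE_URL="https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/${GRYPE_ASSET}"

# sha256_of FILE: hex digest via coreutils sha256sum, falling back to shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_then_extract ARCHIVE EXPECTED_SHA256 DEST
# Compares the archive against a digest pinned in the workflow and extracts
# only on a match; on mismatch nothing is extracted and the function returns
# 1, so a substituted release asset never reaches the PATH.
verify_then_extract() {
  vte_archive="$1"; vte_expected="$2"; vte_dest="$3"
  vte_actual="$(sha256_of "$vte_archive")"
  if [ "$vte_actual" != "$vte_expected" ]; then
    echo "checksum mismatch for $vte_archive: expected $vte_expected, got $vte_actual" >&2
    return 1
  fi
  mkdir -p "$vte_dest"
  tar -xzf "$vte_archive" -C "$vte_dest"
}

# install_grype EXPECTED_SHA256 DEST: fetch the pinned asset, then gate on the
# digest. The digest is pinned in the workflow rather than read from a
# checksums file on the same release page: a checksum fetched from the source
# being verified only catches corruption in transit, not a compromised release.
install_grype() {
  ig_expected="$1"; ig_dest="$2"
  ig_tmp="$(mktemp -d)"
  curl -fsSL -o "$ig_tmp/$GRYPE_ASSET" "$GRYPE_URL"
  verify_then_extract "$ig_tmp/$GRYPE_ASSET" "$ig_expected" "$ig_dest" || {
    rm -rf "$ig_tmp"; return 1
  }
  rm -rf "$ig_tmp"
}

# scan_gate GRYPE_BIN IMAGE_TAR SARIF_OUT: scan a docker-archive, write SARIF,
# and exit non-zero at or above the threshold (fail closed before any push).
# docker-archive: and sarif= are the schemes the PR says the gate relies on.
scan_gate() {
  "$1" "docker-archive:$2" -o "sarif=$3" --fail-on "$GRYPE_FAIL_ON"
}

# Usage: sh gate.sh <pinned-sha256-placeholder> <image.tar> <out.sarif>
# With no arguments the script only defines the functions above.
if [ "$#" -eq 3 ]; then
  install_grype "$1" "$PWD/.grype"
  scan_gate "$PWD/.grype/grype" "$2" "$3"
fi
```

The point of `verify_then_extract` is ordering: the digest check happens on the archive as downloaded, and `tar` runs only after it passes, so a mismatch leaves nothing on disk to execute. Pinning the digest in the workflow file (rather than trusting a checksums file served alongside the asset) is what makes the gate meaningful when the release source itself is the thing in doubt, which is the scenario the PR cites for Trivy.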