From 2a481498b9738ffad8f51c9daf40e012d11a767b Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Fri, 20 Mar 2026 10:57:48 +0200
Subject: [PATCH] chore: migrate from Trivy to Grype for vulnerability scanning

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2. Remove config scanning (not supported by Grype).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/code-checks.yml |  4 ++--
 .github/workflows/security.yml    | 35 ++++++++-----------------------
 2 files changed, 11 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml
index 4bf8487..4445a01 100644
--- a/.github/workflows/code-checks.yml
+++ b/.github/workflows/code-checks.yml
@@ -13,8 +13,8 @@ jobs:
   code_quality_cli:
     name: Code Quality CLI
     uses: ./.github/workflows/code-quality-cli.yml
-  trivy_security:
-    name: TrivySecurity Scan
+  grype_security:
+    name: Grype Security Scan
     uses: ./.github/workflows/security.yml
   image_build:
     name: Build Docker Image
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f29da97..f59c419 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   filesystem-scan:
-    name: Trivy Filesystem Scan
+    name: Grype Filesystem Scan
     runs-on: ubuntu-latest
     timeout-minutes: 10
 
@@ -19,29 +19,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Run Trivy vulnerability scanner in fs mode
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+      - name: Run Grype vulnerability scanner
+        id: grype-scan
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
         with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          format: 'table'
-          severity: 'CRITICAL,HIGH,MEDIUM'
-          exit-code: '1'
-
-  config-scan:
-    name: Trivy Config Scan
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Run Trivy configuration scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
-        with:
-          scan-type: 'config'
-          scan-ref: '.'
-          format: 'table'
-          severity: 'CRITICAL,HIGH,MEDIUM'
-          exit-code: '1'
+          path: "."
+          output-format: "table"
+          severity-cutoff: "medium"
+          only-fixed: true
+          fail-build: true
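Review bot: `only-fixed: true` in the new `with:` block tells Grype to drop every finding that has no fix available, so an unpatched CRITICAL or HIGH in a dependency no longer fails the build — a quiet coverage regression from the removed Trivy step, whose `severity: 'CRITICAL,HIGH,MEDIUM'` plus `exit-code: '1'` failed on all such findings regardless of fix status. If the noise trade-off is deliberate, say so next to the option, e.g. `only-fixed: true  # deliberately skips vulns with no upstream fix; revisit`; otherwise set `only-fixed: false` to keep parity with the previous gate. The hunk also deletes the `config-scan` job with no replacement, so Dockerfile/IaC misconfiguration checks disappear from CI until another tool covers them — worth a comment on `filesystem-scan` or a tracking issue so the gap is not forgotten. The `id: grype-scan` is set but nothing in the hunk consumes its outputs; keep it only if a later step (outside this hunk) reads them.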