chore: migrate from Trivy to Grype for vulnerability scanning by JAORMX · Pull Request #154 · StacklokLabs/mkp

JAORMX · 2026-03-20T08:42:17Z

Summary

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2 for vulnerability scanning
Grype provides equivalent vulnerability detection capabilities
Remove IaC/config scan job (not supported by Grype)

Test plan

Verify Grype scan runs successfully in CI
Check that SARIF results appear in Security tab

🤖 Generated with Claude Code

.github/workflows/security.yml

+    name: Grype Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+      - name: Run Grype vulnerability scanner
+        id: grype-scan
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        with:
-          scan-type: 'fs'
-          ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+          path: "."
+          only-fixed: true
+          output-format: "sarif"
+          severity-cutoff: "high"
+          fail-build: false

-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Grype scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4
        if: always()
        with:
-          sarif_file: 'trivy-results.sarif'
-          category: 'trivy-fs'
-
-      - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
-        with:
-          scan-type: 'config'
-          hide-progress: false
-          format: 'sarif'
-          output: 'trivy-config-results.sarif'
-          exit-code: '1'
-          severity: 'CRITICAL,HIGH'
-
-      - name: Upload Trivy IaC scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4
-        if: always()
-        with:
-          sarif_file: 'trivy-config-results.sarif'
-          category: 'trivy-config'
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}


In general, the fix is to explicitly declare a permissions block in the workflow, using the least privileges needed. For a security scanning job that checks out the code and uploads SARIF results to GitHub’s Security tab, the job needs read access to the repository contents and security events. The minimal and appropriate set is typically contents: read and security-events: write (the latter is required for uploading SARIF).

The best way to fix this without changing functionality is to add a permissions block at the job level under grype-scan:. This scopes the permissions just to this job and avoids affecting any other jobs that might be added later. Concretely, in .github/workflows/security.yml, under jobs:, and indented to align with runs-on, add:

permissions: contents: read security-events: write

This preserves the workflow’s behavior (checkout still works; SARIF upload still works) while constraining the GITHUB_TOKEN to only what is needed.

github-advanced-security · 2026-03-20T08:43:04Z

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2 for vulnerability scanning. Grype provides equivalent vulnerability detection capabilities. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

github-advanced-security bot found potential problems Mar 20, 2026

View reviewed changes

JAORMX force-pushed the chore/migrate-trivy-to-grype branch from d48c0ff to 9753159 Compare March 20, 2026 09:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: migrate from Trivy to Grype for vulnerability scanning#154

chore: migrate from Trivy to Grype for vulnerability scanning#154
JAORMX wants to merge 1 commit intomainfrom
chore/migrate-trivy-to-grype

JAORMX commented Mar 20, 2026

Uh oh!

Check warning

Copilot Autofix

github-advanced-security bot commented Mar 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

@@ -10,6 +10,9 @@
               grype-scan:
                 name: Grype Security Scan
                 runs-on: ubuntu-latest
+                permissions:
+                  contents: read
+                  security-events: write
                 steps:
                   - name: Checkout code
                     uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

Conversation

JAORMX commented Mar 20, 2026

Summary

Test plan

Uh oh!

Check warning

Copilot Autofix

github-advanced-security bot commented Mar 20, 2026

What Enabling Code Scanning Means:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant