Skip to content

chore: migrate from Trivy to Grype for vulnerability scanning #154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
JAORMX wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: migrate from Trivy to Grype for vulnerability scanning #154

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 13 additions & 29 deletions .github/workflows/security.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,42 +7,26 @@
- cron: '0 0 * * 0' # Run weekly on Sundays at midnight

jobs:
trivy-scan:
name: Trivy Security Scan
grype-scan:
name: Grype Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
- name: Run Grype vulnerability scanner
id: grype-scan
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
path: "."
only-fixed: true
output-format: "sarif"
severity-cutoff: "high"
fail-build: false

- name: Upload Trivy scan results to GitHub Security tab
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4
if: always()
with:
sarif_file: 'trivy-results.sarif'
category: 'trivy-fs'

- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
with:
scan-type: 'config'
hide-progress: false
format: 'sarif'
output: 'trivy-config-results.sarif'
exit-code: '1'
severity: 'CRITICAL,HIGH'

- name: Upload Trivy IaC scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4
if: always()
with:
sarif_file: 'trivy-config-results.sarif'
category: 'trivy-config'
sarif_file: ${{ steps.grype-scan.outputs.sarif }}
Comment on lines +11 to +31

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 17 hours ago

In general, the fix is to explicitly declare a permissions block in the workflow, using the least privileges needed. For a security scanning job that checks out the code and uploads SARIF results to GitHub’s Security tab, the job needs read access to the repository contents and security events. The minimal and appropriate set is typically contents: read and security-events: write (the latter is required for uploading SARIF).

The best way to fix this without changing functionality is to add a permissions block at the job level under grype-scan:. This scopes the permissions just to this job and avoids affecting any other jobs that might be added later. Concretely, in .github/workflows/security.yml, under jobs:, and indented to align with runs-on, add:

permissions:
  contents: read
  security-events: write

This preserves the workflow’s behavior (checkout still works; SARIF upload still works) while constraining the GITHUB_TOKEN to only what is needed.

Suggested changeset 1
.github/workflows/security.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -10,6 +10,9 @@
   grype-scan:
     name: Grype Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
EOF
@@ -10,6 +10,9 @@
grype-scan:
name: Grype Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
Copilot is powered by AI and may make mistakes. Always verify output.
category: "grype"
Loading