Skip to content

CCM-17525: Use grype properly#226

Open
aidenvaines-cgi wants to merge 24 commits into
mainfrom
CCM-17525_useGrypeProperly
Open

CCM-17525: Use grype properly#226
aidenvaines-cgi wants to merge 24 commits into
mainfrom
CCM-17525_useGrypeProperly

Conversation

@aidenvaines-cgi

@aidenvaines-cgi aidenvaines-cgi commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Description

Shuffle the check workflow around a little to account for the grype exclusions in the grype.yaml
Updates docs for the Scan-deps shared action
Adds a new pre-commit-hook for scan-dependencies so that consuming repos can run the scan adhoc
Adds a make target for running said hook manually. its not automatic as it does take a few seconds
Hides the .terraform and terraform plugin-cache from Syft to avoid false positives
Adds a CVE/ID for the vulns found, corrects markdown linting and description truncating for output
Adds a filter for just showing High and

Context

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

@aidenvaines-cgi aidenvaines-cgi requested a review from a team as a code owner July 8, 2026 12:06
@aidenvaines-cgi aidenvaines-cgi changed the title Ccm 17525 use grype properly CCM-17525: Use grype properly Jul 8, 2026

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
DEFAULT_TOOLING_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
TOOLING_ROOT="${TOOLING_ROOT:-${DEFAULT_TOOLING_ROOT}}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this line now redundant

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts the shared “scan-dependencies” workflow (SBOM + Grype) so that scans always produce reports/summaries, while making the blocking failure conditional (via a PR label) and adding a manual pre-commit hook to run the same scan locally.

Changes:

  • Refactors Grype execution to support configurable --fail-on behavior and improves the markdown summary output (adds vulnerability IDs, truncation, optional severity filtering).
  • Adds a manual-only scan-dependencies pre-commit hook (and exposes it via .pre-commit-hooks.yaml) plus documentation for local use.
  • Updates the composite GitHub Action so it always generates/uploads artifacts and only skips the final blocking failure when a configured PR label is present.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
scripts/reports/scan-vulnerabilities.sh Adds GRYPE_FAIL_ON_SEVERITY support and tweaks Grype invocation/config handling.
scripts/reports/parse-vulnerabilities.sh Enhances markdown output (ID column, truncation) and adds an optional “Critical/High only” mode.
scripts/githooks/scan-dependencies.sh New manual hook to run SBOM + vulnerability scan locally and fail on High/Critical findings.
scripts/config/syft.yaml Excludes Terraform cache directories to reduce false positives in SBOM generation.
scripts/config/pre-commit.yaml Registers the new manual-only scan-dependencies hook.
docs/pre-commit-hooks.md Documents how to configure and run the new manual hook.
docs/github-actions/scan-dependencies.md Updates action documentation (artifacts always produced; skip-label behavior; ignore file notes).
.pre-commit-hooks.yaml Exposes scan-dependencies as a consumable hook for downstream repos.
.github/actions/scan-dependencies/action.yaml Changes skip-label semantics to only bypass the final failing step; always generates/uploads outputs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

grype \
sbom:"$PWD/sbom-repository-report.json" \
--config "$TOOLING_ROOT/scripts/config/grype.yaml" \
--config "$PWD/scripts/config/grype.yaml" \
"$image" \
sbom:/workdir/sbom-repository-report.json \
--config /tooling/scripts/config/grype.yaml \
--config /workdir/scripts/config/grype.yaml \
Comment on lines 18 to +19
REPORT_FILE="$1"
FILTER_CRITICAL_HIGH_ONLY="${2:-false}"
cd "$(git rev-parse --show-toplevel)"

export BUILD_DATETIME="${BUILD_DATETIME:-$(date -u +'%Y-%m-%dT%H:%M:%S%z')}"
export GRYPE_FAIL_ON_SEVERITY="${GRYPE_FAIL_ON_SEVERITY:-high}"
[[ -f sbom-repository-report.json ]] && echo " ✓ SBOM created" || echo " ✗ SBOM not found"

echo "Step 2: Scanning vulnerabilities..."
"${TOOLING_ROOT}/scripts/reports/scan-vulnerabilities.sh" || true
Comment on lines +28 to +40
if [[ -n "$REPORT_FILE" ]]; then
"${TOOLING_ROOT}/scripts/reports/parse-vulnerabilities.sh" "$REPORT_FILE" "true"

# Check if Critical or High vulnerabilities exist and fail
CRITICAL_COUNT=$(jq '[.matches[] | select(.vulnerability.severity == "Critical") | {id: .vulnerability.id, package: .artifact.name, version: .artifact.version}] | unique_by([.id, .package, .version]) | length' "$REPORT_FILE")
HIGH_COUNT=$(jq '[.matches[] | select(.vulnerability.severity == "High") | {id: .vulnerability.id, package: .artifact.name, version: .artifact.version}] | unique_by([.id, .package, .version]) | length' "$REPORT_FILE")

if [[ "$CRITICAL_COUNT" -gt 0 || "$HIGH_COUNT" -gt 0 ]]; then
echo ""
echo "❌ Found $CRITICAL_COUNT Critical and $HIGH_COUNT High severity vulnerabilities"
exit 1
fi
fi
- Checks: Known vulnerabilities (CVEs)
- Reports: Security advisories
- Alerts: High-risk dependencies
- Checks: Known vulnerabilities or CVE

### Ignore File

If a repository contains a root-level `.grypeignore`, each non-comment line is treated as a Grype vulnerability ID to suppress. For example:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this still correct ? - Thought grype.yaml file is used

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants