CCM-17525: Use grype properly#226
Open
aidenvaines-cgi wants to merge 24 commits into
Open
Conversation
timireland
reviewed
Jul 8, 2026
|
|
||
| SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" | ||
| DEFAULT_TOOLING_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)" | ||
| TOOLING_ROOT="${TOOLING_ROOT:-${DEFAULT_TOOLING_ROOT}}" |
Contributor
There was a problem hiding this comment.
Is this line now redundant
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adjusts the shared “scan-dependencies” workflow (SBOM + Grype) so that scans always produce reports/summaries, while making the blocking failure conditional (via a PR label) and adding a manual pre-commit hook to run the same scan locally.
Changes:
- Refactors Grype execution to support configurable
--fail-onbehavior and improves the markdown summary output (adds vulnerability IDs, truncation, optional severity filtering). - Adds a manual-only
scan-dependenciespre-commit hook (and exposes it via.pre-commit-hooks.yaml) plus documentation for local use. - Updates the composite GitHub Action so it always generates/uploads artifacts and only skips the final blocking failure when a configured PR label is present.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/reports/scan-vulnerabilities.sh | Adds GRYPE_FAIL_ON_SEVERITY support and tweaks Grype invocation/config handling. |
| scripts/reports/parse-vulnerabilities.sh | Enhances markdown output (ID column, truncation) and adds an optional “Critical/High only” mode. |
| scripts/githooks/scan-dependencies.sh | New manual hook to run SBOM + vulnerability scan locally and fail on High/Critical findings. |
| scripts/config/syft.yaml | Excludes Terraform cache directories to reduce false positives in SBOM generation. |
| scripts/config/pre-commit.yaml | Registers the new manual-only scan-dependencies hook. |
| docs/pre-commit-hooks.md | Documents how to configure and run the new manual hook. |
| docs/github-actions/scan-dependencies.md | Updates action documentation (artifacts always produced; skip-label behavior; ignore file notes). |
| .pre-commit-hooks.yaml | Exposes scan-dependencies as a consumable hook for downstream repos. |
| .github/actions/scan-dependencies/action.yaml | Changes skip-label semantics to only bypass the final failing step; always generates/uploads outputs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| grype \ | ||
| sbom:"$PWD/sbom-repository-report.json" \ | ||
| --config "$TOOLING_ROOT/scripts/config/grype.yaml" \ | ||
| --config "$PWD/scripts/config/grype.yaml" \ |
| "$image" \ | ||
| sbom:/workdir/sbom-repository-report.json \ | ||
| --config /tooling/scripts/config/grype.yaml \ | ||
| --config /workdir/scripts/config/grype.yaml \ |
Comment on lines
18
to
+19
| REPORT_FILE="$1" | ||
| FILTER_CRITICAL_HIGH_ONLY="${2:-false}" |
| cd "$(git rev-parse --show-toplevel)" | ||
|
|
||
| export BUILD_DATETIME="${BUILD_DATETIME:-$(date -u +'%Y-%m-%dT%H:%M:%S%z')}" | ||
| export GRYPE_FAIL_ON_SEVERITY="${GRYPE_FAIL_ON_SEVERITY:-high}" |
| [[ -f sbom-repository-report.json ]] && echo " ✓ SBOM created" || echo " ✗ SBOM not found" | ||
|
|
||
| echo "Step 2: Scanning vulnerabilities..." | ||
| "${TOOLING_ROOT}/scripts/reports/scan-vulnerabilities.sh" || true |
Comment on lines
+28
to
+40
| if [[ -n "$REPORT_FILE" ]]; then | ||
| "${TOOLING_ROOT}/scripts/reports/parse-vulnerabilities.sh" "$REPORT_FILE" "true" | ||
|
|
||
| # Check if Critical or High vulnerabilities exist and fail | ||
| CRITICAL_COUNT=$(jq '[.matches[] | select(.vulnerability.severity == "Critical") | {id: .vulnerability.id, package: .artifact.name, version: .artifact.version}] | unique_by([.id, .package, .version]) | length' "$REPORT_FILE") | ||
| HIGH_COUNT=$(jq '[.matches[] | select(.vulnerability.severity == "High") | {id: .vulnerability.id, package: .artifact.name, version: .artifact.version}] | unique_by([.id, .package, .version]) | length' "$REPORT_FILE") | ||
|
|
||
| if [[ "$CRITICAL_COUNT" -gt 0 || "$HIGH_COUNT" -gt 0 ]]; then | ||
| echo "" | ||
| echo "❌ Found $CRITICAL_COUNT Critical and $HIGH_COUNT High severity vulnerabilities" | ||
| exit 1 | ||
| fi | ||
| fi |
| - Checks: Known vulnerabilities (CVEs) | ||
| - Reports: Security advisories | ||
| - Alerts: High-risk dependencies | ||
| - Checks: Known vulnerabilities or CVE |
timireland
reviewed
Jul 8, 2026
|
|
||
| ### Ignore File | ||
|
|
||
| If a repository contains a root-level `.grypeignore`, each non-comment line is treated as a Grype vulnerability ID to suppress. For example: |
Contributor
There was a problem hiding this comment.
is this still correct ? - Thought grype.yaml file is used
timireland
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Shuffle the check workflow around a little to account for the grype exclusions in the grype.yaml
Updates docs for the Scan-deps shared action
Adds a new pre-commit-hook for scan-dependencies so that consuming repos can run the scan adhoc
Adds a make target for running said hook manually. its not automatic as it does take a few seconds
Hides the .terraform and terraform plugin-cache from Syft to avoid false positives
Adds a CVE/ID for the vulns found, corrects markdown linting and description truncating for output
Adds a filter for just showing High and
Context
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.