
chore: migrate from Trivy to Grype for vulnerability scanning#1772

Open
JAORMX wants to merge 2 commits into main from chore/migrate-trivy-to-grype

Conversation

@JAORMX (Contributor) commented Mar 20, 2026

Summary

  • Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2 for vulnerability scanning

Test plan

  • Verify Grype scan runs successfully in CI

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings, March 20, 2026 08:43

Copilot AI (Contributor) left a comment

Pull request overview

This PR migrates the reusable GitHub Actions “Security Checks” workflow from Trivy to Anchore Grype (via anchore/scan-action) to perform repository vulnerability scanning in CI.

Changes:

  • Replaced aquasecurity/trivy-action with anchore/scan-action (Grype) pinned to v7.3.2.
  • Updated scan configuration to filesystem scanning at path: ".", failing the build on findings above the cutoff and considering only fixed vulnerabilities.

Comment on lines 14 to +21
- name: Scan repo
uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
id: grype-scan
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,config'
exit-code: '1'
ignore-unfixed: 'true'
severity: 'MEDIUM,HIGH,CRITICAL'
path: "."
fail-build: true
only-fixed: true
severity-cutoff: "medium"
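Review bot: the rendered hunk has lost its +/- markers, so it does not show whether the six Trivy-only inputs (scan-type, scan-ref, scanners, exit-code, ignore-unfixed, severity) were actually removed or left in the `with:` block next to the Grype ones; those are aquasecurity/trivy-action inputs, not anchore/scan-action inputs, and a stray one would only surface as an "unexpected input" warning in the run log, not as a failure, so please confirm the final step carries exactly `path: "."`, `fail-build: true`, `only-fixed: true` and `severity-cutoff: "medium"`. Of the policy that is carried over, `ignore-unfixed: 'true'` -> `only-fixed: true` and `severity: 'MEDIUM,HIGH,CRITICAL'` -> `severity-cutoff: "medium"` are equivalent, so the gate on fixed, medium-or-worse findings is preserved; it is worth stating that equivalence in the commit message so the next reader does not have to derive it from the diff.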
Copilot AI commented Mar 20, 2026

This migration drops the previous secret and config scanning that was done by Trivy (scanners: vuln,secret,config), so the workflow now only performs vulnerability scanning. If that broader coverage was intentional, consider adding equivalent secret/config scanning as separate jobs/steps (or configuring anchore tooling to cover those areas) so we don't regress CI security checks.


- name: Scan repo
uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
id: grype-scan
Copilot AI commented Mar 20, 2026

The step id: grype-scan doesn't appear to be referenced by any later steps/outputs in this workflow. Consider removing the unused step id to reduce noise, or add a follow-up step that consumes its outputs (e.g., to upload a report) if that was the intent.

Suggested change
id: grype-scan

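Both review comments above point at the same gap: the step has an `id` nothing consumes, and the scan's findings are only ever a pass/fail exit code. The step below is an added example, not code from this PR or from the project's workflow, of the shape that resolves both: it keeps the four inputs the PR already uses (`path`, `fail-build`, `only-fixed`, `severity-cutoff`) and gives the `grype-scan` id a purpose by uploading the SARIF report to code scanning. The `output-format` input, the `steps.<id>.outputs.sarif` output and the `github/codeql-action/upload-sarif` action are taken from those actions' documentation rather than from this page; verify them against the pinned version before merging, and pin `upload-sarif` to a commit SHA the same way the PR pins `anchore/scan-action`.

```yaml
# Added example (not the project's workflow): Grype scan step that keeps the
# PR's gate (fixed, medium-or-worse findings fail the build) and also publishes
# the report, so the `id:` is actually consumed.
- name: Scan repo
  id: grype-scan
  uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
  with:
    path: "."
    fail-build: true
    only-fixed: true
    severity-cutoff: "medium"
    # Assumption: `output-format` is an anchore/scan-action input; SARIF is
    # what code scanning ingests.
    output-format: sarif

# The scan step exits non-zero when it finds something, which is the point of
# fail-build. Without `if: always()` the upload step is skipped on exactly the
# runs that have findings to show, so the report would never reach code scanning.
- name: Upload Grype SARIF
  if: always()
  # Assumption: replace <sha> with the commit you pin upload-sarif to.
  uses: github/codeql-action/upload-sarif@<sha> # vN
  with:
    # Assumption: `sarif` is the step output holding the report path.
    sarif_file: ${{ steps.grype-scan.outputs.sarif }}
```

The `if: always()` line is the one to keep an eye on in review: with `fail-build: true` the scan step fails on findings, and GitHub skips every later step in the job unless it is told otherwise, so the report upload would silently run only on clean builds. This step still covers only vulnerabilities; the secret and config coverage that Trivy's `scanners: 'vuln,secret,config'` provided needs its own step, as the first Copilot comment says.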
@peppescg (Collaborator) commented:

@JAORMX a rebase is needed

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2
for vulnerability scanning.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
peppescg force-pushed the chore/migrate-trivy-to-grype branch from d2dfe7e to 9873ccc, March 20, 2026 09:19