diff --git a/.github/workflows/_security-checks.yml b/.github/workflows/_security-checks.yml
index 6f5bef3de..a36dfe16a 100644
--- a/.github/workflows/_security-checks.yml
+++ b/.github/workflows/_security-checks.yml
@@ -4,22 +4,21 @@ on:
 permissions:
   contents: read
 jobs:
-  trivy:
-    name: Trivy
+  grype:
+    name: Grype
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Scan repo
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        id: grype-scan
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
         with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          scanners: 'vuln,secret,config'
-          exit-code: '1'
-          ignore-unfixed: 'true'
-          severity: 'MEDIUM,HIGH,CRITICAL'
+          path: '.'
+          fail-build: true
+          severity-cutoff: 'medium'
+          output-format: 'table'
 
   npm-audit:
     name: PNPM Audit
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 000000000..0767c27db
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Grype configuration for toolhive-react.
+# - node_modules/: lock file is the source of truth; scanning installed packages is redundant.
+# - dist/, out/: build artifacts produced by Vite / Electron Forge.
+# - bin/: downloaded binaries (e.g. thv), scanned by their own pipelines.
+# - .webpack/, .vite/, .cache/: build-tool caches, not source packages.
+# - coverage/, playwright-report/, test-results/, test-videos/: test output, not source packages.
+
+# Only report vulnerabilities that have a fix available — unfixed ones are noise with no actionable remedy.
+only-fixed: true
+
+exclude:
+  - '**/node_modules/**'
+  - '**/dist/**'
+  - '**/bin/**'
+  - '**/out/**'
+  - '**/.webpack/**'
+  - '**/coverage/**'
+  - '**/playwright-report/**'
+  - '**/test-results/**'
+  - '**/test-videos/**'
+  - '**/.vite/**'
+  - '**/.cache/**'
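Review bot: The new `Scan repo` step silently narrows coverage: the removed `scanners: 'vuln,secret,config'` line had Trivy also scanning for committed secrets and misconfigurations, while anchore/scan-action performs vulnerability matching only, so after this hunk nothing in the job looks for leaked credentials or config issues. If that is intentional, a comment on the step such as `# Vulnerability scan only; secret/config scanning is covered by <job or tool>` would record where that coverage moved; otherwise a dedicated secret-scanning step should be reinstated alongside Grype. The old `ignore-unfixed: 'true'` behaviour now depends on the action picking up `only-fixed: true` from the `.grype.yaml` in the checked-out working directory, which is presumably automatic but worth confirming in the first run's log since no config path is passed to the action. The `id: grype-scan` output is not consumed anywhere visible in this hunk.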
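Review bot: The `**/node_modules/**` exclusion rests on the header comment's claim that the lock file is the source of truth, but that only holds if Grype actually catalogs this repository's lockfile (the sibling job is named "PNPM Audit", so presumably `pnpm-lock.yaml`); if the cataloger does not pick it up, the exclusion leaves the scan with nothing to match and `fail-build` can never fire. A comment recording that check, e.g. `# Verified: grype catalogs pnpm-lock.yaml packages with node_modules excluded`, or a one-off run asserting a non-zero package count would make the assumption visible. `only-fixed: true` is a policy choice that hides unfixed findings entirely rather than reporting them as informational, including unfixed criticals; the comment above it should state that tradeoff rather than just calling them noise. The `**/bin/**` exclusion defers the vendored binary to "their own pipelines" — naming that pipeline in the comment would let a reader confirm the coverage really exists.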