From 9873ccc79a5d0eb6a8c8f06079ff8642c5fc0467 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Date: Fri, 20 Mar 2026 10:41:40 +0200 Subject: [PATCH 1/7] chore: migrate from Trivy to Grype for vulnerability scanning Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2 for vulnerability scanning. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/_security-checks.yml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/_security-checks.yml b/.github/workflows/_security-checks.yml index 6f5bef3de..b03d80b05 100644 --- a/.github/workflows/_security-checks.yml +++ b/.github/workflows/_security-checks.yml @@ -4,22 +4,21 @@ on: permissions: contents: read jobs: - trivy: - name: Trivy + grype: + name: Grype runs-on: ubuntu-latest steps: - name: Checkout Repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan repo - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + id: grype-scan + uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 with: - scan-type: 'fs' - scan-ref: '.' - scanners: 'vuln,secret,config' - exit-code: '1' - ignore-unfixed: 'true' - severity: 'MEDIUM,HIGH,CRITICAL' + path: "." + fail-build: true + only-fixed: true + severity-cutoff: "medium" npm-audit: name: PNPM Audit From 3fb55121a456e36962760c403b5177407c9f5a7b Mon Sep 17 00:00:00 2001 From: Giuseppe Scuglia Date: Fri, 20 Mar 2026 10:30:18 +0100 Subject: [PATCH 2/7] chore: set table format --- .github/workflows/_security-checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/_security-checks.yml b/.github/workflows/_security-checks.yml index b03d80b05..00f24d4f8 100644 --- a/.github/workflows/_security-checks.yml +++ b/.github/workflows/_security-checks.yml @@ -19,6 +19,7 @@ jobs: fail-build: true only-fixed: true severity-cutoff: "medium" + output-format: "table" npm-audit: name: PNPM Audit 
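Review bot: The new `anchore/scan-action` step narrows what this job checks: the removed Trivy inputs ran `scanners: 'vuln,secret,config'`, whereas Grype performs package-vulnerability matching only, so secret and misconfiguration scanning drop out of `_security-checks.yml` with this commit without the message saying so. If that reduction is intended, record it next to the step, e.g. `# Grype covers dependency vulnerabilities only; the secret/config scanning Trivy provided is not replaced here.`, otherwise a separate step is needed for those scanners. The remaining inputs map one-to-one (`exit-code: '1'` → `fail-build: true`, `ignore-unfixed: 'true'` → `only-fixed: true`, `severity: 'MEDIUM,HIGH,CRITICAL'` → `severity-cutoff: "medium"`). `id: grype-scan` is not referenced by any step inside the hunk; if nothing outside it reads `steps.grype-scan.outputs`, the id can be dropped.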
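Review bot: With `output-format: "table"` the findings exist only in the job log and expire with it, which makes a failing run harder to triage after the fact than a persisted report. If the repository uses GitHub code scanning, `output-format: sarif` together with an upload of the action's `sarif` output would keep results visible on the Security tab; if the table is a deliberate choice, a one-line comment on the input saying so would stop the question from resurfacing. The enclosing step's `uses:` line is outside this hunk.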
From 414bf029fe2272363b3d55343a0f6302c89b9fc8 Mon Sep 17 00:00:00 2001 From: Giuseppe Scuglia Date: Thu, 26 Mar 2026 10:16:28 +0100 Subject: [PATCH 3/7] format --- .github/workflows/_security-checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/_security-checks.yml b/.github/workflows/_security-checks.yml index 00f24d4f8..7fa5d0990 100644 --- a/.github/workflows/_security-checks.yml +++ b/.github/workflows/_security-checks.yml @@ -15,11 +15,11 @@ jobs: id: grype-scan uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 with: - path: "." + path: '.' fail-build: true only-fixed: true - severity-cutoff: "medium" - output-format: "table" + severity-cutoff: 'medium' + output-format: 'table' npm-audit: name: PNPM Audit From 4f01447a16b68e0a9c40c051dd392884ee24e65a Mon Sep 17 00:00:00 2001 From: Giuseppe Scuglia Date: Thu, 26 Mar 2026 12:22:59 +0100 Subject: [PATCH 4/7] chore: grype exclude files --- .grype.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .grype.yaml diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 000000000..36e5bc1ab --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc. +# SPDX-License-Identifier: Apache-2.0 +# +# Grype configuration for toolhive-react. +# - node_modules/: lock file is the source of truth; scanning installed packages is redundant. +# - dist/: build artifacts, not source packages. + +exclude: + - '**/node_modules/**' + - '**/dist/**' + - '**/bin/**' + - '**/out/**' + - '**/.webpack/**' + - '**/coverage/**' + - '**/playwright-report/**' + - '**/test-results/**' + - '**/test-videos/**' + - '**/.vite/**' + - '**/.cache/**' From 6be1136412e9ac2095c1f981b98452268a5023e9 Mon Sep 17 00:00:00 2001 
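Review bot: Every `exclude` entry in the new `.grype.yaml` carries a `**/` prefix, so `**/bin/**`, `**/dist/**` and `**/out/**` skip any directory with that name at any depth, not only the top-level build outputs the header comment describes; a source package that ships its own `bin/` scripts or a vendored copy with a `dist/` folder would go unscanned. If only the root directories are meant, anchor them (`./dist/**`, `./out/**`, `./bin/**`) and keep `**/` only where nesting is expected, such as `node_modules`. A `---` document-start marker at the top would match the usual YAML linting convention, though Grype does not require it.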
From: Giuseppe Scuglia Date: Thu, 26 Mar 2026 12:38:50 +0100 Subject: [PATCH 5/7] chore: add only-fixed to grype config for consistent local behaviour Co-Authored-By: Claude Sonnet 4.6 --- .grype.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index 36e5bc1ab..17722fcaa 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -5,6 +5,8 @@ # - node_modules/: lock file is the source of truth; scanning installed packages is redundant. # - dist/: build artifacts, not source packages. +only-fixed: true + exclude: - '**/node_modules/**' - '**/dist/**' From 807133b23ccc39a27fbc463dc3357ab177af6ae7 Mon Sep 17 00:00:00 2001 From: Giuseppe Scuglia Date: Thu, 26 Mar 2026 12:38:57 +0100 Subject: [PATCH 6/7] chore: add comment to explain only-fixed setting Co-Authored-By: Claude Sonnet 4.6 --- .grype.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.grype.yaml b/.grype.yaml index 17722fcaa..4388550e5 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -5,6 +5,7 @@ # - node_modules/: lock file is the source of truth; scanning installed packages is redundant. # - dist/: build artifacts, not source packages. +# Only report vulnerabilities that have a fix available — unfixed ones are noise with no actionable remedy. only-fixed: true exclude: From c20dcb39533281662f8c5adc624d7135ae2d78cc Mon Sep 17 00:00:00 2001 From: Giuseppe Scuglia Date: Thu, 26 Mar 2026 12:39:43 +0100 Subject: [PATCH 7/7] chore: update grype config comments and remove redundant only-fixed from workflow Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/_security-checks.yml | 1 - .grype.yaml | 7 +++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/_security-checks.yml b/.github/workflows/_security-checks.yml index 7fa5d0990..a36dfe16a 100644 --- a/.github/workflows/_security-checks.yml +++ b/.github/workflows/_security-checks.yml 
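Review bot: Placing `only-fixed: true` in `.grype.yaml` aligns local runs with CI on that one flag, but the gate that actually fails the workflow (`fail-build: true` with `severity-cutoff: 'medium'`) still lives only in the workflow inputs, so a local `grype .` exits zero on findings CI would reject. If consistent local behaviour is the goal, mirror the threshold here too, `fail-on-severity: medium`, next to `only-fixed`. Note that the filter now applies to every run of the tool from this directory, so unfixed findings of any severity are never displayed locally or in CI unless someone overrides it on the command line.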
@@ -17,7 +17,6 @@ jobs: with: path: '.' fail-build: true - only-fixed: true severity-cutoff: 'medium' output-format: 'table' diff --git a/.grype.yaml b/.grype.yaml index 4388550e5..0767c27db 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -2,8 +2,11 @@ # SPDX-License-Identifier: Apache-2.0 # # Grype configuration for toolhive-react. -# - node_modules/: lock file is the source of truth; scanning installed packages is redundant. -# - dist/: build artifacts, not source packages. +# - node_modules/: lock file is the source of truth; scanning installed packages is redundant. +# - dist/, out/: build artifacts produced by Vite / Electron Forge. +# - bin/: downloaded binaries (e.g. thv), scanned by their own pipelines. +# - .webpack/, .vite/, .cache/: build-tool caches, not source packages. +# - coverage/, playwright-report/, test-results/, test-videos/: test output, not source packages. # Only report vulnerabilities that have a fix available — unfixed ones are noise with no actionable remedy. only-fixed: true
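Review bot: Removing `only-fixed: true` from the step makes the CI filter depend on `anchore/scan-action` honouring the repository's `.grype.yaml`, which nothing in this hunk establishes. The action's `only-fixed` input has its own default, and whether that default is merely omitted from the grype command line or passed explicitly (and so overrides the config file) decides whether unfixed findings start failing the build; verify this against the pinned v7.3.2 before relying on it, or keep the explicit input as a harmless duplicate with a comment such as `# kept in sync with .grype.yaml`. The step's `uses:` line is outside the hunk, and the second hunk of this patch, the `.grype.yaml` comment rewrite, runs past the end of the excerpt.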