
Commit 12e7024

committed
Only fixed vulnerabilities
Signed-off-by: sandhi <sagarwal@progress.com>
1 parent 0645fa2 commit 12e7024

4 files changed

Lines changed: 45 additions & 29 deletions


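--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -963,7 +963,7 @@ jobs:
 run-grype-image:
 name: 'Grype Docker image scan'
 if: ${{ inputs.perform-grype-image-scan }}
-uses: chef/common-github-actions/.github/workflows/grype.yml@main
+uses: chef/common-github-actions/.github/workflows/grype.yml@sandhi/add-hab-grype
 needs: checkout
 secrets: inherit
 with: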
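Review bot: The reusable workflow is now pinned to a personal feature branch, `uses: chef/common-github-actions/.github/workflows/grype.yml@sandhi/add-hab-grype`, instead of `@main`. A branch ref is mutable and a personal branch can be rebased or deleted, so every caller of this workflow runs whatever that branch holds at run time and breaks once the branch is gone. If this is a temporary pin for testing, it should go back to `@main` (or, better, a release tag or full commit SHA) before merge; the commit message "Only fixed vulnerabilities" does not mention this change at all.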

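--- a/.github/workflows/grype-hab-package-scan.yml
+++ b/.github/workflows/grype-hab-package-scan.yml
@@ -155,7 +155,9 @@ jobs:
 source results/last_build.env
 cat results/last_build.env
 echo "BUILT_PACKAGE=${pkg_ident}" >> $GITHUB_ENV
+echo "BUILT_PKG_PATH=/hab/pkgs/${pkg_ident}" >> $GITHUB_ENV
 echo "Built package: ${pkg_ident}"
+echo "Installed Path: /hab/pkgs/${pkg_ident}"
 
 - name: Install Grype
 continue-on-error: true
@@ -208,25 +210,23 @@ jobs:
 # Use built package if available, otherwise use input package name
 if [ -n "${BUILT_PACKAGE}" ]; then
 SCAN_PACKAGE="${BUILT_PACKAGE}"
-PKG_PATH="/hab/pkgs/${SCAN_PACKAGE}"
+# PKG_PATH="/hab/pkgs/${SCAN_PACKAGE}"
+PKG_PATH="${BUILT_PKG_PATH}"
 else
 SCAN_PACKAGE="${{ inputs.hab_origin }}/${{ inputs.hab_package }}"
 PKG_PATH=$(hab pkg path ${SCAN_PACKAGE})
 fi
 
 echo "Scanning package at: ${PKG_PATH}"
 
-# Run grype scan (display in logs)
-grype dir:$PKG_PATH --name ${SCAN_PACKAGE}
-
 # Save results to files
 OUTPUT_FILE="grype-results-linux-${SCAN_PACKAGE}.txt"
 OUTPUT_FILE="${OUTPUT_FILE//\//-}"
-grype dir:$PKG_PATH --name ${SCAN_PACKAGE} > $OUTPUT_FILE
+grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed --output table > $OUTPUT_FILE
 
 JSON_FILE="grype-results-linux-${SCAN_PACKAGE}.json"
 JSON_FILE="${JSON_FILE//\//-}"
-grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --output json > $JSON_FILE
+grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed --output json > $JSON_FILE
 
 echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV
 echo "JSON_FILE=$JSON_FILE" >> $GITHUB_ENV
@@ -335,8 +335,14 @@ jobs:
 if: ${{ inputs.build_package == true }}
 run: |
 . ./results/last_build.ps1
+cat ./results/last_build.ps1
+$PkgIdentPath = $pkg_ident -replace '/', '\'
+$RepoName = "${{ github.event.repository.name }}"
+$InstalledPath = "D:\hab\studios\a--${RepoName}--${RepoName}\hab\pkgs\$PkgIdentPath"
 echo "BUILT_PACKAGE=$pkg_ident" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+echo "BUILT_PKG_PATH=$InstalledPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 Write-Host "Built package: $pkg_ident"
+Write-Host "Installed Path: $InstalledPath"
 
 - name: Install Grype (Windows)
 continue-on-error: true
@@ -352,6 +358,15 @@ jobs:
 echo "$grypeDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 
 & "$grypeDir\grype.exe" version
+
+# Create grype config to ignore unfixable vulnerabilities
+@"
+match:
+exclude:
+- fix-state: wont-fix
+- fix-state: not-fixed
+- fix-state: unknown
+"@ | Out-File -FilePath ".grype.yaml" -Encoding utf8
 
 - name: Generate Artifact Name
 run: |
@@ -393,25 +408,23 @@ jobs:
 # Use built package if available, otherwise use input package name
 if ($env:BUILT_PACKAGE) {
 $ScanPackage = $env:BUILT_PACKAGE
-$PkgPath = "D:\\hab\\studios\\a--${{ inputs.hab_package }}--${{ inputs.hab_package }}\/hab/pkgs/${ScanPackage}"
+# $PkgPath = "D:\\hab\\studios\\a--${{ inputs.hab_package }}--${{ inputs.hab_package }}\/hab/pkgs/${ScanPackage}"
+$PkgPath = $env:BUILT_PKG_PATH
 } else {
 $ScanPackage = "${{ inputs.hab_origin }}/${{ inputs.hab_package }}"
 $PkgPath = hab pkg path $ScanPackage
 }
 
 Write-Host "Scanning package at: $PkgPath"
 
-# Run grype scan (display in logs)
-grype dir:$PkgPath --name $ScanPackage
-
 # Save results to files
 $OutputFile = "grype-results-windows-$ScanPackage.txt"
 $OutputFile = $OutputFile -replace '/', '-'
-grype dir:$PkgPath --name $ScanPackage | Out-File -FilePath $OutputFile -Encoding utf8
+grype dir:$PkgPath --name $ScanPackage --only-fixed --output table | Out-File -FilePath $OutputFile -Encoding utf8
 
 $JsonFile = "grype-results-windows-$ScanPackage.json"
 $JsonFile = $JsonFile -replace '/', '-'
-grype dir:$PkgPath --name $ScanPackage --output json | Out-File -FilePath $JsonFile -Encoding utf8
+grype dir:$PkgPath --name $ScanPackage --only-fixed --output json | Out-File -FilePath $JsonFile -Encoding utf8
 
 echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 echo "JSON_FILE=$JsonFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
@@ -522,12 +535,23 @@ jobs:
 run: |
 source results/last_build.env
 echo "BUILT_PACKAGE=${pkg_ident}" >> $GITHUB_ENV
+echo "BUILT_PKG_PATH=/hab/pkgs/${pkg_ident}" >> $GITHUB_ENV
 echo "Built package: ${pkg_ident}"
+echo "Installed Path: /hab/pkgs/${pkg_ident}"
 
 - name: Install Grype
 continue-on-error: true
 run: |
 curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin
+
+# Create grype config to ignore unfixable vulnerabilities
+cat > .grype.yaml << 'EOF'
+match:
+exclude:
+- fix-state: wont-fix
+- fix-state: not-fixed
+- fix-state: unknown
+EOF
 
 - name: Generate Artifact Name
 run: |
@@ -568,24 +592,23 @@ jobs:
 # Use built package if available, otherwise use input package name
 if [ -n "${BUILT_PACKAGE}" ]; then
 SCAN_PACKAGE="${BUILT_PACKAGE}"
+PKG_PATH="${BUILT_PKG_PATH}"
 else
 SCAN_PACKAGE="${{ inputs.hab_origin }}/${{ inputs.hab_package }}"
+PKG_PATH=$(hab pkg path ${SCAN_PACKAGE})
 fi
 
-PKG_PATH=$(hab pkg path ${SCAN_PACKAGE})
 echo "Scanning package at: ${PKG_PATH}"
 
-# Run grype scan (display in logs)
-grype dir:$PKG_PATH --name ${SCAN_PACKAGE}
 
 # Save results to files
 OUTPUT_FILE="grype-results-macos-${SCAN_PACKAGE}.txt"
 OUTPUT_FILE="${OUTPUT_FILE//\//-}"
-grype dir:$PKG_PATH --name ${SCAN_PACKAGE} > $OUTPUT_FILE
+grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed --output table > $OUTPUT_FILE
 
 JSON_FILE="grype-results-macos-${SCAN_PACKAGE}.json"
 JSON_FILE="${JSON_FILE//\//-}"
-grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --output json > $JSON_FILE
+grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed --output json > $JSON_FILE
 
 echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV
 echo "JSON_FILE=$JSON_FILE" >> $GITHUB_ENV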
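Review bot: `--only-fixed` on the table and JSON commands (new lines 225 and 229 of the Linux job, and the Windows and macOS equivalents) drops every match without a vendor fix from the saved artifacts as well as from the log, so a critical finding that has no fix is no longer recorded anywhere; the same filter is applied to the image scan in grype.yml. Consider writing the unfiltered JSON to the artifact and using `--only-fixed` only for the output that gates the job, or at least state the policy next to the `# Save results to files` comment, e.g. `# Only vulnerabilities with an available fix are reported; unfixed findings are intentionally excluded`. The `.grype.yaml` written in the Windows and macOS install steps under `match: exclude:` is not created for the Linux job and, if grype honours that key at all (its documented ignore rules live under a top-level `ignore:` list, worth verifying against the grype version installed), it only duplicates `--only-fixed`; pick one mechanism and apply it on all three platforms. The commented-out `# PKG_PATH="/hab/pkgs/${SCAN_PACKAGE}"` and `# $PkgPath = "D:\\hab\\studios\\..."` lines should be deleted rather than kept beside their replacements. The Windows `$InstalledPath` hard-codes `D:\hab\studios\a--${RepoName}--${RepoName}\hab\pkgs\...`, which appears to depend on the studio layout produced by an earlier step outside these hunks, so a one-line comment naming where that path convention comes from would help the next maintainer.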

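--- a/.github/workflows/grype.yml
+++ b/.github/workflows/grype.yml
@@ -125,8 +125,8 @@ jobs:
 for IMAGE_NAME in $IMAGES; do
 echo ""
 echo "Scanning Docker image: $IMAGE_NAME"
-grype "$IMAGE_NAME" --name "$SCAN_NAME-$(basename $IMAGE_NAME)" --output json >> grype-scan.json
-grype "$IMAGE_NAME" --name "$SCAN_NAME-$(basename $IMAGE_NAME)" --output table >> grype-scan.log || true
+grype "$IMAGE_NAME" --name "$SCAN_NAME-$(basename $IMAGE_NAME)" --only-fixed --output json >> grype-scan.json
+grype "$IMAGE_NAME" --name "$SCAN_NAME-$(basename $IMAGE_NAME)" --only-fixed --output table >> grype-scan.log || true
 done
 
 - name: Check Grype results and fail if vulnerabilities found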

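--- a/.github/workflows/polaris-sast.yml
+++ b/.github/workflows/polaris-sast.yml
@@ -229,7 +229,7 @@ jobs:
 polaris_prComment_enabled: true
 polaris_branch_parent_name: 'main'
 polaris_branch_name: ${{ inputs.github-branch-name }}
-polaris_prComment_severities: "CRITICAL,HIGH,MEDIUM"
+polaris_prComment_severities: "CRITICAL,HIGH"
 github_token: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
 continue-on-error: false
 
@@ -276,15 +276,13 @@ jobs:
 # Extract total vulnerability counts from log
 HIGH_COUNT=$(grep -oP '"high":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo "0")
 CRITICAL_COUNT=$(grep -oP '"critical":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo "0")
-MEDIUM_COUNT=$(grep -oP '"medium":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo "0")
 
-echo "Found total issues - HIGH: $HIGH_COUNT, CRITICAL: $CRITICAL_COUNT, MEDIUM: $MEDIUM_COUNT"
+echo "Found total issues - HIGH: $HIGH_COUNT, CRITICAL: $CRITICAL_COUNT"
 fi
 
 # Ensure counts are numeric
 HIGH_COUNT=${HIGH_COUNT:-0}
 CRITICAL_COUNT=${CRITICAL_COUNT:-0}
-MEDIUM_COUNT=${MEDIUM_COUNT:-0}
 
 # Check for policy violations
 SHOULD_FAIL=false
@@ -298,11 +296,6 @@ jobs:
 echo "❌ Found $HIGH_COUNT HIGH vulnerabilities (policy violation)"
 SHOULD_FAIL=true
 fi
-
-if [ "$MEDIUM_COUNT" -gt 0 ]; then
-echo "⚠️ Found $MEDIUM_COUNT MEDIUM vulnerabilities (not a policy violation but should be reviewed)"
-SHOULD_FAIL=true
-fi
 
 if [ "$SHOULD_FAIL" == "true" ]; then
 exit 1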
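Review bot: Removing MEDIUM from the gate is reasonable, but deleting `MEDIUM_COUNT` entirely (the hunk at 276) also removes the count from the log line, so reviewers lose all visibility of medium findings rather than just the failure. Keep the extraction and the summary without feeding `SHOULD_FAIL`: `MEDIUM_COUNT=$(grep -oP '"medium":\s*\K\d+' "$BRIDGE_LOG" | tail -1 || echo "0")` and `echo "Found total issues - HIGH: $HIGH_COUNT, CRITICAL: $CRITICAL_COUNT, MEDIUM: $MEDIUM_COUNT (informational)"`. The removed branch set `SHOULD_FAIL=true` while its own message said MEDIUM was not a policy violation, so the deletion fixes a real contradiction; that is worth one sentence in the commit description, since "Only fixed vulnerabilities" does not cover this file's change.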
