Add Grype Habitat package scan workflow with build and install modes#34

Open
sandhi18 wants to merge 3 commits into main from sandhi/add-hab-grype

Conversation

@sandhi18
Contributor

@sandhi18 sandhi18 commented Mar 12, 2026

Description

This pull request introduces a new Grype scan workflow for Habitat packages and refines vulnerability reporting in the Polaris SAST workflow. The most significant changes are the addition of configurable inputs and a dedicated job for scanning Habitat packages, as well as updates to vulnerability severity handling and reporting.

Grype Habitat package scan enhancements:

  • Added new inputs to .github/workflows/ci-main-pull-request.yml to support scanning Habitat packages, including options for origin, package, version, release, channel, and platform-specific scans (Linux, Windows, MacOS).
  • Introduced a new job run-grype-hab-package-scan in .github/workflows/ci-main-pull-request.yml that leverages a shared workflow to perform Grype scans on Habitat packages, with support for building from source or downloading from Builder.
  • Updated workflow logic to output detailed information about the Grype Habitat package scan configuration during CI runs.

Vulnerability reporting improvements:

  • Modified Polaris SAST workflow to only comment on CRITICAL and HIGH vulnerabilities, removing MEDIUM from severity reporting and related logic.

Grype scan configuration change:

  • Updated .github/workflows/grype.yml to use the --only-fixed flag for Grype scans, ensuring that only vulnerabilities with available fixes are reported.

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.
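An added sketch of the configuration the description above refers to: a caller workflow that exposes the Habitat package inputs and a `run-grype-hab-package-scan` job, plus the shared workflow it calls, which either builds the package from source or installs it from Builder and then runs Grype with `--only-fixed`. This is illustration written for this page, not the PR's own files; the input names, the step contents, the `grype-hab` job name and the `--fail-on high` threshold are assumptions, and only the file paths, the job name `run-grype-hab-package-scan` and the `--only-fixed` flag come from the description.

```yaml
# Added example, not the PR's own files. Input names, step contents and the
# severity threshold are assumptions made for illustration.

# --- File 1: .github/workflows/ci-main-pull-request.yml (caller, excerpt) ---
on:
  workflow_dispatch:
    inputs:
      hab_origin:
        description: "Habitat origin of the package to scan"
        type: string
        required: true
      hab_package:
        description: "Habitat package name"
        type: string
        required: true
      hab_version:
        description: "Version; empty means latest in the channel"
        type: string
        default: ""
      hab_release:
        description: "Release; empty means latest"
        type: string
        default: ""
      hab_channel:
        description: "Builder channel to install from"
        type: string
        default: "stable"
      hab_scan_mode:
        description: "build = build from source, install = download from Builder"
        type: choice
        options: [build, install]
        default: install
      scan_linux:
        description: "Run the Linux scan"
        type: boolean
        default: true

jobs:
  run-grype-hab-package-scan:
    if: ${{ inputs.scan_linux }}
    uses: ./.github/workflows/grype.yml      # the shared workflow below
    with:
      hab_origin: ${{ inputs.hab_origin }}
      hab_package: ${{ inputs.hab_package }}
      hab_version: ${{ inputs.hab_version }}
      hab_release: ${{ inputs.hab_release }}
      hab_channel: ${{ inputs.hab_channel }}
      hab_scan_mode: ${{ inputs.hab_scan_mode }}

# --- File 2: .github/workflows/grype.yml (shared workflow, excerpt) ---
on:
  workflow_call:
    inputs:
      hab_origin:    { type: string, required: true }
      hab_package:   { type: string, required: true }
      hab_version:   { type: string, default: "" }
      hab_release:   { type: string, default: "" }
      hab_channel:   { type: string, default: "stable" }
      hab_scan_mode: { type: string, default: "install" }

jobs:
  grype-hab:
    runs-on: ubuntu-latest
    env:
      HAB_LICENSE: accept-no-persist
      # Pass inputs through the environment rather than interpolating
      # ${{ }} into shell text, so untrusted input cannot inject commands.
      HAB_ORIGIN: ${{ inputs.hab_origin }}
      PKG_NAME: ${{ inputs.hab_package }}
      PKG_VERSION: ${{ inputs.hab_version }}
      PKG_RELEASE: ${{ inputs.hab_release }}
      PKG_CHANNEL: ${{ inputs.hab_channel }}
      SCAN_MODE: ${{ inputs.hab_scan_mode }}
    steps:
      - uses: actions/checkout@v4

      - name: Install Habitat and Grype
        # Pin or vendor these installer scripts in a real pipeline; piping a
        # remote script into a shell is itself supply-chain exposure.
        run: |
          curl -fsSL https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | sudo bash
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin

      - name: Build or install the package
        id: pkg
        run: |
          if [ "$SCAN_MODE" = "build" ]; then
            # Build mode: build the plan in this checkout, then install the
            # produced .hart; last_build.env records the exact ident built.
            hab origin key generate "$HAB_ORIGIN"
            sudo -E hab pkg build .
            sudo -E hab pkg install results/*.hart
            . results/last_build.env
            ident="$pkg_ident"
          else
            # Install mode: download the released artifact from Builder.
            ident="$HAB_ORIGIN/$PKG_NAME"
            if [ -n "$PKG_VERSION" ]; then ident="$ident/$PKG_VERSION"; fi
            if [ -n "$PKG_RELEASE" ]; then ident="$ident/$PKG_RELEASE"; fi
            sudo -E hab pkg install "$ident" --channel "$PKG_CHANNEL"
          fi
          echo "path=$(hab pkg path "$ident")" >> "$GITHUB_OUTPUT"

      - name: Grype scan (fixable vulnerabilities only)
        # --only-fixed drops findings with no available fix; --fail-on makes
        # the job fail when anything at or above the threshold remains.
        run: |
          grype "dir:${{ steps.pkg.outputs.path }}" --only-fixed --fail-on high -o table
```

The Linux-only job is shown; Windows and macOS variants would differ mainly in the runner label and the installer lines. Note the trade-off behind `--only-fixed`: it keeps the report actionable, but a CRITICAL finding with no fix yet disappears from the output, so teams that want to track unfixed issues should keep a second, non-failing scan without the flag.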

@sandhi18 force-pushed the sandhi/add-hab-grype branch 9 times, most recently from a4bd75f to 12e7024 (March 17, 2026 12:50)
@sandhi18 force-pushed the sandhi/add-hab-grype branch 5 times, most recently from 0360cbb to cd701ec (March 17, 2026 13:13)
Signed-off-by: sandhi <sagarwal@progress.com>
@sandhi18 force-pushed the sandhi/add-hab-grype branch from cd701ec to 84601da (March 17, 2026 13:19)