Document retrieving vulnerability scan results via the Vendor API#4224
Open
osc135 wants to merge 2 commits into
Add a how-to section to the Security Center topic covering how to retrieve Grype scan results and SBOMs programmatically through the Replicated Vendor API, for use in CI/CD pipelines that gate promotion on vulnerabilities. Covers the scan-raw, scan, and sbom SecureBuild endpoints, evaluating results with jq, and an example GitHub Actions gating workflow. All examples use the raw token in the Authorization header (no Bearer prefix), which is what the Vendor API expects. sc-134722
Split long sentences to stay under 26 words, replace passive 'are addressed', avoid the flagged word 'severities', spell out SPDX on first use, and rename the workflow heading to sentence case. sc-134722
## What

Adds a "Retrieve scan results with the Vendor API" how-to section to the bottom of the Security Center topic (`docs/vendor/security-center-about.mdx`). It documents how to retrieve Grype vulnerability scan results and SBOMs programmatically through the Replicated Vendor API, so vendors can gate CI/CD promotions on vulnerabilities.

The section covers:

- `Authorization` header format.
- `channelSequence`.
- `scan-raw` (full Grype output), `scan` (summarized counts incl. `fixed_counts`), and `sbom` (SPDX 2.3).
- `jq` filters and saving a CVE report.

## Validation
The flow was validated end-to-end against the production Vendor API. Key corrections baked into the doc versus the original draft:
- `Authorization` header (no `Bearer` prefix) — a `Bearer` prefix returns `401`.
- `scan_status` terminal value is `succeeded` (not `complete`); non-terminal states leave `result` null.
- `channelSequence` comes from the API promote response (the CLI promote does not print it).
- `jq` filters are null-safe (`.result?.matches[]?`) so a pending scan doesn't error and silently skip the gate.
- `/scan` (`fixed_counts`) and `/sbom` (`{sboms:{"image:tag":{sbom:"<SPDX string>"}}}`) response shapes.

Placed at the bottom of the existing Security Center page for now; it can be split into its own topic as the feature matures.
sc-134722
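The gating logic the description validates, as an added example that is not code from this PR or from the Replicated docs. It assumes only the response shape stated above (`scan_status` with terminal value `succeeded`, `result` holding the Grype JSON or null) and Grype's own match fields (`vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.state`, `artifact.name`); the sample responses are constructed. It mirrors the null-safe `.result?.matches[]?` filter in Python and shows why the status check must come first: on a pending scan the null-safe filter reports zero findings, so a gate that only counts matches would pass.

```python
"""Gate a CI/CD promotion on a Vendor API scan-raw response (added example)."""
import json

# Grype severities ranked so a threshold like "High" can be compared numerically.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": 0}

# Constructed sample responses, not real Vendor API output. Shape assumed from the PR description.
SCAN_DONE = json.loads("""{"scan_status": "succeeded", "result": {"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"state": "fixed", "versions": ["1.2.4"]}},
   "artifact": {"name": "libexample", "version": "1.2.3"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "High", "fix": {"state": "not-fixed", "versions": []}},
   "artifact": {"name": "toolx", "version": "0.9"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low", "fix": {"state": "fixed", "versions": ["2.0"]}},
   "artifact": {"name": "libother", "version": "1.0"}}]}}""")
SCAN_PENDING = json.loads('{"scan_status": "pending", "result": null}')
SCAN_CLEAN = json.loads('{"scan_status": "succeeded", "result": {"matches": []}}')


def matches(resp):
    """Null-safe, like the jq filter .result?.matches[]?: a null result yields an empty list."""
    return (resp.get("result") or {}).get("matches") or []


def count_at_or_above(resp, min_severity):
    """Number of matches whose severity is at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return sum(1 for m in matches(resp)
               if SEVERITY_RANK.get(m["vulnerability"]["severity"], 0) >= floor)


def gate_promotion(resp, min_severity="High"):
    """Return (allowed, reason). Fails closed: a non-terminal scan_status blocks promotion,
    because the null-safe filter would otherwise report zero findings for a scan that never finished."""
    status = resp.get("scan_status")
    if status != "succeeded":
        return False, f"scan not finished (scan_status={status}); refusing to promote"
    n = count_at_or_above(resp, min_severity)
    if n:
        return False, f"{n} finding(s) at {min_severity} or above"
    return True, "no findings at or above threshold"


def cve_report(resp):
    """Rows of (id, severity, package, fix state), suitable for saving as a CI artifact."""
    return [(m["vulnerability"]["id"], m["vulnerability"]["severity"],
             f'{m["artifact"]["name"]}@{m["artifact"]["version"]}', m["vulnerability"]["fix"]["state"])
            for m in matches(resp)]


if __name__ == "__main__":
    for name, resp in (("done", SCAN_DONE), ("pending", SCAN_PENDING), ("clean", SCAN_CLEAN)):
        print(name, gate_promotion(resp, "High"))
```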