From 8faa77307485b87c8c3af9db8f46bb33bc95837c Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Fri, 20 Mar 2026 11:22:22 +0200
Subject: [PATCH] chore: migrate from Trivy to Grype for vulnerability scanning

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2.
Rename trivy.yml to security-scan.yml. Drop secret scanning.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/security-scan.yml | 21 +++++++++++++++++++++
 .github/workflows/trivy.yml         | 19 -------------------
 2 files changed, 21 insertions(+), 19 deletions(-)
 create mode 100644 .github/workflows/security-scan.yml
 delete mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..51eec59
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,21 @@
+name: Security Scan
+
+on:
+  pull_request:
+
+jobs:
+  grype-security-scan:
+    runs-on: ubuntu-latest
+    name: Grype
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Security Scan
+        id: grype-scan
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
+        with:
+          path: "."
+          fail-build: true
+          only-fixed: true
+          severity-cutoff: "high"
+          output-format: "table"
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
deleted file mode 100644
index 65cd388..0000000
--- a/.github/workflows/trivy.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: Trivy Scan
-
-on:
-  pull_request:
-
-jobs:
-  trivy-code-security-scan:
-    runs-on: ubuntu-latest
-    name: Trivy
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - name: Security Scan
-        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
-        with:
-          scan-type: 'fs'
-          scanners: vuln,secret
-          exit-code: 1
-          ignore-unfixed: true
\ No newline at end of file
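Review bot: The new step narrows the failure threshold without the commit message saying so: `severity-cutoff: "high"` means medium-and-lower fixed vulnerabilities no longer block the build, whereas the removed Trivy step set no `severity` filter and, if trivy-action's default applied, failed on any severity. If that loosening is intended, a comment on the `severity-cutoff` line such as `# only high/critical fixed vulns block PRs; lower severities are reported only` would make it deliberate. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope even though checkout plus a table-format scan needs only `permissions: contents: read` at the top level. Lastly, `id: grype-scan` is referenced by no later step and can be dropped, and the secret-scanning coverage the removed `scanners: vuln,secret` line provided has no replacement in this workflow.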