
[Issue 16] Add Grype for vulnerability scanning #22


Merged
merged 1 commit into from
Jun 4, 2024

Conversation

SammySteiner
Contributor

Ticket

Changes

  • Added .grype.yml file to root directory
  • Added .grype.yml to the template-only-bin/install-template.sh file to transfer the .grype.yml file to repos created with the template

Context for reviewers

Tested by running grype locally on the database image and the application image, with and without the .grype.yml file, to make sure it was loading and formatted correctly.

Testing

Install and run Grype locally with and without the .grype.yml ignore file to confirm it is working as intended.
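The check the Testing section asks for, written out as an added example; this is not code from the PR or the template repo. It writes a sample .grype.yml (the keys are grype's own, but the vulnerability ID and package in the ignore rule are placeholders), then scans the same image twice, once from an empty directory with no config and once with the config passed explicitly. It assumes grype is on PATH and uses alpine:3.18 as a stand-in for the template's application and database images.

```shell
#!/bin/sh
# Added example, not code from this PR or the template repo. Scans IMAGE with
# and without a sample .grype.yml so the effect of the config is visible.
# IMAGE defaults to alpine:3.18, an assumed stand-in for the template images.
set -eu

IMAGE="${1:-alpine:3.18}"

# Write a sample .grype.yml to the path in $1 and print that path.
# The top-level keys are grype's own; the vulnerability ID and the package in
# the ignore rule are placeholders, not real findings.
write_sample_config() {
  cat > "$1" <<'EOF'
# Exit non-zero when any non-ignored match is high or critical.
fail-on-severity: high
# Hide matches that have no upstream fix yet (set to false to see them again).
only-fixed: true
# Ignore rules silence findings. Pin each rule to a package and version so it
# stops matching, and gets revisited, when the dependency is bumped.
ignore:
  - vulnerability: CVE-XXXX-YYYY   # placeholder: replace with the accepted finding
    package:
      name: example-package        # placeholder
      version: 1.2.3               # placeholder
EOF
  echo "$1"
}

# scan IMAGE WORKDIR [CONFIG]: run grype from WORKDIR, passing CONFIG with -c
# when given. The function's exit status is grype's exit status (1 when
# fail-on-severity triggers), so callers capture it with "|| rc=$?".
scan() {
  if [ -n "$3" ]; then
    (cd "$2" && grype "$1" -q -o table -c "$3")
  else
    (cd "$2" && grype "$1" -q -o table)
  fi
}

# Scan $1 twice and report both exit codes side by side.
compare_scans() {
  with_dir="$(mktemp -d)"
  without_dir="$(mktemp -d)"   # empty, so grype cannot auto-load a .grype.yml here
  cfg="$(write_sample_config "$with_dir/.grype.yml")"

  rc_without=0; scan "$1" "$without_dir" ""   || rc_without=$?
  rc_with=0;    scan "$1" "$with_dir" "$cfg" || rc_with=$?

  echo "exit code without config: $rc_without (0 expected: no fail-on-severity set)"
  echo "exit code with config:    $rc_with (1 means a non-ignored match is >= high)"
}

if command -v grype >/dev/null 2>&1; then
  compare_scans "$IMAGE"
else
  echo "grype is not installed; nothing was scanned" >&2
fi
```

The "without" scan runs in an empty directory because grype auto-loads a config from the working directory, and the "with" scan still passes `-c` explicitly so the result does not depend on that lookup. Two things worth keeping in mind once the file ships with the template: the ignore list is where accepted findings accumulate, so pin every rule to a package and version and audit them with `-o json`, which lists suppressed findings under `ignoredMatches`; and the file has no effect until a CI job actually invokes grype, which this PR leaves to the infra repo's workflow.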

@SammySteiner SammySteiner changed the title add grype.yml to root, and to install-template.sh [Issue 16] Add Grype for vulnerability scanning Jun 4, 2024
@ellery-nava
Contributor

Do we need to update the README with any instructions on installing and running Grype?
Should it be run automatically on PRs? Or are we expecting developers to run manually?

@SammySteiner
Contributor Author

Do we need to update the README with any instructions on installing and running Grype?
Should it be run automatically on PRs? Or are we expecting developers to run manually?

I haven't been on a project where developers were running it manually, unless there was a vulnerability identified by the scan, at which point you can run it locally. But I think most people were relying on the CI pipeline to run when pushing changes to the PR.

@ellery-nava
Contributor

Makes sense. Is adding this to the CI workflows part of this ticket? I'm not familiar with how much usually comes out of the box on Platform projects.

@SammySteiner
Contributor Author

Makes sense. Is adding this to the CI workflows part of this ticket? I'm not familiar with how much usually comes out of the box on Platform projects.

The ticket referenced the template-nextjs repo's implementation, which only contains the bin script update and the .grype.yml file; it assumes the CI workflow is coming from the infra repo. So I decided to use that implementation as my guide for how far to take it.

Contributor

@ellery-nava ellery-nava left a comment


Thanks for all the clarification! Approved

@SammySteiner SammySteiner merged commit 0574a54 into main Jun 4, 2024
3 checks passed
@SammySteiner SammySteiner deleted the sammysteiner/16-add-grype branch June 4, 2024 20:38
Contributor

@rocketnova rocketnova left a comment


LGTM. Thank you!

Successfully merging this pull request may close these issues.

Add grype for container scanning
3 participants