Skip to content

ci(sbom): gate grype scans on fixable vulnerabilities only#291

Merged
Charles Chiu (charliie-dev) merged 1 commit into
devfrom
feature/grype-only-fixed
Jul 16, 2026
Merged

ci(sbom): gate grype scans on fixable vulnerabilities only#291
Charles Chiu (charliie-dev) merged 1 commit into
devfrom
feature/grype-only-fixed

Conversation

@charliie-dev

Copy link
Copy Markdown
Contributor

Closes #290

問題

sbom-image.yml / sbom-source.yml 的 Grype gate(severity-cutoff: high + 預設 fail-build: true)只要掃到任一 high+ CVE 就讓 release job 失敗。但 debian-based base image 長期帶著一批 upstream 尚無修復(not-fixed / wont-fix)的 high+ CVE,對我們不可行動 → 此 gate 對任何 debian-based 鏡像基本上永遠過不了。

同時 Trivy 是 report-only(只上傳 SARIF、不設 exit code),Grype 卻是硬 gate,兩者政策不一致。

變更

Grype 掃描全面加上 only-fixed,只對「有 upstream 修復版本」的漏洞設 gate:

  • .github/workflows/sbom-image.yml — image 端 2 個 Grype 步驟(SARIF gate + JSON asset)
  • .github/workflows/sbom-source.yml — source 端 2 個 Grype 步驟
  • .mise/tasks/sbom/grype — 本機任務 --only-fixed,與 CI 對齊

不可修復的 CVE 完整清單仍由 Trivy SARIF 上傳至 Security tab,可見性不受影響。

影響範圍

meta 為共用 workflow,此政策一致套用到所有使用它的 repo(go-service / go-lib / image / frontend facade)。第一個受益者為 nics-dp/patroni#65。

Add only-fixed to the image and source Grype scans and the local sbom:grype
task. Base-image CVEs marked not-fixed/wont-fix are unactionable and would
otherwise block every release; the full unfixed set stays visible via the
Trivy SARIF upload.

Aligns Grype (the hard gate) with Trivy's report-only behaviour.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

此 PR 將 Grype gate 限縮為僅攔截已有修復版本的高風險漏洞,避免不可修復 CVE 阻擋 release。

Changes:

  • image 與 source workflow 啟用 only-fixed
  • 本機 Grype 任務同步 CI 政策
  • 保留 Trivy SARIF 的完整漏洞可見性

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
.github/workflows/sbom-image.yml image 掃描僅回報可修復漏洞
.github/workflows/sbom-source.yml source 掃描僅回報可修復漏洞
.mise/tasks/sbom/grype 本機掃描加入 --only-fixed

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@charliie-dev
Charles Chiu (charliie-dev) merged commit 25cede7 into dev Jul 16, 2026
10 checks passed
@charliie-dev
Charles Chiu (charliie-dev) deleted the feature/grype-only-fixed branch July 16, 2026 19:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci(sbom): grype gate 只對可修復漏洞設限 (only-fixed)

2 participants