ci(sbom): gate grype scans on fixable vulnerabilities only#291
Merged
Conversation
Add only-fixed to the image and source Grype scans and the local sbom:grype task. Base-image CVEs marked not-fixed/wont-fix are unactionable and would otherwise block every release; the full unfixed set stays visible via the Trivy SARIF upload. Aligns Grype (the hard gate) with Trivy's report-only behaviour.
Contributor
There was a problem hiding this comment.
Pull request overview
此 PR 將 Grype gate 限縮為僅攔截已有修復版本的高風險漏洞,避免不可修復 CVE 阻擋 release。
Changes:
- image 與 source workflow 啟用
only-fixed - 本機 Grype 任務同步 CI 政策
- 保留 Trivy SARIF 的完整漏洞可見性
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/sbom-image.yml |
image 掃描僅回報可修復漏洞 |
.github/workflows/sbom-source.yml |
source 掃描僅回報可修復漏洞 |
.mise/tasks/sbom/grype |
本機掃描加入 --only-fixed |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #290
問題
sbom-image.yml/sbom-source.yml的 Grype gate(severity-cutoff: high+ 預設fail-build: true)只要掃到任一 high+ CVE 就讓 release job 失敗。但 debian-based base image 長期帶著一批 upstream 尚無修復(not-fixed / wont-fix)的 high+ CVE,對我們不可行動 → 此 gate 對任何 debian-based 鏡像基本上永遠過不了。同時 Trivy 是 report-only(只上傳 SARIF、不設 exit code),Grype 卻是硬 gate,兩者政策不一致。
變更
Grype 掃描全面加上
only-fixed,只對「有 upstream 修復版本」的漏洞設 gate:.github/workflows/sbom-image.yml— image 端 2 個 Grype 步驟(SARIF gate + JSON asset).github/workflows/sbom-source.yml— source 端 2 個 Grype 步驟.mise/tasks/sbom/grype— 本機任務--only-fixed,與 CI 對齊不可修復的 CVE 完整清單仍由 Trivy SARIF 上傳至 Security tab,可見性不受影響。
影響範圍
meta 為共用 workflow,此政策一致套用到所有使用它的 repo(go-service / go-lib / image / frontend facade)。第一個受益者為 nics-dp/patroni#65。