diff --git a/.github/workflows/conversations.yml b/.github/workflows/conversations.yml
index 714af829..ee8b9eae 100644
--- a/.github/workflows/conversations.yml
+++ b/.github/workflows/conversations.yml
@@ -208,25 +208,36 @@ jobs:
  - name: Run tests
  run: uv run pytest -n 2
- security-trivy-critical:
+ security-grype-critical:
  permissions:
  contents: read
  security-events: write
  runs-on: ubuntu-latest
  steps:
- - name: Run Trivy analysis for critical vulnerabilities
- # We use main branch while we might still iterate on the action
- uses: numerique-gouv/action-trivy-cache/security-trivy-critical@main
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Run Grype analysis for critical vulnerabilities
+ uses: anchore/scan-action@v6
+ id: scan
+ with:
+ path: "."
+ severity-cutoff: critical
+ fail-build: true
+ - name: Upload SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
  with:
- skip-files: src/mail/yarn.lock
+ sarif_file: ${{ steps.scan.outputs.sarif }}
- security-trivy:
+ security-grype:
  permissions:
  contents: read
  runs-on: ubuntu-latest
  steps:
- - name: Run Trivy analysis for vulnerabilities
- # We use main branch while we might still iterate on the action
- uses: numerique-gouv/action-trivy-cache/security-trivy@main
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Run Grype analysis for vulnerabilities
+ uses: anchore/scan-action@v6
  with:
- skip-files: src/mail/yarn.lock
+ path: "."
+ fail-build: false
diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index d186268a..80a00f61 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -11,7 +11,7 @@ on:
  pull_request:
  branches:
  - 'main'
- - 'ci/trivy-fails'
+ - 'ci/grype-fails'
  env:
  DOCKER_USER: 1001:127
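Review bot: The three new action references in security-grype-critical and security-grype (`actions/checkout@v4`, `anchore/scan-action@v6`, `github/codeql-action/upload-sarif@v3`) are mutable major-version tags, and the first job runs with `security-events: write`; for a job whose purpose is supply-chain scanning it would be safer to pin each `uses:` to the full commit SHA of the release, e.g. `uses: anchore/scan-action@<commit-sha-of-v6-release> # v6`, and let Dependabot or Renovate bump it. A second point: security-grype runs with `fail-build: false` and has no upload step, so its findings only live in the job log; either add the same `Upload SARIF report` step there (with `security-events: write` in its permissions) or document in a comment on the step that the job is informational only. The hunk opens inside the preceding job's `Run tests` step, so that job's definition starts outside it.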
@@ -40,11 +40,14 @@ jobs:
  username: ${{ secrets.DOCKER_HUB_USER }}
  password: ${{ secrets.DOCKER_HUB_PASSWORD }}
  -
- name: Run trivy scan
- uses: numerique-gouv/action-trivy-cache@main
+ name: Build backend image for scanning
+ run: docker build --target backend-production -f Dockerfile -t conversations-backend:scan .
+ -
+ name: Run Grype scan
+ uses: anchore/scan-action@v6
  with:
- docker-build-args: '--target backend-production -f Dockerfile'
- docker-image-name: 'docker.io/lasuite/conversations-backend:${{ github.sha }}'
+ image: conversations-backend:scan
+ fail-build: false
  - name: Build and push
  if: always()
@@ -80,11 +83,14 @@ jobs:
  username: ${{ secrets.DOCKER_HUB_USER }}
  password: ${{ secrets.DOCKER_HUB_PASSWORD }}
  -
- name: Run trivy scan
- uses: numerique-gouv/action-trivy-cache@main
+ name: Build frontend image for scanning
+ run: docker build -f src/frontend/Dockerfile --target frontend-production -t conversations-frontend:scan .
+ -
+ name: Run Grype scan
+ uses: anchore/scan-action@v6
  with:
- docker-build-args: '-f src/frontend/Dockerfile --target frontend-production'
- docker-image-name: 'docker.io/lasuite/conversations-frontend:${{ github.sha }}'
+ image: conversations-frontend:scan
+ fail-build: false
  - name: Build and push
  if: always()
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 00000000..7950aa53
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,2 @@
+exclude:
+ - "src/mail/yarn.lock"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62516d6b..be1aefd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ and this project adheres to
 ## [Unreleased]
+### Changed
+
+- 👷(ci) replace trivy by grype for vulnerability scanning
+
 ### Fixed
 - 💄(ui) little fix margin top
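Review bot: In both docker-hub hunks (`@@ -40` and `@@ -83`) the new Grype step runs with `fail-build: false`, has no SARIF upload, and is followed by the pre-existing `Build and push` step guarded by `if: always()`, so a finding of any severity neither blocks nor records anything beyond the job log before the image is published. If the scan is meant as a gate, set `fail-build: true` with a `severity-cutoff` and drop `if: always()` from the push step; if it is informational, say so in a comment on the step and consider uploading the SARIF as conversations.yml does, so findings are at least visible in the repository. Separately, the image that is scanned (`conversations-backend:scan`, built by its own `docker build`) is not the image that is pushed, which presumably comes from the later build step outside the hunk, so the scan does not strictly cover the published artifact; building once and tagging the same image for both steps would close that gap. The `image:` input names a locally built tag, which I believe the action resolves from the local Docker daemon rather than a registry, but that is worth confirming against the action's documentation.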
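Review bot: The new `.grype.yaml` excludes `src/mail/yarn.lock` without saying why, and an exclusion in a vulnerability-scanner config is exactly the line a future reader will question; add `# <reason the mail yarn.lock is skipped, with a tracking issue if any>` above the entry so the suppressed scope is deliberate and reviewable. Grype's `exclude` entries are glob patterns matched against paths relative to the scan root, so this pattern applies to the `path: "."` scans in conversations.yml; whether it also matches inside the container images scanned by docker-hub.yml depends on where the lockfile ends up in the image filesystem, which the diff does not show. The file is also only honoured if the action's bundled Grype looks for `.grype.yaml` in the checked-out working directory, which I believe it does but have not verified here.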