👷(ci) replace trivy by grype for vulnerability scanning

.github/workflows/conversations.yml

@@ -208,25 +208,36 @@ jobs:
       - name: Run tests
         run: uv run pytest -n 2
 
-  security-trivy-critical:
+  security-grype-critical:
     permissions:
       contents: read
       security-events: write
     runs-on: ubuntu-latest
     steps:
-      - name: Run Trivy analysis for critical vulnerabilities
-        # We use main branch while we might still iterate on the action
-        uses: numerique-gouv/action-trivy-cache/security-trivy-critical@main
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Run Grype analysis for critical vulnerabilities
+        uses: anchore/scan-action@v6
+        id: scan
+        with:
+          path: "."
+          severity-cutoff: critical
+          fail-build: true
+      - name: Upload SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          skip-files: src/mail/yarn.lock
+          sarif_file: ${{ steps.scan.outputs.sarif }}
 
-  security-trivy:
+  security-grype:
     permissions:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - name: Run Trivy analysis for vulnerabilities
-        # We use main branch while we might still iterate on the action
-        uses: numerique-gouv/action-trivy-cache/security-trivy@main
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Run Grype analysis for vulnerabilities
+        uses: anchore/scan-action@v6
         with:
-          skip-files: src/mail/yarn.lock
+          path: "."
+          fail-build: false

.github/workflows/docker-hub.yml

@@ -11,7 +11,7 @@ on:
   pull_request:
     branches:
       - 'main'
-      - 'ci/trivy-fails'
+      - 'ci/grype-fails'
 
 env:
   DOCKER_USER: 1001:127
@@ -40,11 +40,14 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USER }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
       -
-        name: Run trivy scan
-        uses: numerique-gouv/action-trivy-cache@main
+        name: Build backend image for scanning
+        run: docker build --target backend-production -f Dockerfile -t conversations-backend:scan .
+      -
+        name: Run Grype scan
+        uses: anchore/scan-action@v6
         with:
-          docker-build-args: '--target backend-production -f Dockerfile'
-          docker-image-name: 'docker.io/lasuite/conversations-backend:${{ github.sha }}'
+          image: conversations-backend:scan
+          fail-build: false
       -
         name: Build and push
         if: always()
@@ -80,11 +83,14 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USER }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
       -
-        name: Run trivy scan
-        uses: numerique-gouv/action-trivy-cache@main
+        name: Build frontend image for scanning
+        run: docker build -f src/frontend/Dockerfile --target frontend-production -t conversations-frontend:scan .
+      -
+        name: Run Grype scan
+        uses: anchore/scan-action@v6
         with:
-          docker-build-args: '-f src/frontend/Dockerfile --target frontend-production'
-          docker-image-name: 'docker.io/lasuite/conversations-frontend:${{ github.sha }}'
+          image: conversations-frontend:scan
+          fail-build: false
       -
         name: Build and push
         if: always()

.grype.yaml

@@ -0,0 +1,2 @@
+exclude:
+  - "src/mail/yarn.lock"

CHANGELOG.md

@@ -8,6 +8,10 @@ and this project adheres to
 
 ## [Unreleased]
 
+### Changed
+
+- 👷(ci) replace trivy by grype for vulnerability scanning
+
 ### Fixed
 
 - 💄(ui) little fix margin top