diff --git a/.github/skills/security-scan-docker-image-scripts/run.sh b/.github/skills/security-scan-docker-image-scripts/run.sh
index c77204dd..241764f0 100755
--- a/.github/skills/security-scan-docker-image-scripts/run.sh
+++ b/.github/skills/security-scan-docker-image-scripts/run.sh
@@ -139,7 +139,10 @@ log_info "This may take 30-60 seconds on first run (database download)"
 # Run Grype against the SBOM (generated from image, not filesystem)
 # This matches exactly what CI does in supply-chain-pr.yml
+# --config ensures .grype.yaml ignore rules are applied, separating
+# ignored matches from actionable ones in the JSON output
 if grype sbom:sbom.cyclonedx.json \
+ --config .grype.yaml \
 --output json \
 --file grype-results.json; then
 log_success "Vulnerability scan complete"
@@ -149,6 +152,7 @@ fi
 # Generate SARIF output for GitHub Security (matches CI)
 grype sbom:sbom.cyclonedx.json \
+ --config .grype.yaml \
 --output sarif \
 --file grype-results.sarif 2>/dev/null || true
diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index cdb3ea9b..efa049fc 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -281,7 +281,7 @@ jobs:
 echo "component_count=${COMPONENT_COUNT}" >> "$GITHUB_OUTPUT"
 echo "✅ SBOM generated with ${COMPONENT_COUNT} components"
- # Scan for vulnerabilities using manual Grype installation (pinned to v0.107.1)
+ # Scan for vulnerabilities using manual Grype installation (pinned to v0.110.0)
 - name: Install Grype
 if: steps.set-target.outputs.image_name != ''
 run: |
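Review bot: The added `--config .grype.yaml` is resolved against the caller's working directory, and nothing in the hunk checks that the file is present before `if grype sbom:sbom.cyclonedx.json \` runs; unless the script changes directory earlier (outside the hunk), an invocation from elsewhere either scans without the ignore rules or fails on config loading, depending on how the installed grype treats a missing config file — please confirm which. A single guard ahead of the scan, `[[ -f .grype.yaml ]] || { printf '%s\n' "error: .grype.yaml not found in $PWD" >&2; exit 1; }`, makes that failure explicit and keeps the "matches exactly what CI does" claim in the comment honest. The same applies to the SARIF call in the second hunk, where `2>/dev/null || true` would hide a config-load error completely. The `if`/`then` block whose body starts here continues outside the hunk.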
@@ -292,8 +292,8 @@ jobs:
 id: grype-scan
 run: |
 echo "🔍 Scanning SBOM for vulnerabilities..."
- grype sbom:sbom.cyclonedx.json -o json > grype-results.json
- grype sbom:sbom.cyclonedx.json -o sarif > grype-results.sarif
+ grype sbom:sbom.cyclonedx.json --config .grype.yaml -o json > grype-results.json
+ grype sbom:sbom.cyclonedx.json --config .grype.yaml -o sarif > grype-results.sarif
 - name: Debug Output Files
 if: steps.set-target.outputs.image_name != ''
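Review bot: With `--config .grype.yaml` on both grype lines, the ignore list that suppresses findings now lives in the same checkout the scan runs on, so if this job checks out the pull request's head (the file name suggests a PR workflow, but the checkout step is outside the hunk) a PR can edit `.grype.yaml` and have matches vanish from `grype-results.json` and the SARIF without any check failing; nothing in the step distinguishes that case from a clean scan. Worth stating next to the commands, e.g. `# .grype.yaml ignore rules apply to these results — treat edits to that file as security-relevant and review them with the scan output`, and backing it with CODEOWNERS on `.grype.yaml` or a step that flags when the PR modifies it. Surfacing grype's `ignoredMatches` count in the step summary would also make applied suppressions visible to reviewers.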