fix: upgrade supply-chain workflow to use modern grype binary

Replaced anchore/scan-action with manual grype v0.107.1 installation Explicitly output scan results to avoid "file not found" errors Updated parsing logic to read generated grype-results.json directly Ensures latest vulnerability definitions are used for PR checks
2026-02-06 08:42:49 +00:00
parent 28865a5f36
commit 98cf52ff57
4 changed files with 153 additions and 19 deletions
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -286,15 +286,19 @@ jobs:
          echo "component_count=${COMPONENT_COUNT}" >> "$GITHUB_OUTPUT"
          echo "✅ SBOM generated with ${COMPONENT_COUNT} components"

-      # Scan for vulnerabilities using official Anchore action (auto-updated by Renovate)
+      # Scan for vulnerabilities using manual Grype installation (pinned to v0.107.1)
+      - name: Install Grype
+        if: steps.set-target.outputs.image_name != ''
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.1
+
      - name: Scan for vulnerabilities
        if: steps.set-target.outputs.image_name != ''
-        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        id: grype-scan
-        with:
-          sbom: sbom.cyclonedx.json
-          fail-build: false
-          output-format: json
+        run: |
+          echo "🔍 Scanning SBOM for vulnerabilities..."
+          grype sbom:sbom.cyclonedx.json -o json > grype-results.json
+          grype sbom:sbom.cyclonedx.json -o sarif > grype-results.sarif

      - name: Debug Output Files
        if: steps.set-target.outputs.image_name != ''
@@ -306,25 +310,14 @@ jobs:
        if: steps.set-target.outputs.image_name != ''
        id: vuln-summary
        run: |
-          # The scan-action outputs results.json and results.sarif
-          JSON_RESULT="results.json"
-          SARIF_RESULT="results.sarif"
-
          # Verify scan actually produced output
-          if [[ ! -f "$JSON_RESULT" ]]; then
-             echo "❌ Error: $JSON_RESULT not found!"
+          if [[ ! -f "grype-results.json" ]]; then
+             echo "❌ Error: grype-results.json not found!"
             echo "Available files:"
             ls -la
             exit 1
          fi

-          # Rename for consistency with downstream steps
-          mv "$JSON_RESULT" grype-results.json
-
-          if [[ -f "$SARIF_RESULT" ]]; then
-            mv "$SARIF_RESULT" grype-results.sarif
-          fi
-
          # Debug content (head)
          echo "📄 Grype JSON Preview:"
          head -n 20 grype-results.json