fix: upgrade supply-chain workflow to use modern grype binary

Replaced anchore/scan-action with manual grype v0.107.1 installation
Explicitly output scan results to avoid "file not found" errors
Updated parsing logic to read generated grype-results.json directly
Ensures latest vulnerability definitions are used for PR checks
This commit is contained in:
GitHub Actions
2026-02-06 08:42:49 +00:00
parent 28865a5f36
commit 98cf52ff57
4 changed files with 153 additions and 19 deletions

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Security
- **Supply Chain**: Enhanced PR verification workflow stability and accuracy
- **Vulnerability Reporting**: Eliminated false negatives ("0 vulnerabilities") by enforcing strict failure conditions
- **Tooling**: Switched to manual Grype installation ensuring usage of latest stable binary
- **Observability**: Improved debugging visibility for vulnerability scans and SARIF generation
### Performance
- **E2E Tests**: Reduced feature flag API calls by 90% through conditional polling optimization (Phase 2)
- Conditional skip: Exits immediately if flags already in expected state (~50% of cases)
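Review bot: the "Tooling" entry says the manual install ensures "usage of latest stable binary", but the commit message pins grype v0.107.1, so the changelog should state the pinned version rather than "latest" (a pinned version is only as current as the last bump, and readers will otherwise assume auto-updating). Consider rewording to something like "Switched to a manually installed, pinned Grype v0.107.1 binary" and, if the workflow verifies the downloaded binary's checksum, say so here, since an unverified curl-and-run install is exactly the kind of supply-chain risk this section claims to reduce. The "Vulnerability Reporting" entry would also be clearer if it named the condition that now fails the job (e.g. missing or empty grype-results.json) instead of the generic "strict failure conditions".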