diff --git a/.github/skills/security-scan-docker-image-scripts/run.sh b/.github/skills/security-scan-docker-image-scripts/run.sh index 8d868be8..e6661ff9 100755 --- a/.github/skills/security-scan-docker-image-scripts/run.sh +++ b/.github/skills/security-scan-docker-image-scripts/run.sh @@ -35,7 +35,7 @@ fi # Check Grype if ! command -v grype >/dev/null 2>&1; then log_error "Grype not found - install from: https://github.com/anchore/grype" - log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.85.0" + log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.0" error_exit "Grype is required for vulnerability scanning" 2 fi @@ -51,7 +51,7 @@ GRYPE_INSTALLED_VERSION=$(grype version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9] # Set defaults matching CI workflow set_default_env "SYFT_VERSION" "v1.17.0" -set_default_env "GRYPE_VERSION" "v0.85.0" +set_default_env "GRYPE_VERSION" "v0.107.0" set_default_env "IMAGE_TAG" "charon:local" set_default_env "FAIL_ON_SEVERITY" "Critical,High" diff --git a/.github/skills/security-scan-docker-image.SKILL.md b/.github/skills/security-scan-docker-image.SKILL.md index ed6d1073..a6cfe1e5 100644 --- a/.github/skills/security-scan-docker-image.SKILL.md +++ b/.github/skills/security-scan-docker-image.SKILL.md @@ -40,7 +40,7 @@ environment_variables: required: false - name: "GRYPE_VERSION" description: "Grype version to use for vulnerability scanning" - default: "v0.85.0" + default: "v0.107.0" required: false - name: "IMAGE_TAG" description: "Docker image tag to build and scan" 
@@ -145,7 +145,7 @@ brew install syft # macOS ```bash # Linux/macOS -curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.85.0 +curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.0 # Or via package manager brew install grype # macOS @@ -191,7 +191,7 @@ Override default versions or behavior: ```bash # Use specific tool versions -SYFT_VERSION=v1.17.0 GRYPE_VERSION=v0.85.0 \ +SYFT_VERSION=v1.17.0 GRYPE_VERSION=v0.107.0 \ .github/skills/scripts/skill-runner.sh security-scan-docker-image # Change failure threshold @@ -211,7 +211,7 @@ FAIL_ON_SEVERITY="Critical" \ | Variable | Required | Default | Description | |----------|----------|---------|-------------| | SYFT_VERSION | No | v1.17.0 | Syft version (matches CI) | -| GRYPE_VERSION | No | v0.85.0 | Grype version (matches CI) | +| GRYPE_VERSION | No | v0.107.0 | Grype version (matches CI) | | IMAGE_TAG | No | charon:local | Default image tag if not provided | | FAIL_ON_SEVERITY | No | Critical,High | Severities that cause exit code 1 | @@ -239,7 +239,7 @@ FAIL_ON_SEVERITY="Critical" \ [SBOM] Generating SBOM using Syft v1.17.0... [SBOM] Generated SBOM contains 247 packages -[SCAN] Scanning for vulnerabilities using Grype v0.85.0... +[SCAN] Scanning for vulnerabilities using Grype v0.107.0... [SCAN] Vulnerability Summary: 🔴 Critical: 0 🟠 High: 0 @@ -266,7 +266,7 @@ $ .github/skills/scripts/skill-runner.sh security-scan-docker-image [SBOM] Scanning image: charon:local [SBOM] Generated SBOM contains 247 packages -[SCAN] Scanning for vulnerabilities using Grype v0.85.0... +[SCAN] Scanning for vulnerabilities using Grype v0.107.0... [SCAN] Vulnerability Summary: 🔴 Critical: 0 🟠 High: 2 
@@ -413,7 +413,7 @@ Solution: Install Syft v1.17.0 using installation instructions above **Grype not installed**: ```bash [ERROR] Grype not found - install from: https://github.com/anchore/grype -Solution: Install Grype v0.85.0 using installation instructions above +Solution: Install Grype v0.107.0 using installation instructions above ``` **Build failure**: @@ -476,7 +476,7 @@ This skill **exactly replicates** the supply-chain-pr.yml workflow: | Build Image | ✅ Docker build | ✅ Docker build | ✅ | | Load Image | ✅ Load from artifact | ✅ Use built image | ✅ | | Syft Version | v1.17.0 | v1.17.0 | ✅ | -| Grype Version | v0.85.0 | v0.85.0 | ✅ | +| Grype Version | v0.107.0 | v0.107.0 | ✅ | | SBOM Format | CycloneDX JSON | CycloneDX JSON | ✅ | | Scan Target | Docker image | Docker image | ✅ | | Severity Counts | Critical/High/Medium/Low | Critical/High/Medium/Low | ✅ | @@ -571,7 +571,7 @@ Verify versions match: ```bash syft version # Should be v1.17.0 -grype version # Should be v0.85.0 +grype version # Should be v0.107.0 ``` Update if needed: @@ -579,7 +579,7 @@ Update if needed: ```bash # Reinstall specific versions curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.17.0 -curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.85.0 +curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.107.0 ``` ## Notes diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index b85d05dd..5d1bc8a2 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -31,7 +31,7 @@ env: DOCKERHUB_REGISTRY: docker.io IMAGE_NAME: wikid82/charon SYFT_VERSION: v1.17.0 - GRYPE_VERSION: v0.85.0 + GRYPE_VERSION: v0.107.0 jobs: build-and-push: diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml index 7cc3d859..77e64de8 100644 
--- a/.github/workflows/supply-chain-pr.yml +++ b/.github/workflows/supply-chain-pr.yml @@ -21,7 +21,7 @@ concurrency: env: SYFT_VERSION: v1.17.0 - GRYPE_VERSION: v0.85.0 + GRYPE_VERSION: v0.107.0 permissions: contents: read diff --git a/docs/implementation/DOCKER_IMAGE_SCAN_SKILL_COMPLETE.md b/docs/implementation/DOCKER_IMAGE_SCAN_SKILL_COMPLETE.md index 9d4bfcc6..4625061b 100644 --- a/docs/implementation/DOCKER_IMAGE_SCAN_SKILL_COMPLETE.md +++ b/docs/implementation/DOCKER_IMAGE_SCAN_SKILL_COMPLETE.md @@ -26,7 +26,7 @@ Successfully created a comprehensive Agent Skill that closes a critical security - **Size**: 18KB comprehensive documentation - **Features**: - Complete metadata (name, version, description, author, license) - - Tool requirements (Docker 24.0+, Syft v1.17.0, Grype v0.85.0) + - Tool requirements (Docker 24.0+, Syft v1.17.0, Grype v0.107.0) - Environment variables with CI-aligned defaults - Parameters for image tag and build options - Detailed usage examples and troubleshooting @@ -82,10 +82,10 @@ Application: syft Version: 1.17.0 BuildDate: 2024-11-21T14:39:38Z -# Grype v0.85.0 installed +# Grype v0.107.0 installed $ grype version Application: grype -Version: 0.85.0 +Version: 0.107.0 BuildDate: 2024-11-21T15:21:23Z Syft Version: v1.17.0 ``` @@ -109,8 +109,8 @@ $ .github/skills/scripts/skill-runner.sh security-scan-docker-image test-quick [ENVIRONMENT] Validating prerequisites [INFO] Installed Syft version: 1.17.0 [INFO] Expected Syft version: v1.17.0 -[INFO] Installed Grype version: 0.85.0 -[INFO] Expected Grype version: v0.85.0 +[INFO] Installed Grype version: 0.107.0 +[INFO] Expected Grype version: v0.107.0 [INFO] Image tag: test-quick [INFO] Fail on severity: Critical,High [BUILD] Building Docker image: test-quick 
@@ -128,7 +128,7 @@ $ .github/skills/scripts/skill-runner.sh security-scan-docker-image test-quick |------|------------|------------|-------| | Build Image | ✅ Docker build | ✅ Docker build | ✅ | | Syft Version | v1.17.0 | v1.17.0 | ✅ | -| Grype Version | v0.85.0 | v0.85.0 | ✅ | +| Grype Version | v0.107.0 | v0.107.0 | ✅ | | SBOM Format | CycloneDX JSON | CycloneDX JSON | ✅ | | Scan Target | Docker image | Docker image | ✅ | | Severity Counts | Critical/High/Medium/Low | Critical/High/Medium/Low | ✅ | @@ -243,7 +243,7 @@ Solution: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install ```bash [ERROR] Grype not found Solution: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \ - sh -s -- -b /usr/local/bin v0.85.0 + sh -s -- -b /usr/local/bin v0.107.0 ``` **Version mismatch**:
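Review bot: In the `docs/implementation/DOCKER_IMAGE_SCAN_SKILL_COMPLETE.md` hunk at `@@ -82,10 +82,10 @@`, only the `Version:` line of the captured `grype version` output was edited, while `BuildDate: 2024-11-21T15:21:23Z` and `Syft Version: v1.17.0` are left untouched. Those lines are printed by the binary, and a v0.107.0 build will not report the same build date as the v0.85.0 build it replaces, so the block no longer shows real output. Re-run `grype version` with the new release installed and paste the actual result rather than hand-editing the version number, and do the same for the `[INFO] Installed Grype version: 0.107.0` line in the `@@ -109,8 +109,8 @@` hunk.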
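Review bot: The install hint repeated in `run.sh` (`@@ -35,7 +35,7 @@`) and in `security-scan-docker-image.SKILL.md` (`@@ -145,7 +145,7 @@` and `@@ -579,7 +579,7 @@`) pins the Grype release (`v0.107.0`) but fetches `install.sh` from the `main` branch and pipes it straight to `sh`, so the installer itself is unpinned and unverified even though the tool version is. Since this skill is meant to "exactly replicate" the supply-chain workflow, consider documenting a pinned installer (a tagged ref for `install.sh`, or downloading the release archive and checking its published checksum) so that the local path gets the same supply-chain guarantees the CI job is supposed to enforce.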
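Review bot: The same `GRYPE_VERSION` value is now maintained by hand in at least six places across this patch (`run.sh` default and error message, the `env:` blocks of `docker-build.yml` and `supply-chain-pr.yml`, the SKILL.md metadata default, and several tables and example transcripts in the docs), and this change is exactly the kind of sweep that drifts when one copy is missed. Consider sourcing the two workflows and the skill script from a single definition (for example a shared `.env`-style file or a documented single source that the tables reference) so the next bump is a one-line change, and the "matches CI" claims in the tables stay true by construction rather than by inspection.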