akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
Files
eec8c28fb3c2e8c0bc387bb3139184b8d67f1b21
Charon/docs/plans/archive/supply_chain_fix.md
akanealw eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Details
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Details
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Details
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
Details
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
Details
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
Details
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Details
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Details
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Details
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Details
Quality Checks / Backend (Go) (push) Has been cancelled
Details
Quality Checks / Frontend (React) (push) Has been cancelled
Details
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Details
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Details
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
Details
WAF integration / Coraza WAF Integration (push) Has been cancelled
Details
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Details
Repo Health Check / Repo health (push) Has been cancelled
Details
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Details
Prune Renovate Branches / prune (push) Has been cancelled
Details
Renovate / renovate (push) Has been cancelled
Details
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Details
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Details
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Details
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Details
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
Details
changed perms
2026-04-22 18:19:14 +00:00

5.1 KiB
Executable File
Raw Blame History

Plan: Fix Supply Chain Vulnerability Reporting

Objective

Fix the supply-chain-pr.yml workflow where PR comments report 0 vulnerabilities despite known CVEs, and ensure the workflow correctly fails on critical vulnerabilities.

Context

The current workflow uses anchore/scan-action to scan for vulnerabilities. However, there are potential issues with:

  1. Output File Handling: The workflow assumes results.json is created, but anchore/scan-action with output-format: json might not produce this file by default without an explicit output-file parameter or capturing output.
  2. Parsing Logic: If the file is missing, the jq parsing gracefully falls back to 0, masking the error.
  3. Failure Condition: The failure step references ${{ steps.grype-scan.outputs.critical_count }}, which likely does not exist on the anchore/scan-action step. It should reference the calculated output from the parsing step.

Research & Diagnosis Steps

1. Debug Output paths

We need to verify if results.json is actually generated.

  • Action: Add a step to list files in the workspace immediately after the scan.
  • Action: Add a debug cat of the results file if it exists, or header of it.

2. Verify anchore/scan-action behavior

The anchore/scan-action (v7.3.2) documentation suggests that output-format is used, but typically it defaults to results.[format]. However, explicit output-file prevents ambiguity.

Implementation Plan

Phase 1: Robust Path & Debugging

  1. Explicit Output File: Modify the anchore/scan-action step to explicitly set output-format: json AND likely we should try to rely on the default behavior but check it. Actually, better practice: The action supports output-format as a list. If we want a file, we usually just look for it. Correction: We will explicitly check for the file and fail if missing, rather than defaulting to 0.
  2. List Files: Add ls -la after scan to see exactly what files are created.

Phase 2: Fix Logic Errors

  1. Update "Fail on critical vulnerabilities" step:
    • Change ${{ steps.grype-scan.outputs.critical_count }} to ${{ steps.vuln-summary.outputs.critical_count }}.
  2. Robust jq parsing:
    • In Process vulnerability results, explicitly check for existence of results.json (or whatever the action outputs).
    • If missing, EXIT 1 instead of setting counts to 0. This forces us to fix the path issue rather than silently passing.
    • Use tee or cat to print the first few lines of the JSON to stdout for debugging logs.

Phase 3: Validation

  1. Run the workflow on a PR (or simulate via push).
  2. Verify the PR comment shows actual numbers.
  3. Verify the workflow fails if critical vulnerabilities are found (or we can lower the threshold to test).

Detailed Changes

supply-chain-pr.yml

      # ... inside steps ...

      - name: Scan for vulnerabilities
        if: steps.set-target.outputs.image_name != ''
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        id: grype-scan
        with:
          sbom: sbom.cyclonedx.json
          fail-build: false
          output-format: json
          # We might need explicit output selection implies asking for 'json' creates 'results.json'

      - name: Debug Output Files
        if: steps.set-target.outputs.image_name != ''
        run: |
            echo "📂 Listing workspace files:"
            ls -la

      - name: Process vulnerability results
        if: steps.set-target.outputs.image_name != ''
        id: vuln-summary
        run: |
          # The scan-action output behavior verification
          JSON_RESULT="results.json"
          SARIF_RESULT="results.sarif"

          # [NEW] Check if scan actually produced output
          if [[ ! -f "$JSON_RESULT" ]]; then
             echo "❌ Error: $JSON_RESULT not found!"
             echo "Available files:"
             ls -la
             exit 1
          fi

          mv "$JSON_RESULT" grype-results.json

          # Debug content (head)
          echo "📄 Grype JSON Preview:"
          head -n 20 grype-results.json

          # ... existing renaming for sarif ...

          # ... existing jq logic, but remove 'else' block for missing file since we exit above ...

      # ...

      - name: Fail on critical vulnerabilities
        if: steps.set-target.outputs.image_name != ''
        run: |
          # [FIX] Use the output from the summary step, NOT the scan step
          CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"

          if [[ "${CRITICAL_COUNT}" -gt 0 ]]; then
            echo "🚨 Found ${CRITICAL_COUNT} CRITICAL vulnerabilities!"
            echo "Please review the vulnerability report and address critical issues before merging."
            exit 1
          fi

Acceptance Criteria

  • Workflow "Fail on critical vulnerabilities" uses steps.vuln-summary.outputs.critical_count.
  • Process vulnerability results step fails if the scan output file is missing.
  • Debug logging (ls -la) is present to confirm file placement.
Reference in New Issue View Git Blame Copy Permalink