build(compliance): add vulnerability scanning at release time and vulnerabilities verification#2786

Open
kaysavps wants to merge 1 commit intochainloop-dev:mainfrom
kaysavps:vuln-scan-at-release

Conversation


@kaysavps kaysavps commented Feb 25, 2026

  • Run Grype on each release container image inside the existing "Generate SBOMs, upload to release and attest" step.
  • Attest SARIF results as {image}-{arch}-vulnerability-report to the release attestation.
  • Add vulnerability-management policy group (severity HIGH) to the release contract so scan results are evaluated at release time.

VEX is not used; the existing .vex files are empty and support can be added later if we add exception statements.

Please note that the GitHub Action itself has not been tested.

refs #2785

…nerabilities verification

Signed-off-by: Victoria <kaysa.vps@gmail.com>
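The severity gate that the description assigns to the release contract's vulnerability-management policy group, reproduced here as an added Python example that is not code from this PR or from the Chainloop project: it parses a SARIF report of the kind `grype -o sarif` writes and lists every finding at or above a threshold (HIGH by default). The SARIF document, the placeholder CVE identifiers and the `security-severity` rule property it reads are constructed assumptions for the example; the real evaluation happens inside Chainloop's policy engine, not in this script.

```python
"""Evaluate a SARIF vulnerability report against a severity threshold.

Added example (not Chainloop or PR code). Assumptions: each SARIF rule
carries a `security-severity` property holding a CVSS base score, and
scores map to labels using the 9.0 / 7.0 / 4.0 bands. Findings whose rule
has no score are reported as "unknown" and, by default, count as
violations rather than being silently dropped.
"""
import json
import sys
from typing import Dict, List

SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score to a severity label (assumed band boundaries)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "negligible"


def findings_from_sarif(report: dict) -> List[Dict[str, str]]:
    """Flatten a SARIF document into one record per result."""
    findings = []
    for run in report.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {rule["id"]: rule for rule in driver.get("rules", []) if "id" in rule}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            raw = rules.get(rule_id, {}).get("properties", {}).get("security-severity")
            try:
                severity = cvss_to_severity(float(raw)) if raw is not None else "unknown"
            except ValueError:
                severity = "unknown"  # non-numeric score: treat as unscored
            findings.append({
                "id": rule_id,
                "severity": severity,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def violations(report: dict, threshold: str = "high",
               include_unknown: bool = True) -> List[Dict[str, str]]:
    """Return findings at or above `threshold`; unscored ones are included by default."""
    min_rank = SEVERITY_ORDER.index(threshold)
    out = []
    for finding in findings_from_sarif(report):
        if finding["severity"] == "unknown":
            if include_unknown:
                out.append(finding)
        elif SEVERITY_ORDER.index(finding["severity"]) >= min_rank:
            out.append(finding)
    return out


# Constructed sample modelled on a scanner's SARIF output; CVE ids are placeholders.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "CVE-0000-0001-libexample", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-0002-libexample", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-0000-0003-libexample", "properties": {"security-severity": "5.3"}},
            {"id": "CVE-0000-0004-libexample", "properties": {}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001-libexample", "message": {"text": "critical finding"}},
            {"ruleId": "CVE-0000-0002-libexample", "message": {"text": "high finding"}},
            {"ruleId": "CVE-0000-0003-libexample", "message": {"text": "medium finding"}},
            {"ruleId": "CVE-0000-0004-libexample", "message": {"text": "unscored finding"}},
        ],
    }],
}


def main(argv: List[str]) -> int:
    """Load a SARIF file given on the command line (or the sample) and gate on it."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_SARIF
    failing = violations(report)
    for finding in failing:
        print(f"{finding['severity'].upper():9} {finding['id']}: {finding['message']}")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a `vuln-<image>.json` produced by the workflow to see which findings a HIGH threshold would flag before the attestation is pushed. Unscored findings are counted as violations on purpose: a policy that drops them would let a parser quirk or a missing rule property hide a real issue.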

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yaml">

<violation number="1" location=".github/workflows/release.yaml:158">
P1: Missing `--kind SARIF` on `chainloop attestation add` for the vulnerability report. Every other attestation-add in this workflow specifies `--kind`, and since Grype outputs SARIF format, the kind should be explicitly set to ensure proper material categorization and policy evaluation.</violation>
</file>



# Run Grype vulnerability scan and attest result
grype --only-fixed -o sarif --file ./vuln-${container_name}.json $entry
chainloop attestation add --name ${container_name}-vulnerability-report --value ./vuln-${container_name}.json --attestation-id ${{ env.ATTESTATION_ID }}

@cubic-dev-ai cubic-dev-ai bot Feb 25, 2026


P1: Missing --kind SARIF on chainloop attestation add for the vulnerability report. Every other attestation-add in this workflow specifies --kind, and since Grype outputs SARIF format, the kind should be explicitly set to ensure proper material categorization and policy evaluation.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yaml, line 158:

<comment>Missing `--kind SARIF` on `chainloop attestation add` for the vulnerability report. Every other attestation-add in this workflow specifies `--kind`, and since Grype outputs SARIF format, the kind should be explicitly set to ensure proper material categorization and policy evaluation.</comment>

<file context>
@@ -149,6 +152,10 @@ jobs:
+
+              # Run Grype vulnerability scan and attest result
+              grype --only-fixed -o sarif --file ./vuln-${container_name}.json $entry
+              chainloop attestation add --name ${container_name}-vulnerability-report --value ./vuln-${container_name}.json --attestation-id ${{ env.ATTESTATION_ID }}
             fi
           done
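Review bot: `--only-fixed` on the `grype` line filters unfixed vulnerabilities out of the attested report, so the HIGH policy evaluated at release time only ever sees findings that already have a fix available; if that is the intended scope, say so in a comment next to the flag, otherwise drop it and let the contract policy decide what to ignore. Two smaller points on the same lines: quote the image reference as `"$entry"` so it is always passed as a single argument, and since no `--fail-on` is given, `grype` itself will not fail the step on findings, which means the policy in the release contract is the only enforcement point and should be documented as such.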
</file context>
Suggested change
chainloop attestation add --name ${container_name}-vulnerability-report --value ./vuln-${container_name}.json --attestation-id ${{ env.ATTESTATION_ID }}
chainloop attestation add --name ${container_name}-vulnerability-report --value ./vuln-${container_name}.json --kind SARIF --attestation-id ${{ env.ATTESTATION_ID }}

Contributor Author


kind is not mandatory in this case.
