From 64fab694d4beb8bae945442e50ff9259660758a9 Mon Sep 17 00:00:00 2001
From: Victoria
Date: Wed, 25 Feb 2026 18:51:24 +0100
Subject: [PATCH] build(compliance): add vulnerability scanning at release time and vulnerabilities verification
Signed-off-by: Victoria
---
 .../contracts/chainloop-chainloop-github-release.yaml | 3 +++
 .github/workflows/release.yaml | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/.github/workflows/contracts/chainloop-chainloop-github-release.yaml b/.github/workflows/contracts/chainloop-chainloop-github-release.yaml
index 14c326ae7..67c0fb725 100644
--- a/.github/workflows/contracts/chainloop-chainloop-github-release.yaml
+++ b/.github/workflows/contracts/chainloop-chainloop-github-release.yaml
@@ -14,3 +14,6 @@ spec:
 - ref: slsa-checks
 with:
 runner: GITHUB_ACTION
+ - ref: vulnerability-management
+ with:
+ severity: "HIGH"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6a1447e91..7bffd0f91 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -93,6 +93,9 @@ jobs:
 # Install Syft
 wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin
+ - name: Install Grype
+ run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/7b7d5be174d392ded78fd45d6cfaff4b7610d23b/install.sh | sh -s -- -b /usr/local/bin
+
 - name: Run GoReleaser
 id: release
 uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.2.0
@@ -149,6 +152,10 @@ jobs:
 # Upload the SBOM to the release
 gh release upload ${{ github.ref_name }} /tmp/sbom-$material_name.cyclonedx.json --clobber
+
+ # Run Grype vulnerability scan and attest result
+ grype --only-fixed -o sarif --file ./vuln-${container_name}.json $entry
+ chainloop attestation add --name ${container_name}-vulnerability-report --value ./vuln-${container_name}.json --attestation-id ${{ env.ATTESTATION_ID }}
 fi
 done
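Review bot: The `severity: "HIGH"` input on the new `vulnerability-management` policy entry has no comment saying whether it gates on HIGH-and-above or on exactly HIGH, and the policy definition is not in this patch, so a reader of the contract cannot tell what the release gate actually blocks. I would add above the entry `# block the release on findings of HIGH severity (and above, if the policy treats it as a floor) — TODO confirm against the policy definition`. The report this policy evaluates is produced elsewhere in the same patch with `grype --only-fixed`, so the gate presumably never sees unfixed findings; stating that scope in the same comment, e.g. `# note: the attested report only contains vulnerabilities with an available fix`, keeps the contract honest about what "no HIGH vulnerabilities" means here.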
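Review bot: The added `Install Grype` step pins the installer script by commit but passes no version argument to it, so the scanner binary that ends up in `/usr/local/bin` is whatever the script's default resolution (presumably the latest release) returns at run time; in a release job whose scan output is attested, an unpinned scanner makes the attested result non-reproducible and lets an upstream release silently change what the gate reports. Append the release tag as the installer's trailing argument, `sh -s -- -b /usr/local/bin <grype-release-tag>`, and document it on the step, e.g. `# grype version is pinned so attested scan results are reproducible; bump deliberately`. Piping a remote script into `sh` mirrors the existing Syft step directly above, so it is not new exposure, but that step has the same version-pin gap and could get the same treatment. The step also uses `curl` where the Syft install uses `wget`; either works, but one tool for both keeps the runner's dependency surface smaller.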
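Review bot: `grype --only-fixed` on the added scan line discards every finding that has no published fix before the report is written, so the attested `${container_name}-vulnerability-report` and any policy reading it never see unfixed HIGH or CRITICAL vulnerabilities; if that is deliberate it should be stated on the line, e.g. `# --only-fixed: report only vulnerabilities with an available fix; unfixed findings are intentionally outside the gate`. The scan targets `$entry` (presumably an image reference, given the surrounding container handling), which re-resolves the artifact at scan time, whereas the CycloneDX SBOM uploaded a few lines above is already part of the attestation; scanning that SBOM instead, `grype sbom:/tmp/sbom-$material_name.cyclonedx.json --only-fixed -o sarif --file ./vuln-${container_name}.json`, binds the vulnerability report to the exact SBOM contents that were attested. Unless the script runs under `set -e` (not visible here), a `grype` failure from a database download or registry pull leaves `chainloop attestation add` attesting a missing or partial report, so a guard such as `grype ... || exit 1` before the attestation step is worth adding. The enclosing `if` and `for` loop both start outside this hunk, as does the definition of `$entry`, `$material_name` and `$container_name`; `$entry` should also be quoted, `"$entry"`, for consistency with shell hygiene.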