
STAC-25076: make Grype scans use VEXHub#18

Merged
LouisLotter merged 1 commit into main from STAC-25076-grype-vex on Jun 18, 2026

Conversation

@LouisLotter

@LouisLotter LouisLotter commented Jun 17, 2026

Contributor

Summary

  • download configured VEX repositories before vulnerability scans
  • collect valid OpenVEX documents from the Trivy VEX cache and fail clearly when none are available
  • skip malformed/non-OpenVEX lookalike files before passing documents to Grype
  • pass the collected OpenVEX documents to Grype via --vex so VEXHub applies consistently across Trivy and Grype
  • update the scan-image README to describe the shared VEX path

Root cause

The reusable scan-image action configured VEXHub only for Trivy. Grype still ran without VEX documents, so VEXed CVEs could remain unmanaged in downstream gates such as docker-images PR #121.

Review feedback addressed

  • Avoid copying VEX repository contents into parent directories, because the current VEXHub manifests already download into the expected Trivy cache layout and copying duplicated the Grype --vex document list.

Validation

  • ruby YAML parse for .github/actions/scan-image/action.yml
  • go test ./... in evaluator with tmp Go caches
  • uvx zizmor --collect=workflows,actions,dependabot .
  • local temp-HOME VEX repo download/document collection smoke with Trivy 0.70.0, finding 861 valid OpenVEX documents and skipping 3 malformed/non-OpenVEX lookalikes
  • git diff --check
  • GitHub Actions: Workflow Security Audit passed
  • GitHub Actions: Action unit tests passed across local-clean/known-vuln and amd64/arm64

Jira: https://stackstate.atlassian.net/browse/STAC-25076
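One way to implement the collection step the summary describes, as an added example that is not the scan-image action's own code: it walks a constructed cache tree, accepts only files that parse as JSON and carry an OpenVEX `@context` plus a `statements` list, skips malformed and non-OpenVEX lookalikes, and builds the repeated `--vex` arguments for Grype, failing clearly when none were collected. The directory layout, the validation rule, and the sample document contents (including the placeholder CVE id) are assumptions; Trivy's real cache layout and Grype's exact acceptance rules are not taken from this page.

```python
import json
import tempfile
from pathlib import Path

OPENVEX_CONTEXT = "https://openvex.dev/ns"  # @context prefix; version suffix not pinned (assumption)


def is_openvex(path: Path) -> bool:
    """Accept only parseable JSON with an OpenVEX @context and a statements list."""
    try:
        with path.open("rb") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):
        return False  # unreadable or malformed JSON
    if not isinstance(doc, dict):
        return False
    ctx = doc.get("@context", "")
    if not (isinstance(ctx, str) and ctx.startswith(OPENVEX_CONTEXT)):
        return False  # e.g. a CycloneDX file that merely shares the .json suffix
    return isinstance(doc.get("statements"), list)


def collect_openvex(cache_dir: Path) -> tuple[list[Path], list[Path]]:
    """Walk cache_dir and split *.json files into (valid OpenVEX docs, skipped lookalikes)."""
    valid, skipped = [], []
    for p in sorted(cache_dir.rglob("*.json")):
        (valid if is_openvex(p) else skipped).append(p)
    return valid, skipped


def grype_vex_args(docs: list[Path]) -> list[str]:
    """Build repeated --vex flags for Grype; fail clearly when nothing was collected."""
    if not docs:
        raise SystemExit("no valid OpenVEX documents found; not running Grype without VEX")
    args: list[str] = []
    for d in docs:
        args += ["--vex", str(d)]
    return args


def build_sample_cache() -> Path:
    """Constructed sample cache (hypothetical layout): one OpenVEX doc plus two lookalikes."""
    root = Path(tempfile.mkdtemp(prefix="vexcache-")) / "vex" / "repositories" / "example"
    root.mkdir(parents=True)
    (root / "good.openvex.json").write_text(json.dumps({
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/1",  # constructed placeholder id
        "statements": [{"vulnerability": {"name": "CVE-0000-0000"}, "status": "not_affected"}],
    }))
    (root / "broken.json").write_text("{ not json")  # malformed JSON
    (root / "sbom.json").write_text(json.dumps({"bomFormat": "CycloneDX"}))  # non-OpenVEX lookalike
    return root.parents[2]
```

Run `collect_openvex(build_sample_cache())` to see one document accepted and two skipped; the same split is what a scan step would log before handing the `--vex` list to Grype.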

@LouisLotter LouisLotter force-pushed the STAC-25076-grype-vex branch from 06ef873 to 3087279 on June 17, 2026 15:07
@LouisLotter LouisLotter marked this pull request as ready for review June 17, 2026 15:21
@LouisLotter LouisLotter requested a review from a team as a code owner June 17, 2026 15:21
Comment thread on .github/actions/scan-image/action.yml (outdated)
@LouisLotter LouisLotter force-pushed the STAC-25076-grype-vex branch from 3087279 to 4256823 on June 17, 2026 15:34
@LouisLotter LouisLotter merged commit 66966bd into main Jun 18, 2026
5 checks passed
@LouisLotter LouisLotter deleted the STAC-25076-grype-vex branch June 18, 2026 07:02