From 64fab694d4beb8bae945442e50ff9259660758a9 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 25 Feb 2026 18:51:24 +0100 Subject: [PATCH 1/3] build(compliance): add vulnerability scanning at release time and vulnerabilities verification Signed-off-by: Victoria --- .../contracts/chainloop-chainloop-github-release.yaml | 3 +++ .github/workflows/release.yaml | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/contracts/chainloop-chainloop-github-release.yaml b/.github/workflows/contracts/chainloop-chainloop-github-release.yaml index 14c326ae7..67c0fb725 100644 --- a/.github/workflows/contracts/chainloop-chainloop-github-release.yaml +++ b/.github/workflows/contracts/chainloop-chainloop-github-release.yaml @@ -14,3 +14,6 @@ spec: - ref: slsa-checks with: runner: GITHUB_ACTION + - ref: vulnerability-management + with: + severity: "HIGH" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6a1447e91..7bffd0f91 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -93,6 +93,9 @@ jobs: # Install Syft wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin + - name: Install Grype + run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/7b7d5be174d392ded78fd45d6cfaff4b7610d23b/install.sh | sh -s -- -b /usr/local/bin + - name: Run GoReleaser id: release uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.2.0 @@ -149,6 +152,10 @@ jobs: # Upload the SBOM to the release gh release upload ${{ github.ref_name }} /tmp/sbom-$material_name.cyclonedx.json --clobber + + # Run Grype vulnerability scan and attest result + grype --only-fixed -o sarif --file ./vuln-${container_name}.json $entry + chainloop attestation add --name ${container_name}-vulnerability-report --value ./vuln-${container_name}.json --attestation-id ${{ env.ATTESTATION_ID }} fi done From c97b38a757befdda11317114ca8e2cbe7a89716b Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 4 Mar 2026 10:05:01 +0100 Subject: [PATCH 2/3] Update grype to the latest available version Signed-off-by: Victoria --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7bffd0f91..8851a30b3 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -94,7 +94,7 @@ jobs: wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin - name: Install Grype - run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/7b7d5be174d392ded78fd45d6cfaff4b7610d23b/install.sh | sh -s -- -b /usr/local/bin + run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/v0.109.0/install.sh | sh -s -- -b /usr/local/bin v0.109.0 - name: Run GoReleaser id: release From c795e6f3c4bdefda59393cf7e03073fa2253a053 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 4 Mar 2026 10:21:54 +0100 Subject: [PATCH 3/3] Point to a pinned commit hash instead of a mutable tag Signed-off-by: Victoria --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8851a30b3..0676bbc50 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -94,7 +94,7 @@ jobs: wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin - name: Install Grype - run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/v0.109.0/install.sh | sh -s -- -b /usr/local/bin v0.109.0 + run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/fe186c3e986dda3cb4c5e90798f82c52aefcb4b8/install.sh | sh -s -- -b /usr/local/bin - name: Run GoReleaser id: release