Exclude unfixed vulnerabilities from security workflow results

2026-03-25 16:31:27 +00:00
parent 049273a13c
commit fcef549eba
+38 -22
@@ -40,13 +40,11 @@ jobs:
FILE="syft_${VERSION_NO_V}_linux_amd64.tar.gz" FILE="syft_${VERSION_NO_V}_linux_amd64.tar.gz"
BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}" BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
# Download artifacts
curl -fLO ${BASE_URL}/${FILE} curl -fLO ${BASE_URL}/${FILE}
curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt
curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.sig curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.sig
curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.pem curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.pem
# Verify checksums file
cosign verify-blob \ cosign verify-blob \
--signature syft_${VERSION_NO_V}_checksums.txt.sig \ --signature syft_${VERSION_NO_V}_checksums.txt.sig \
--certificate syft_${VERSION_NO_V}_checksums.txt.pem \ --certificate syft_${VERSION_NO_V}_checksums.txt.pem \
@@ -54,10 +52,14 @@ jobs:
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
syft_${VERSION_NO_V}_checksums.txt syft_${VERSION_NO_V}_checksums.txt
# Verify binary integrity CHECKSUM_LINE=$(grep " ${FILE}$" syft_${VERSION_NO_V}_checksums.txt)
grep " ${FILE}$" syft_${VERSION_NO_V}_checksums.txt | sha256sum -c - if [ -z "$CHECKSUM_LINE" ]; then
echo "Missing checksum entry for ${FILE}"
exit 1
fi
echo "$CHECKSUM_LINE" | sha256sum -c -
# Install
tar -xzf ${FILE} tar -xzf ${FILE}
mv syft /usr/local/bin/ mv syft /usr/local/bin/
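Review bot: The new checksum-entry guard (`CHECKSUM_LINE=$(grep ...)` through `sha256sum -c -`) is duplicated verbatim between this syft step and the grype step in the hunk at L46-L57; a small shell function such as `verify_archive() { ... }` taking the tool name, or a reusable step with the name as input, would keep the two copies from drifting. Whether a failing `cosign verify-blob` above actually stops the step before the checksum and `tar`/`mv` lines depends on the shell the step runs with; if the `run:` block does not begin with `set -euo pipefail`, that is worth adding so a verification failure cannot fall through to the install. The enclosing `run:` block starts before this hunk, so the shell options are not visible here.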
@@ -71,13 +73,11 @@ jobs:
FILE="grype_${VERSION_NO_V}_linux_amd64.tar.gz" FILE="grype_${VERSION_NO_V}_linux_amd64.tar.gz"
BASE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}" BASE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}"
# Download artifacts
curl -fLO ${BASE_URL}/${FILE} curl -fLO ${BASE_URL}/${FILE}
curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt
curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.sig curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.sig
curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.pem curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.pem
# Verify checksums file
cosign verify-blob \ cosign verify-blob \
--signature grype_${VERSION_NO_V}_checksums.txt.sig \ --signature grype_${VERSION_NO_V}_checksums.txt.sig \
--certificate grype_${VERSION_NO_V}_checksums.txt.pem \ --certificate grype_${VERSION_NO_V}_checksums.txt.pem \
@@ -85,10 +85,14 @@ jobs:
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
grype_${VERSION_NO_V}_checksums.txt grype_${VERSION_NO_V}_checksums.txt
# Verify binary integrity CHECKSUM_LINE=$(grep " ${FILE}$" grype_${VERSION_NO_V}_checksums.txt)
grep " ${FILE}$" grype_${VERSION_NO_V}_checksums.txt | sha256sum -c - if [ -z "$CHECKSUM_LINE" ]; then
echo "Missing checksum entry for ${FILE}"
exit 1
fi
echo "$CHECKSUM_LINE" | sha256sum -c -
# Install
tar -xzf ${FILE} tar -xzf ${FILE}
mv grype /usr/local/bin/ mv grype /usr/local/bin/
@@ -112,20 +116,27 @@ jobs:
run: | run: |
grype sbom:sbom.json -o json > grype.json grype sbom:sbom.json -o json > grype.json
echo "Vulnerabilities found:" echo "Vulnerabilities (fixable only):"
jq -r ' jq -r '
.matches[] .matches[]
| "\(.artifact.name)@\(.artifact.version) -> \(.vulnerability.id) [\(.vulnerability.severity)]" | select((.vulnerability.fix.versions | length) > 0)
' grype.json || true | "\(.artifact.name)@\(.artifact.version) -> \(.vulnerability.id) [\(.vulnerability.severity)] | fixed: \(.vulnerability.fix.versions[0])"
' grype.json
# Fail on MEDIUM/HIGH/CRITICAL # Fail only on fixable MEDIUM/HIGH/CRITICAL
jq -e ' jq -e '
[ [
.matches[]? .matches[]?
| select( | select(
(.vulnerability.severity == "Medium") or (
(.vulnerability.severity == "High") or .vulnerability.severity == "Medium" or
(.vulnerability.severity == "Critical") .vulnerability.severity == "High" or
.vulnerability.severity == "Critical"
)
and
(
(.vulnerability.fix.versions | length) > 0
)
) )
] ]
| length == 0 | length == 0
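Review bot: The fixable predicate `select((.vulnerability.fix.versions | length) > 0)` is now spelled out in the listing, in the gate, and twice more in the report hunk that follows; four hand-copied filters is how the gate ends up deciding on a different set than the report shows. jq allows defining it once at the top of each filter, e.g. `def fixable: select((.vulnerability.fix.versions | length) > 0);` followed by `.matches[]? | fixable`. The listing also iterates `.matches[]` while the gate uses `.matches[]?`, so a report whose `matches` key is absent errors in the listing but counts as clean in the gate; both should use the same form. Grype's fix object also carries a `state` field, which may be a more explicit signal of fixability than a non-empty `versions` array, but confirm that against the JSON schema of the pinned grype version before switching.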
@@ -146,17 +157,22 @@ jobs:
repo: "guardutils/chguard", repo: "guardutils/chguard",
summary: ( summary: (
"Total: " + "Total: " +
((.matches | length) | tostring) (
[
.matches[]
| select((.vulnerability.fix.versions | length) > 0)
] | length | tostring
)
), ),
vulnerabilities: [ vulnerabilities: [
.matches[] | { .matches[]
| select((.vulnerability.fix.versions | length) > 0)
| {
library: .artifact.name, library: .artifact.name,
cve: .vulnerability.id, cve: .vulnerability.id,
severity: .vulnerability.severity, severity: .vulnerability.severity,
installed: .artifact.version, installed: .artifact.version,
fixed: ( fixed: (.vulnerability.fix.versions[0]),
.vulnerability.fix.versions[0] // "none"
),
title: .vulnerability.description, title: .vulnerability.description,
url: .vulnerability.dataSource url: .vulnerability.dataSource
} }
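Review bot: After this change the posted `summary` and `vulnerabilities` list contain only fixable matches, so a reader of the report cannot tell whether unfixed Critical or High findings exist in grype.json at all. Keeping a second counter in `summary` is one expression, e.g. `+ ", unfixed: " + ([.matches[] | select((.vulnerability.fix.versions | length) == 0)] | length | tostring)`. The `fixed: (.vulnerability.fix.versions[0])` line is only safe because of the `select` directly above it; if that filter is ever relaxed the removed `// "none"` fallback becomes necessary again, so a short comment on that coupling, such as `# versions[0] is guaranteed by the fixable select above`, would help the next maintainer. The enclosing jq expression starts before this hunk.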