Exclude unfixed vulnerabilities from security workflow results

Switch Trivy scan to Syft and Grype
Disable trivy scan workflow
2026-03-25 16:31:27 +00:00 · 2026-03-25 16:10:01 +00:00 · 2026-03-23 08:02:12 +00:00 · 2026-03-21 07:25:11 +00:00 · 2026-03-21 07:05:33 +00:00 · 2026-01-24 09:24:39 +00:00
5 changed files with 224 additions and 19 deletions
@@ -0,0 +1,188 @@
+name: Security Scan
+
+on:
+  schedule:
+    - cron: 27 8 * * *
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    runs-on: running-man
+
+    env:
+      TARGET_DIR: .
+      COSIGN_VERSION: v3.0.5
+      SYFT_VERSION: v1.42.3
+      GRYPE_VERSION: v0.110.0
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Cosign (bootstrap)
+        run: |
+          set -euo pipefail
+
+          FILE="cosign-linux-amd64"
+
+          curl -fLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}
+
+          chmod +x ${FILE}
+          mv ${FILE} /usr/local/bin/cosign
+
+          cosign version
+
+      - name: Install Syft (verified)
+        run: |
+          set -euo pipefail
+
+          VERSION_NO_V="${SYFT_VERSION#v}"
+          FILE="syft_${VERSION_NO_V}_linux_amd64.tar.gz"
+          BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
+
+          curl -fLO ${BASE_URL}/${FILE}
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.sig
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.pem
+
+          cosign verify-blob \
+            --signature syft_${VERSION_NO_V}_checksums.txt.sig \
+            --certificate syft_${VERSION_NO_V}_checksums.txt.pem \
+            --certificate-identity-regexp "https://github.com/anchore/syft" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            syft_${VERSION_NO_V}_checksums.txt
+
+          CHECKSUM_LINE=$(grep " ${FILE}$" syft_${VERSION_NO_V}_checksums.txt)
+          if [ -z "$CHECKSUM_LINE" ]; then
+            echo "Missing checksum entry for ${FILE}"
+            exit 1
+          fi
+
+          echo "$CHECKSUM_LINE" | sha256sum -c -
+
+          tar -xzf ${FILE}
+          mv syft /usr/local/bin/
+
+          syft version
+
+      - name: Install Grype (verified)
+        run: |
+          set -euo pipefail
+
+          VERSION_NO_V="${GRYPE_VERSION#v}"
+          FILE="grype_${VERSION_NO_V}_linux_amd64.tar.gz"
+          BASE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}"
+
+          curl -fLO ${BASE_URL}/${FILE}
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.sig
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.pem
+
+          cosign verify-blob \
+            --signature grype_${VERSION_NO_V}_checksums.txt.sig \
+            --certificate grype_${VERSION_NO_V}_checksums.txt.pem \
+            --certificate-identity-regexp "https://github.com/anchore/grype" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            grype_${VERSION_NO_V}_checksums.txt
+
+          CHECKSUM_LINE=$(grep " ${FILE}$" grype_${VERSION_NO_V}_checksums.txt)
+          if [ -z "$CHECKSUM_LINE" ]; then
+            echo "Missing checksum entry for ${FILE}"
+            exit 1
+          fi
+
+          echo "$CHECKSUM_LINE" | sha256sum -c -
+
+          tar -xzf ${FILE}
+          mv grype /usr/local/bin/
+
+          grype version
+
+      - name: Generate SBOM
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          syft dir:. -o json > sbom.json
+
+      - name: Show SBOM contents
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          echo "Packages discovered by Syft:"
+          jq -r '.artifacts[] | "\(.name)@\(.version) [\(.type)]"' sbom.json | sort
+
+      - name: Run Grype scan (JSON)
+        id: audit
+        continue-on-error: true
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          grype sbom:sbom.json -o json > grype.json
+
+          echo "Vulnerabilities (fixable only):"
+          jq -r '
+            .matches[]
+            | select((.vulnerability.fix.versions | length) > 0)
+            | "\(.artifact.name)@\(.artifact.version) -> \(.vulnerability.id) [\(.vulnerability.severity)] | fixed: \(.vulnerability.fix.versions[0])"
+          ' grype.json
+
+          # Fail only on fixable MEDIUM/HIGH/CRITICAL
+          jq -e '
+            [
+              .matches[]?
+              | select(
+                  (
+                    .vulnerability.severity == "Medium" or
+                    .vulnerability.severity == "High" or
+                    .vulnerability.severity == "Critical"
+                  )
+                  and
+                  (
+                    (.vulnerability.fix.versions | length) > 0
+                  )
+                )
+            ]
+            | length == 0
+          ' grype.json
+
+      - name: Show full Grype table
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          echo "Full Grype report:"
+          grype sbom:sbom.json -o table
+
+      - name: Notify Node-RED on vulnerabilities
+        if: steps.audit.outcome == 'failure'
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          jq '
+          {
+            repo: "guardutils/chguard",
+            summary: (
+              "Total: " +
+              (
+                [
+                  .matches[]
+                  | select((.vulnerability.fix.versions | length) > 0)
+                ] | length | tostring
+              )
+            ),
+            vulnerabilities: [
+              .matches[]
+              | select((.vulnerability.fix.versions | length) > 0)
+              | {
+                library: .artifact.name,
+                cve: .vulnerability.id,
+                severity: .vulnerability.severity,
+                installed: .artifact.version,
+                fixed: (.vulnerability.fix.versions[0]),
+                title: .vulnerability.description,
+                url: .vulnerability.dataSource
+              }
+            ]
+          }
+          ' grype.json \
+          | curl -s -X POST https://nodered.sysmd.uk/vulns-alert \
+              -H "Content-Type: application/json" \
+              --data-binary @-
+
+      - name: Fail workflow if vulnerabilities found
+        if: steps.audit.outcome == 'failure'
+        run: exit 1
@@ -1,19 +1,19 @@
 repos:
  - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.9
+    rev: 1.9.4
    hooks:
      - id: bandit
        files: ^src/mirro/
        args: ["-lll", "-iii", "-s", "B110,B112"]

  - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.11.0
+    rev: 26.3.1
    hooks:
      - id: black
        language_version: python3.13

  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
@@ -331,14 +331,31 @@ def main() -> None:
            console.print("No saved states.")
            return

+        table = Table(box=box.SIMPLE, header_style="bold")
+
+        table.add_column("State")
+        table.add_column("Root path")
+        table.add_column("Created")
+
        for name, root, created in rows:
            dt = datetime.fromisoformat(created)
            ts = dt.strftime("%Y-%m-%d %H:%M:%S %z")
-            if name.startswith("auto-"):
-                console.print(f"[cyan]{name}[/cyan]\t{root}\t{ts}")
-            else:
-                console.print(f"{name}\t{root}\t{ts}")
-        return
+
+            state_name = (
+                f"[bright_cyan]{name}[/bright_cyan]"
+                if name.startswith("auto-")
+                else name
+            )
+            root = f"[bright_magenta]{root}[/bright_magenta]"
+            ts = f"[bright_cyan]{created}[/bright_cyan]"
+
+            table.add_row(
+                state_name,
+                root,
+                ts,
+            )
+
+        console.print(table)

    if args.delete:
        if delete_state(conn, args.delete) == 0:
@@ -38,13 +38,13 @@ files = [

 [[package]]
 name = "filelock"
-version = "3.20.1"
+version = "3.20.3"
 description = "A platform independent file lock."
 optional = false
 python-versions = ">=3.10"
 files = [
-    {file = "filelock-3.20.1-py3-none-any.whl", hash = "sha256:15d9e9a67306188a44baa72f569d2bfd803076269365fdea0934385da4dc361a"},
-    {file = "filelock-3.20.1.tar.gz", hash = "sha256:b8360948b351b80f420878d8516519a2204b07aefcdcfd24912a5d33127f188c"},
+    {file = "filelock-3.20.3-py3-none-any.whl", hash = "sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1"},
+    {file = "filelock-3.20.3.tar.gz", hash = "sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1"},
 ]

 [[package]]
@@ -267,18 +267,18 @@ files = [

 [[package]]
 name = "virtualenv"
-version = "20.35.4"
+version = "20.36.1"
 description = "Virtual Python Environment builder"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "virtualenv-20.35.4-py3-none-any.whl", hash = "sha256:c21c9cede36c9753eeade68ba7d523529f228a403463376cf821eaae2b650f1b"},
-    {file = "virtualenv-20.35.4.tar.gz", hash = "sha256:643d3914d73d3eeb0c552cbb12d7e82adf0e504dbf86a3182f8771a153a1971c"},
+    {file = "virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f"},
+    {file = "virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"},
 ]

 [package.dependencies]
 distlib = ">=0.3.7,<1"
-filelock = ">=3.12.2,<4"
+filelock = {version = ">=3.20.1,<4", markers = "python_version >= \"3.10\""}
 platformdirs = ">=3.9.1,<5"
 typing-extensions = {version = ">=4.13.2", markers = "python_version < \"3.11\""}

@@ -289,4 +289,4 @@ test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.10,<4.0"
-content-hash = "4a5c993fcc16fe3739c43eb00bed750ce0803d45e37c7a786aa0b83bb4930267"
+content-hash = "8cfa38f4e2f17dba430ea08f7be3c91890a0c7a4535b69d9565b84d714f589bc"
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "chguard"
-version = "0.3.0"
+version = "0.3.3"
 description = "Safety-first tool to snapshot and restore filesystem ownership and permissions."
 authors = ["Marco D'Aleo <marco@marcodaleo.com>"]
 license = "GPL-3.0-or-later"
@@ -12,8 +12,8 @@ repository = "https://git.sysmd.uk/guardutils/chguard"
 python = ">=3.10,<4.0"
 rich = ">=12"
 argcomplete = ">=2"
-platformdirs = ">=4.5.1"
-filelock = ">=3.20.1"
+platformdirs = ">=4.2.2"
+filelock = ">=3.15.4"

 [tool.poetry.scripts]
 chguard = "chguard.cli:main"
Author	SHA1	Message	Date
mdaleo404	fcef549eba	Exclude unfixed vulnerabilities from security workflow results Security Scan / security-scan (push) Successful in 1m17s Details	2026-03-25 16:31:27 +00:00
mdaleo404	049273a13c	Switch Trivy scan to Syft and Grype	2026-03-25 16:10:01 +00:00
mdaleo404	d00407bb33	Disable trivy scan workflow	2026-03-23 08:02:12 +00:00
mdaleo404	a8dbe675f5	Update pre-commit hooks version Trivy Scan / security-scan (push) Successful in 27s Details	2026-03-21 07:25:11 +00:00
mdaleo404	cc2b1fe791	Ping Trivy docker image to 0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c	2026-03-21 07:05:33 +00:00
mdaleo404	db60b4e42b	Merge pull request 'Fix list view to be a rich table' (#6 ) from fix_list_view into main Trivy Scan / security-scan (push) Successful in 27s Details Reviewed-on: #6	2026-01-24 09:24:39 +00:00
mdaleo404	afc964a076	Fix list view to be a rich table Lint & Security / precommit-and-security (pull_request) Successful in 1m50s Details	2026-01-24 09:21:51 +00:00
mdaleo404	d42f6d5fe1	Merge pull request 'Relax dependencies to match Fedora 42 packages' (#5 ) from fix_filelock_platformdird_deps into main Trivy Scan / security-scan (push) Successful in 28s Details Reviewed-on: #5	2026-01-17 16:44:06 +00:00
mdaleo404	103d6159d1	Relax dependencies to match Fedora 42 packages Lint & Security / precommit-and-security (pull_request) Successful in 1m56s Details	2026-01-17 16:41:08 +00:00
mdaleo404	2ee9588fb9	Update filelock and virtualenv Trivy Scan / security-scan (push) Successful in 26s Details	2026-01-15 17:06:08 +00:00
mdaleo404	a2720e245f	Change trivy.json output path	2026-01-15 16:47:54 +00:00
mdaleo404	8e3404bd51	Rework the trivy scan job	2026-01-15 16:45:21 +00:00
mdaleo404	5ff1e935a3	Fix trivy scan volume path to be explicit	2026-01-15 16:39:40 +00:00
mdaleo404	7fafb1fa8e	Fix trivy scan volume path	2026-01-15 16:36:23 +00:00
mdaleo404	f87eb5f438	Fix trivy scan volume path	2026-01-15 16:22:47 +00:00
mdaleo404	1c3025b2d6	Fix docker command to trivy scan	2026-01-15 16:19:08 +00:00
mdaleo404	4980903572	Fix trivy.json output path	2026-01-15 16:13:48 +00:00
mdaleo404	a7183b3286	Fix trivy.json output path	2026-01-15 16:09:17 +00:00
mdaleo404	984aeccfdd	Fix trivy fs path	2026-01-15 16:05:51 +00:00
mdaleo404	dc6e7840c7	Modify severity level on trivy-scan workflow	2026-01-15 15:48:41 +00:00
mdaleo404	0464982b94	Add trivy-scan workflow	2026-01-15 15:41:29 +00:00