ci: add Grype CVE scanning workflow, clean up vulnerable deps#1605
coopernetes wants to merge 1 commit into
✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs. #1605):

              main    #1605     +/-
Coverage    85.38%   85.51%  +0.12%
Files           83       83
Lines         7878     7878
Branches      1312     1312
Hits          6727     6737     +10
Misses        1123     1114      -9
Partials        28       27      -1
Force-pushed from 089b270 to b4018f5.
jescalada left a comment:
LGTM - just wondering if this also covers the Docker image and website dependencies. I prefer Grype over Dependabot since we can see vulnerabilities introduced in our PRs, whereas Dependabot would detect them after the fact.
Also, it would be nice to have it scan the Docker image, since Node has its own dependencies that aren't listed in our package.json.
Another question: What's the recommended process for fixing up vulnerabilities detected by Grype? Suppose a contributor sees their CI fail due to Grype - should they be running
Perhaps we should add documentation for the audit/fix process so we don't discourage new contributions 🤔
Thanks for the review @jescalada and good questions. I'll address the comments above here then respond on that thread about the other dependency scans we might want to add.
We can absolutely use Grype for both the image scanning (I believe this was the primary use for grype, scanning container images similar to trivy). We just need to add another grype job on the image itself. Note that it does require the image to be pushed to a registry if we wish to keep it as its own GHA workflow/job. Alternatively, we can add grype scan as a post-build step. Note, we currently only build the Docker image on the main branch and from tag/release. As it's currently designed, we don't perform a docker build as part of a PR. Something to consider is adding
It's a bit of a case-by-case basis. Maybe a good candidate to add in custom commands/SKILLS (described in #1410) to make repeatable analysis of "dependency is vulnerable, check for a fixed-version, update a dependency manifest file". Remediating a Docker vulnerability is quite different from npm (and in the Docker case, it's multi-dimensional - git-proxy's own dependencies vulnerable? what about a transitive vulnerability from a base image?).
Force-pushed from b4018f5 to f326891.
Adds a Grype CVE scanning workflow that runs on push, PR, and weekly schedule. Scans package-lock.json (not the working directory) to avoid false positives from CI runner tooling. Uploads SARIF to the Security tab and a table report as an artifact. Fails on high severity with a fix available.

Dependency bumps (all same-major, no breaking changes):
- concurrently 9.2.1 → 9.2.3 (shell-quote critical: GHSA-w7jw-789q-3m8p)
- vitest 3.2.4 → 3.2.6 (critical: arbitrary file read)
- @vitest/coverage-v8 3.2.4 → 3.2.6 (depends on vitest)
- vite 7.3.1 → 7.3.5 (high: GHSA-fx2h-pf6j-xcff)
- cypress 15.9.0 → 15.17.0 (tmp, qs, uuid transitives)
- react-router-dom 6.30.3 → 6.30.4 (moderate: GHSA-2j2x-hqr9-3h42)

Overrides for transitive deps whose parents haven't released fixes:
- form-data 4.0.5 → 4.0.6 (high: GHSA-hmw2-7cc7-3qxx)
- tmp 0.2.5 → 0.2.6 (high: path traversal)

Reduces total vulnerabilities from 19 to 7 (0 critical, 0 high).
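The commit message relies on npm `overrides` to move `form-data` and `tmp` past versions that cypress itself pins. An override only helps if every copy of the package in the tree moved, and npm writes each nested copy into the `packages` map of package-lock.json (lockfileVersion 2/3). The check below walks that map and reports any copy still below the override version. It is an added example, not code from this PR or from git-proxy; the lockfile fragment is constructed (with a deliberately stale nested copy under `node_modules/cypress/node_modules/` to show a failed override), and the override versions are the ones listed in the commit message.

```python
"""Verify that npm `overrides` in package.json really replaced every copy of a
package in package-lock.json (lockfileVersion 2/3). Added example; the
lockfile content below is constructed, not git-proxy's real lockfile."""
import json
import re

# Constructed lockfile fragment: the hoisted form-data was overridden, but a
# nested copy under cypress is still at 4.0.5 (e.g. the override was added by
# hand without re-running `npm install`).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.0.0"},
        "node_modules/cypress": {"version": "15.17.0", "dependencies": {"tmp": "~0.2.4"}},
        "node_modules/tmp": {"version": "0.2.6"},
        "node_modules/form-data": {"version": "4.0.6"},
        "node_modules/cypress/node_modules/form-data": {"version": "4.0.5"},
    },
})

# Overrides as they would appear in package.json (versions from this PR).
OVERRIDES = {"form-data": "4.0.6", "tmp": "0.2.6"}


def installed_versions(lock_json: str) -> dict[str, set[str]]:
    """Map package name -> every version installed anywhere in the tree."""
    found: dict[str, set[str]] = {}
    for path, entry in json.loads(lock_json).get("packages", {}).items():
        version = entry.get("version")
        if not path or version is None:  # skip the root project and link entries
            continue
        # The name is whatever follows the last "node_modules/"; scoped packages
        # keep their "@scope/" prefix because it sits after that marker.
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(version)
    return found


def parse_version(v: str) -> tuple:
    """Numeric semver triple; assumption: no prerelease/build tags in the lockfile."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def stale_copies(overrides: dict[str, str], lock_json: str) -> dict[str, list[str]]:
    """Per overridden package, the installed versions still below the override."""
    versions = installed_versions(lock_json)
    return {
        name: sorted(v for v in versions.get(name, set())
                     if parse_version(v) < parse_version(wanted))
        for name, wanted in overrides.items()
    }


def overrides_effective(overrides: dict[str, str], lock_json: str) -> bool:
    """True only when no copy of any overridden package lags the override."""
    return not any(stale_copies(overrides, lock_json).values())


if __name__ == "__main__":
    for name, lagging in stale_copies(OVERRIDES, SAMPLE_LOCK).items():
        status = "OK" if not lagging else f"STALE copies at {', '.join(lagging)}"
        print(f"{name}: override {OVERRIDES[name]} -> {status}")
    raise SystemExit(0 if overrides_effective(OVERRIDES, SAMPLE_LOCK) else 1)
```

Run against the real package-lock.json after `npm install`, this is a cheap CI assertion that the override landed; when cypress later ships its own bump, the override can be dropped and the same check still passes.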
Force-pushed from f326891 to 4aecfc1.
After resolving the main application dependencies, it's safe to close out the OpenSSF code scanning alert (security/code-scanning/64) since it's using osv under the hood and I don't believe scorecard is validating the versions properly compared to the full Grype scan against all the dependencies in main.
Description
Adds CVE scanning via Grype and fixes all high/critical vulnerabilities in the main project's dependencies.
Note that the OpenSSF scorecard is flagging a number of existing vulnerabilities. Also, for some reason (oversight?), Dependabot alerts are disabled.
Dependency review remains and will catch any new dependencies being added. The CVE scan workflow is more complete and also adds a scheduled scan every Monday morning for ongoing hygiene. Not a required check for PRs so should be fine to introduce — audit the findings then action them accordingly.
Alternatively, this PR can be closed and Dependabot alerts can just be enabled since the version bumping is already handled by Dependabot anyways. This will require intervention from FINOS and agreement on if Dependabot is the tool of choice for generating alerts.
Findings available here: https://github.com/finos/git-proxy/security/code-scanning?query=is%3Aopen+pr%3A1605
The new workflow will also output the results (has to scan twice unfortunately) to a table format for quick review in the workflow logs.
CVE scanning workflow

- `--only-fixed` (only reports CVEs that have a fix available)
- `--fail-on high` (fails the build on high severity)
- `./experimental/**` excluded: `li-cli` and `license-inventory` have their own dependency trees with unrelated vulnerabilities. The exclude can be removed once those packages are updated.

Dependency bumps
All same-major, no breaking changes (🤞):
- `concurrently` 9.2.1 → 9.2.3 (`shell-quote` critical: GHSA-w7jw-789q-3m8p)
- `vitest` 3.2.4 → 3.2.6 (critical: arbitrary file read)
- `@vitest/coverage-v8` 3.2.4 → 3.2.6 (depends on vitest)
- `vite` 7.3.1 → 7.3.5 (high: GHSA-fx2h-pf6j-xcff)
- `cypress` 15.9.0 → 15.17.0 (`tmp`, `qs`, `uuid` transitives)
- `react-router-dom` 6.30.3 → 6.30.4 (moderate: GHSA-2j2x-hqr9-3h42)

npm overrides
For transitive deps whose direct parents are already at latest and haven't released fixes:
- `form-data` 4.0.5 → 4.0.6 (high: GHSA-hmw2-7cc7-3qxx)
- `tmp` 0.2.5 → 0.2.6 (high: path traversal)

`form-data` is pinned to `^4.0.5` in cypress's own resolutions. `tmp` is a direct dependency of cypress at `~0.2.4`. Both overrides can be removed when cypress releases a version that bumps these.

Result
Total vulnerabilities: 19 → 7 (0 critical, 0 high). The remaining 7 are moderate/low in `nyc` (requires major 17→18), `@babel/core` (low), and `brace-expansion` (moderate via `c8`).
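The description's gating rule (`--only-fixed` plus `--fail-on high`), its note that the workflow has to scan twice to get both SARIF and a table, and the thread's question about telling an image's own npm findings apart from base-image packages all act on the same data: one Grype JSON report. The script below is an added example, not code from this PR or from git-proxy's workflow. It assumes a single `grype -o json` run whose output carries `matches[].vulnerability` and `matches[].artifact` in the shape Grype emits; the embedded report is constructed and trimmed to the fields used (the `form-data` entry reuses the advisory from this PR, the other two ids and versions are placeholders), and treating language-ecosystem artifact types as "our" dependencies versus OS packages as base-image ones is an assumption, not Grype's own classification.

```python
"""Apply the workflow's policy to one Grype JSON report: gate on findings at or
above a severity that have a fix (`--only-fixed --fail-on high`), render the
table from the same data instead of scanning twice, and split image findings
into application (npm) vs base-image (OS) packages. Added example; the report
below is constructed in the shape of `grype -o json`, trimmed to the fields used."""
import json
from collections import Counter

SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Assumption: language-ecosystem artifact types are the project's own dependencies;
# anything else (deb, apk, rpm, binary, ...) is treated as coming from the base image.
APP_ECOSYSTEMS = {"npm", "python", "java-archive", "go-module", "gem", "rust-crate"}

SAMPLE_REPORT = json.dumps({"matches": [
    # Real advisory and versions from this PR's overrides.
    {"vulnerability": {"id": "GHSA-hmw2-7cc7-3qxx", "severity": "High",
                       "fix": {"versions": ["4.0.6"], "state": "fixed"}},
     "artifact": {"name": "form-data", "version": "4.0.5", "type": "npm",
                  "locations": [{"path": "/app/node_modules/form-data/package.json"}]}},
    # Placeholder ids, names and versions below are constructed, not real findings.
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-pkg", "version": "1.0.0", "type": "npm",
                  "locations": [{"path": "/app/node_modules/example-pkg/package.json"}]}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libexample", "version": "1.0-1", "type": "deb",
                  "locations": [{"path": "/var/lib/dpkg/status"}]}},
]})


def parse_report(report_json: str) -> list:
    """Flatten Grype's JSON matches into the fields the policy needs."""
    rows = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        rows.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": art["name"],
            "version": art["version"],
            "type": art.get("type", ""),
            "fixed": fix.get("state") == "fixed",
            "fix_versions": fix.get("versions", []),
        })
    return rows


def blocking(rows: list, fail_on: str = "High", only_fixed: bool = True) -> list:
    """Mirror `--fail-on <sev> --only-fixed`: the findings that should fail the build."""
    threshold = SEVERITY_RANK[fail_on]
    return [r for r in rows
            if SEVERITY_RANK.get(r["severity"], 0) >= threshold
            and (r["fixed"] or not only_fixed)]


def severity_counts(rows: list) -> Counter:
    """Totals per severity, for the "19 -> 7 (0 critical, 0 high)" style summary."""
    return Counter(r["severity"] for r in rows)


def split_by_origin(rows: list) -> dict:
    """Separate the project's own package findings from base-image OS packages."""
    buckets = {"app": [], "base-image": []}
    for r in rows:
        buckets["app" if r["type"] in APP_ECOSYSTEMS else "base-image"].append(r)
    return buckets


def render_table(rows: list) -> str:
    """Table report from the JSON, so a second `-o table` scan is unnecessary."""
    lines = [f"{'PACKAGE':<16}{'INSTALLED':<11}{'FIXED-IN':<10}{'TYPE':<6}{'VULNERABILITY':<22}SEVERITY"]
    for r in sorted(rows, key=lambda r: -SEVERITY_RANK.get(r["severity"], 0)):
        fixed_in = ",".join(r["fix_versions"]) or "-"
        lines.append(f"{r['package']:<16}{r['version']:<11}{fixed_in:<10}"
                     f"{r['type']:<6}{r['id']:<22}{r['severity']}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(render_table(rows))
    print("by severity:", dict(severity_counts(rows)))
    origin = split_by_origin(rows)
    print("app:", [r["package"] for r in origin["app"]],
          "base-image:", [r["package"] for r in origin["base-image"]])
    failing = blocking(rows)  # the workflow's rule: high+ with a fix available
    raise SystemExit(1 if failing else 0)
```

Note the asymmetry the `--only-fixed` rule creates: the constructed `Critical` base-image finding does not block because it has no fix, while the `High` `form-data` finding does. That is exactly the trade-off the description accepts, and the origin split is what makes it reviewable when the same policy is later pointed at the Docker image.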