Add Grype Habitat package scan workflow with build and install modes by sandhi18 · Pull Request #34 · chef/common-github-actions · GitHub

Add Grype Habitat package scan workflow with build and install modes #34

Open

sandhi18 wants to merge 1 commit into main from sandhi/add-hab-grype

Conversation

@sandhi18 (Contributor)

Description

This pull request adds support for scanning Habitat packages using Grype as part of the CI workflow. The changes allow for flexible configuration of scan parameters, including package origin, name, version, release, channel, and target platforms. This enables automated vulnerability scanning of Habitat packages either by building from source or downloading from Builder.

New Habitat Grype scan inputs:

  • Added multiple new workflow inputs to .github/workflows/ci-main-pull-request.yml for configuring Habitat package Grype scans, such as perform-grype-hab-scan, grype-hab-build-package, grype-hab-origin, grype-hab-package, grype-hab-version, grype-hab-release, grype-hab-channel, and platform-specific scan options.

Job and workflow integration:

  • Updated job steps to display Grype Habitat scan configuration and parameters during workflow execution, including origin, package, version, release, channel, and platforms.
  • Introduced a new job run-grype-hab-package-scan that runs the Grype scan for Habitat packages, using the new inputs and referencing the shared workflow in chef/common-github-actions.

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.
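The description above names two ways of obtaining the package to scan (build from the plan in the checkout, or install a published identifier from Builder on a channel) and the identifier pieces the workflow takes as inputs. The script below is an added example, not code from this PR or from chef/common-github-actions: it validates the origin, package, version and release inputs, assembles the Habitat identifier, and emits the `hab` and `grype` commands for each mode. The naming rules for identifier components, the `/hab/pkgs/<ident>` install layout and the default `high` severity threshold are assumptions made for the example; the workflow's own step layout is not shown on the page.

```shell
#!/bin/sh
# Added example (not the PR's code): validate Habitat scan inputs and build the
# commands for the two scan modes. Assumed conventions are marked below.
set -eu

# Origin and package names: lowercase alphanumerics plus '-' and '_'
# (assumed rule). Rejecting anything else is what makes it safe to pass these
# workflow inputs into a shell step.
valid_name() {
  case "$1" in
    ""|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Release: a 14-digit YYYYMMDDHHMMSS build timestamp (assumed rule).
valid_release() {
  [ "${#1}" -eq 14 ] || return 1
  case "$1" in
    *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# hab_ident ORIGIN PACKAGE [VERSION] [RELEASE]
# Prints origin/package[/version[/release]]. A release without a version is an
# error because a Habitat identifier cannot skip a component.
hab_ident() {
  local origin="$1" pkg="$2" version="${3:-}" release="${4:-}"
  valid_name "$origin" && valid_name "$pkg" || {
    echo "invalid origin or package: $origin/$pkg" >&2; return 1; }
  local ident="$origin/$pkg"
  if [ -n "$version" ]; then
    ident="$ident/$version"
    if [ -n "$release" ]; then
      valid_release "$release" || { echo "invalid release: $release" >&2; return 1; }
      ident="$ident/$release"
    fi
  elif [ -n "$release" ]; then
    echo "release given without version" >&2; return 1
  fi
  printf '%s\n' "$ident"
}

# obtain_cmd MODE IDENT [CHANNEL]
# build   -> build the plan in the current checkout (grype-hab-build-package=true)
# install -> download IDENT from Builder on CHANNEL (default: stable, assumed)
obtain_cmd() {
  local mode="$1" ident="$2" channel="${3:-stable}"
  case "$mode" in
    build)   printf '%s\n' "hab pkg build ." ;;
    install) printf '%s\n' "hab pkg install --channel $channel $ident" ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# scan_cmd IDENT [SEVERITY]
# Scans the installed package tree with Grype and fails at or above SEVERITY.
# An unqualified ident (origin/package) scans every installed version under
# that prefix, so prefer the fully qualified ident where it is known.
scan_cmd() {
  local ident="$1" severity="${2:-high}"
  printf '%s\n' "grype dir:/hab/pkgs/$ident --fail-on $severity -o table"
}

# Constructed demo inputs mirroring the PR's workflow inputs.
ident=$(hab_ident core nginx 1.25.3 20240601120000)
obtain_cmd install "$ident" stable
scan_cmd "$ident" high
```

The functions print the commands rather than executing them so a workflow step can log the exact invocation before running it; because every identifier component has already been restricted to a safe character set, the printed line can be run as-is without shell-injection risk from the inputs. In build mode the fully qualified identifier is only known after `hab pkg build` finishes, so the scan step should read it from the build result rather than from the inputs.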

1 participant
