Fixes in grype

Signed-off-by: sandhi <sagarwal@progress.com>

Author: sandhi18

.github/workflows/ci-main-pull-request.yml

@@ -41,6 +41,16 @@ name: CI flow containing PR checks for main & release, v2
 on:
   workflow_call:
     inputs:
+      github-token:
+        description: 'GitHub token for private repo access (pass secrets.GH_TOKEN or secrets.GITHUB_TOKEN, auto-detected if not provided)'
+        required: false
+        type: string
+        default: ''
+      github-event-name:
+        description: 'GitHub event name (pass github.event_name from calling workflow for PR comment detection)'
+        required: false
+        type: string
+        default: ''
       application:
         # NEW IN 1.0.7 
         description: 'Application set in repository custom properties, typically primaryApplication'
@@ -146,6 +156,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-image-skip-aws:
+        description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
+        required: false
+        type: boolean
+        default: false
       build:
         description: 'CI Build (language-specific)'
         required: false
@@ -474,6 +489,7 @@ on:
       #   type: string
 
 env:
+  GITHUB_TOKEN_TO_USE: ${{ inputs.github-token != '' && inputs.github-token || secrets.GH_TOKEN != '' && secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
   PRIMARY_APPLICATION: ${{ inputs.application }} # was 'default'   # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
   REPO_VISIBILITY: ${{ github.event.repository.visibility }}
   REPO_NAME: ${{ github.event.repository.name }}
@@ -509,7 +525,7 @@ jobs:
           echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
         continue-on-error: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN_TO_USE }} 
 
       - name: generate-filename-slug
         # description: Generate a simple slug based on repo and date for use in any output artifacts
@@ -713,7 +729,7 @@ jobs:
         if: inputs.language == 'go'
         env:
           GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
       - name: Go linting and security checks  
         if: inputs.language == 'go'
         run: echo "Running Go linting and security checks"
@@ -884,12 +900,13 @@ jobs:
   run-grype-image:
     name: 'Grype Docker image scan'
     if: ${{ inputs.perform-grype-image-scan }}
-    uses: chef/common-github-actions/.github/workflows/grype.yml@main
+    uses: chef/common-github-actions/.github/workflows/grype.yml@sandhi/fixes-for-chef-org
     needs: checkout
     secrets: inherit
     with:
       fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
       fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
+      grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}
 
     # run-srcclr:
     #   if: ${{ inputs.perform-srcclr-scan == true }}
@@ -922,7 +939,7 @@ jobs:
         if: inputs.language == 'go'
         env:
           GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
       - name: 'Go build'
         if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
         continue-on-error: true
@@ -1194,7 +1211,7 @@ jobs:
           fetch-depth: 0
 
       - name: Configure git for private
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install build tools for Erlang
         if: inputs.language == 'erlang'
@@ -1271,7 +1288,7 @@ jobs:
           polaris_application_name: "${{ inputs.polaris-application-name }}"  
           # project name schema: <Solution>-<Product>-<Module If Applicable>-<Optional Numeric Suffix If Needed>
           polaris_project_name: ${{ inputs.polaris-project-name }}  # typically GitHub repo name 
-          polaris_assessment_types: "SAST" # or "CI" or "SOURCE_UPLOAD", a license type
+          polaris_assessment_types: ${{ inputs.github-event-name == 'pull_request' && 'CI' || 'SAST' }} # CI mode for PRs (incremental), SAST for full scans
           # new in 1.0.7, OPTIONAL FIELDS
           project_directory: ${{ inputs.polaris-working-directory }}
           detect_config_path: ${{ inputs.polaris-config-path != '' && inputs.polaris-config-path || null}}
@@ -1281,7 +1298,7 @@ jobs:
           coverity_args: ${{ inputs.polaris-coverity-args != '' && inputs.polaris-coverity-args || null }}
           detect_search_depth: ${{ inputs.polaris-detect-search-depth != '' && inputs.polaris-detect-search-depth || null }}
           detect_args: ${{ inputs.polaris-detect-args != '' && inputs.polaris-detect-args || null }}
-          polaris_assessment_mode: ${{ inputs.polaris-assessment-mode }}
+          polaris_assessment_types: "SAST" # or "CI" or "SOURCE_UPLOAD", a license type
           # TODO: warning in GA - polaris_assessment_mode is deprecated. Use polaris_test_sast_location=remote and/or polaris_test_sca_location=remote for source upload scans instead.
           polaris_waitForScan: 'true' #  ${{ inputs.polaris-wait-for-scan }} # defaults to true - is this a boolean or string?
           # not yet enabled from https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/README.md 
@@ -1291,7 +1308,9 @@ jobs:
           # include_diagnostics: ${{ inputs.polaris-diagnostic }}
           # mark_build_status: ${{ inputs.polaris-mark-build-status != '' && inputs.polaris-mark-build-status || null }}
           # pr-comment-severities: "CRITICAL,HIGH"
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          polaris_prComment_enabled: ${{ inputs.github-event-name == 'pull_request' && 'true' || 'false' }}
+          # polaris_prComment_severities: "CRITICAL,HIGH"
+          github_token: ${{ env.GITHUB_TOKEN_TO_USE }}
 
           # options from Jan's (FlowMon. GitLab)
           #   polaris_prComment_enabled: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}

.github/workflows/grype.yml

@@ -17,6 +17,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-image-skip-aws:
+        description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   grype-scan:
@@ -42,6 +47,7 @@ jobs:
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
+        if: ${{ !inputs.grype-image-skip-aws }}
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -50,6 +56,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
+        if: ${{ !inputs.grype-image-skip-aws }}
         uses: aws-actions/amazon-ecr-login@v2
 
       - name: Scan with Grype
@@ -133,9 +140,9 @@ jobs:
           fi
           
           # Extract vulnerability counts by severity from multiple JSON documents
-          # Use jq -s to slurp all JSON objects and combine matches
-          CRITICAL_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "Critical")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
-          HIGH_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "High")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
+          # Use jq -s to slurp, deduplicate by CVE+package+version, then count
+          CRITICAL_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "Critical")] | unique_by(.vulnerability.id + .artifact.name + .artifact.version) | length' "$JSON_FILE" 2>/dev/null || echo "0")
+          HIGH_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "High")] | unique_by(.vulnerability.id + .artifact.name + .artifact.version) | length' "$JSON_FILE" 2>/dev/null || echo "0")
           
           echo ""
           echo "============================================"