|
161 | 161 | required: false |
162 | 162 | type: boolean |
163 | 163 | default: false |
| 164 | + perform-grype-hab-scan: |
| 165 | + description: 'Perform Grype scan on published Habitat packages from bldr.habitat.sh' |
| 166 | + required: false |
| 167 | + type: boolean |
| 168 | + default: false |
| 169 | + grype-hab-build-package: |
| 170 | + description: 'Build Habitat package from source before scanning (requires checkout)' |
| 171 | + required: false |
| 172 | + type: boolean |
| 173 | + default: false |
| 174 | + grype-hab-origin: |
| 175 | + description: 'Habitat origin (e.g., chef-platform)' |
| 176 | + required: false |
| 177 | + type: string |
| 178 | + default: '' |
| 179 | + grype-hab-package: |
| 180 | + description: 'Habitat package name (e.g., node-management-agent)' |
| 181 | + required: false |
| 182 | + type: string |
| 183 | + default: '' |
| 184 | + grype-hab-version: |
| 185 | + description: 'Habitat package version (optional - scans latest from channel if not specified)' |
| 186 | + required: false |
| 187 | + type: string |
| 188 | + default: '' |
| 189 | + grype-hab-release: |
| 190 | + description: 'Habitat package release (optional - scans latest from channel if not specified)' |
| 191 | + required: false |
| 192 | + type: string |
| 193 | + default: '' |
| 194 | + grype-hab-channel: |
| 195 | + description: 'Habitat package channel (e.g., stable, base, unstable, base-2025, lts-2024)' |
| 196 | + required: false |
| 197 | + type: string |
| 198 | + default: 'stable' |
| 199 | + grype-hab-scan-linux: |
| 200 | + description: 'Scan Linux (x86_64-linux) Habitat package' |
| 201 | + required: false |
| 202 | + type: boolean |
| 203 | + default: true |
| 204 | + grype-hab-scan-windows: |
| 205 | + description: 'Scan Windows (x86_64-windows) Habitat package' |
| 206 | + required: false |
| 207 | + type: boolean |
| 208 | + default: false |
| 209 | + grype-hab-scan-macos: |
| 210 | + description: 'Scan MacOS (x86_64-darwin) Habitat package' |
| 211 | + required: false |
| 212 | + type: boolean |
| 213 | + default: false |
164 | 214 | build: |
165 | 215 | description: 'CI Build (language-specific)' |
166 | 216 | required: false |
@@ -566,6 +616,17 @@ jobs: |
566 | 616 | echo " trivy" |
567 | 617 | fi |
568 | 618 |
|
| 619 | + if [ ${{ inputs.perform-grype-hab-scan }} ]; then |
| 620 | + echo "** GRYPE HABITAT PACKAGE SCAN **********************************************************" |
| 621 | + echo " Mode: ${{ inputs.grype-hab-build-package == true && 'Build from source' || 'Download from Builder' }}" |
| 622 | + if [ ${{ inputs.grype-hab-build-package }} ]; then |
| 623 | + echo " Origin: ${{ inputs.grype-hab-origin }}" |
| 624 | + fi |
| 625 | + echo " Scanning Habitat package: ${{ inputs.grype-hab-origin }}/${{ inputs.grype-hab-package }}" |
| 626 | + echo " Version: ${{ inputs.grype-hab-version }} Release: ${{ inputs.grype-hab-release }} Channel: ${{ inputs.grype-hab-channel }}" |
| 627 | + echo " Platforms: Linux=${{ inputs.grype-hab-scan-linux }} Windows=${{ inputs.grype-hab-scan-windows }} MacOS=${{ inputs.grype-hab-scan-macos }}" |
| 628 | + fi |
| 629 | +
|
569 | 630 | if [ ${{ inputs.build }} ]; then |
570 | 631 | echo "** BUILD AND UNIT TEST *************************************************************" |
571 | 632 | echo " Repository build profile $GA_BUILD_PROFILE [${{ inputs.build-profile }}]" |
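Review bot: The gates at new lines 619 and 622 test `[ ${{ inputs.perform-grype-hab-scan }} ]` and `[ ${{ inputs.grype-hab-build-package }} ]`, and a single-argument `[ ... ]` is true for any non-empty string, so the Habitat banner and the `Origin:` line print for `false` as well as `true`; this mirrors the pre-existing `[ ${{ inputs.build }} ]` at line 630, which has the same flaw, so the fix is `if [ "${{ inputs.perform-grype-hab-scan }}" = "true" ]; then` (and likewise at 622). Lines 623 and 625-627 also splice the string inputs `grype-hab-origin`, `grype-hab-package`, `grype-hab-version`, `grype-hab-release` and `grype-hab-channel` straight into the shell script; since these look like reusable-workflow inputs, the calling workflow controls that text and the shell will interpret any metacharacters in it. The safer shape is to map those inputs into the step's `env:` and reference them as quoted shell variables, as sketched below; the `run:` block and step header begin before this hunk, so the `env:` placement is inferred.
```yaml
# … unchanged: step header and earlier summary output …
env:
  HAB_ORIGIN: ${{ inputs.grype-hab-origin }}
  HAB_PACKAGE: ${{ inputs.grype-hab-package }}
  HAB_VERSION: ${{ inputs.grype-hab-version }}
  HAB_RELEASE: ${{ inputs.grype-hab-release }}
  HAB_CHANNEL: ${{ inputs.grype-hab-channel }}
run: |
  # … unchanged: trivy summary lines …
  if [ "${{ inputs.perform-grype-hab-scan }}" = "true" ]; then
    echo "** GRYPE HABITAT PACKAGE SCAN **********************************************************"
    echo "  Mode: ${{ inputs.grype-hab-build-package == true && 'Build from source' || 'Download from Builder' }}"
    if [ "${{ inputs.grype-hab-build-package }}" = "true" ]; then
      echo "  Origin: $HAB_ORIGIN"
    fi
    echo "  Scanning Habitat package: $HAB_ORIGIN/$HAB_PACKAGE"
    echo "  Version: $HAB_VERSION Release: $HAB_RELEASE Channel: $HAB_CHANNEL"
    echo "  Platforms: Linux=${{ inputs.grype-hab-scan-linux }} Windows=${{ inputs.grype-hab-scan-windows }} MacOS=${{ inputs.grype-hab-scan-macos }}"
  fi
  # … unchanged: build summary …
```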
@@ -909,6 +970,25 @@ jobs: |
909 | 970 | fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }} |
910 | 971 | fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }} |
911 | 972 | grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }} |
| 973 | + |
| 974 | + run-grype-hab-package-scan: |
| 975 | + name: 'Grype scan Habitat packages from bldr.habitat.sh' |
| 976 | + if: ${{ inputs.perform-grype-hab-scan == true }} |
| 977 | + uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@main |
| 978 | + needs: checkout |
| 979 | + secrets: inherit |
| 980 | + with: |
| 981 | + build_package: ${{ inputs.grype-hab-build-package }} |
| 982 | + hab_origin: ${{ inputs.grype-hab-origin }} |
| 983 | + hab_package: ${{ inputs.grype-hab-package }} |
| 984 | + hab_version: ${{ inputs.grype-hab-version }} |
| 985 | + hab_release: ${{ inputs.grype-hab-release }} |
| 986 | + hab_channel: ${{ inputs.grype-hab-channel }} |
| 987 | + scan-linux: ${{ inputs.grype-hab-scan-linux }} |
| 988 | + scan-windows: ${{ inputs.grype-hab-scan-windows }} |
| 989 | + scan-macos: ${{ inputs.grype-hab-scan-macos }} |
| 990 | + fail-grype-on-high: ${{ inputs.grype-fail-on-high }} |
| 991 | + fail-grype-on-critical: ${{ inputs.grype-fail-on-critical }} |
912 | 992 |
|
913 | 993 | # run-srcclr: |
914 | 994 | # if: ${{ inputs.perform-srcclr-scan == true }} |
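Review bot: The new `run-grype-hab-package-scan` job at new lines 977-979 calls the reusable workflow at a mutable `@main` ref while passing `secrets: inherit`, so every secret available to the caller is handed to whatever that branch contains at run time rather than to a reviewed revision; pin it with `uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@<tag-or-commit-sha>`. I cannot see from this page whether the file's other `uses:` references are also on `@main`; if they are, this is the existing convention and is best changed together. Separately, lines 990-991 read `inputs.grype-fail-on-high` and `inputs.grype-fail-on-critical`, whereas the neighbouring image-scan job at lines 970-971 reads `grype-image-fail-on-high` / `grype-image-fail-on-critical`; confirm the `grype-fail-on-*` inputs are declared in the inputs block (outside this hunk), because an undeclared input is likely to expand to an empty value and silently disable the fail thresholds.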
|