grype changes

Signed-off-by: Vipin Yadav <vipin.yadav@progress.com>

Author: vipin230

.github/workflows/build-docker-image.yml

@@ -65,13 +65,14 @@ jobs:
             export GITHUB_TOKEN="${{ secrets.GH_TOKEN }}"
             make compose-build
 
-            echo "Detecting built images..."
-            docker compose images
-
-            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep "^${REPO_NAME}" | grep -v "^<none>")
+            echo "Detecting built images from compose config..."
+            # Only get images from services that have a build section (not pulled images like postgres, grafana, etc.)
+            IMAGES=$(docker compose config --format json 2>/dev/null | jq -r '.services[] | select(.build) | .image // empty' | sort -u | while read img; do
+              if echo "$img" | grep -q ':'; then echo "$img"; else echo "${img}:latest"; fi
+            done)
 
             if [ -z "$IMAGES" ]; then
-              echo "No images found with prefix ${REPO_NAME}, scanning all recent images"
+              echo "⚠️ Could not detect built images from compose config, falling back to docker images"
               IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | head -5)
             fi
           # Strategy 3: Fallback to standard docker build

.github/workflows/ci-main-pull-request.yml

@@ -999,17 +999,19 @@ jobs:
   run-grype-image:
     name: 'Grype Docker image scan'
     if: ${{ inputs.perform-grype-image-scan }}
-    uses: chef/common-github-actions/.github/workflows/grype.yml@main
-    needs: checkout
+    uses: chef/common-github-actions/.github/workflows/grype.yml@grype-wiz
+    needs: [checkout, build-docker-image]
     secrets: inherit
     with:
       fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
       fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
       grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}
+      prebuilt-image-artifact: docker-image-for-scans
+      prebuilt-image-names: ${{ needs.build-docker-image.outputs.image-names }}
 
   build-docker-image:
     name: 'Build Docker image for security scans'
-    if: ${{ inputs.perform-wiz-scan == true }}
+    if: ${{ inputs.perform-grype-image-scan == true || inputs.perform-wiz-scan == true }}
     uses: chef/common-github-actions/.github/workflows/build-docker-image.yml@grype-wiz
     needs: checkout
     secrets: inherit

.github/workflows/grype.yml

@@ -22,6 +22,16 @@ on:
         required: false
         type: boolean
         default: false
+      prebuilt-image-artifact:
+        description: 'Name of uploaded artifact containing a Docker image tar (skip Docker build if provided)'
+        required: false
+        type: string
+        default: ''
+      prebuilt-image-names:
+        description: 'Space-separated list of Docker image:tag names inside the prebuilt artifact tar'
+        required: false
+        type: string
+        default: ''
 
 jobs:
   grype-scan:
@@ -65,13 +75,29 @@ jobs:
         if: ${{ !inputs.grype-image-skip-aws }}
         uses: aws-actions/amazon-ecr-login@v2
 
-      - name: Scan with Grype
-        id: grype-scan
+      - name: Download prebuilt Docker image
+        if: ${{ inputs.prebuilt-image-artifact != '' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.prebuilt-image-artifact }}
+          path: /tmp
+
+      - name: Load prebuilt Docker image
+        id: load-image
+        if: ${{ inputs.prebuilt-image-artifact != '' }}
+        run: |
+          echo "Loading prebuilt images from artifact..."
+          docker load -i /tmp/docker-image.tar
+          echo "IMAGES=${{ inputs.prebuilt-image-names }}" >> "$GITHUB_OUTPUT"
+          echo "Loaded images: ${{ inputs.prebuilt-image-names }}"
+          docker images
+
+      - name: Build Docker image
+        id: build-image
+        if: ${{ inputs.prebuilt-image-artifact == '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         run: |
-          SCAN_NAME="${{ github.repository }}"
-          
           if [ ! -f "Dockerfile" ]; then
             echo "❌ No Dockerfile found - this workflow requires a Dockerfile to scan Docker image"
             exit 1
@@ -100,13 +126,14 @@ jobs:
             export GITHUB_TOKEN="${{ secrets.GH_TOKEN }}"
             make compose-build
             
-            echo "Detecting built images..."
-            docker compose images
-            
-            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep "^${REPO_NAME}" | grep -v "^<none>")
+            echo "Detecting built images from compose config..."
+            # Only get images from services that have a build section (not pulled images like postgres, grafana, etc.)
+            IMAGES=$(docker compose config --format json 2>/dev/null | jq -r '.services[] | select(.build) | .image // empty' | sort -u | while read img; do
+              if echo "$img" | grep -q ':'; then echo "$img"; else echo "${img}:latest"; fi
+            done)
             
             if [ -z "$IMAGES" ]; then
-              echo "No images found with prefix ${REPO_NAME}, scanning all recent images"
+              echo "⚠️ Could not detect built images from compose config, falling back to docker images"
               IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | head -5)
             fi
           # Strategy 3: Fallback to standard docker build
@@ -121,6 +148,28 @@ jobs:
             exit 1
           fi
           
+          echo "IMAGES=$(echo $IMAGES | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
+          echo "Found images: $IMAGES"
+
+      - name: Determine scan targets
+        id: scan-target
+        run: |
+          IMAGES="${{ steps.load-image.outputs.IMAGES || steps.build-image.outputs.IMAGES }}"
+          if [ -z "$IMAGES" ]; then
+            echo "❌ No images available to scan"
+            exit 1
+          fi
+          echo "IMAGES=$IMAGES" >> "$GITHUB_OUTPUT"
+          echo "Scan targets: $IMAGES"
+
+      - name: Scan with Grype
+        id: grype-scan
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          SCAN_NAME="${{ github.repository }}"
+          IMAGES="${{ steps.scan-target.outputs.IMAGES }}"
+          
           echo "Found images to scan:"
           echo "$IMAGES"
           

.github/workflows/wiz.yml

@@ -115,13 +115,14 @@ jobs:
             export GITHUB_TOKEN="${{ secrets.GH_TOKEN }}"
             make compose-build
 
-            echo "Detecting built images..."
-            docker compose images
-
-            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep "^${REPO_NAME}" | grep -v "^<none>")
+            echo "Detecting built images from compose config..."
+            # Only get images from services that have a build section (not pulled images like postgres, grafana, etc.)
+            IMAGES=$(docker compose config --format json 2>/dev/null | jq -r '.services[] | select(.build) | .image // empty' | sort -u | while read img; do
+              if echo "$img" | grep -q ':'; then echo "$img"; else echo "${img}:latest"; fi
+            done)
 
             if [ -z "$IMAGES" ]; then
-              echo "No images found with prefix ${REPO_NAME}, scanning all recent images"
+              echo "⚠️ Could not detect built images from compose config, falling back to docker images"
               IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | head -5)
             fi
           # Strategy 3: Fallback to standard docker build