
Commit e870a14

committed
Add Grype scan for hab
Signed-off-by: sandhi <sagarwal@progress.com>
1 parent 4520363 commit e870a14


2 files changed

+483
-0
lines changed


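--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -161,6 +161,46 @@ on:
         required: false
         type: boolean
         default: false
+      perform-grype-hab-scan:
+        description: 'Perform Grype scan on published Habitat packages from bldr.habitat.sh'
+        required: false
+        type: boolean
+        default: false
+      grype-hab-package:
+        description: 'Habitat package to scan (e.g., chef-platform/node-management-agent)'
+        required: false
+        type: string
+        default: ''
+      grype-hab-version:
+        description: 'Habitat package version (optional - scans latest from channel if not specified)'
+        required: false
+        type: string
+        default: ''
+      grype-hab-release:
+        description: 'Habitat package release (optional - scans latest from channel if not specified)'
+        required: false
+        type: string
+        default: ''
+      grype-hab-channel:
+        description: 'Habitat package channel (e.g., stable, base, unstable, base-2025, lts-2024)'
+        required: false
+        type: string
+        default: 'stable'
+      grype-hab-scan-linux:
+        description: 'Scan Linux (x86_64-linux) Habitat package'
+        required: false
+        type: boolean
+        default: true
+      grype-hab-scan-windows:
+        description: 'Scan Windows (x86_64-windows) Habitat package'
+        required: false
+        type: boolean
+        default: false
+      grype-hab-scan-macos:
+        description: 'Scan MacOS (x86_64-darwin) Habitat package'
+        required: false
+        type: boolean
+        default: false
       build:
         description: 'CI Build (language-specific)'
         required: false
@@ -566,6 +606,13 @@ jobs:
             echo " trivy"
           fi
 
+          if [ ${{ inputs.perform-grype-hab-scan }} ]; then
+            echo "** GRYPE HABITAT PACKAGE SCAN **********************************************************"
+            echo " Scanning Habitat package: ${{ inputs.grype-hab-package }}"
+            echo " Version: ${{ inputs.grype-hab-version }} Release: ${{ inputs.grype-hab-release }} Channel: ${{ inputs.grype-hab-channel }}"
+            echo " Platforms: Linux=${{ inputs.grype-hab-scan-linux }} Windows=${{ inputs.grype-hab-scan-windows }} MacOS=${{ inputs.grype-hab-scan-macos }}"
+          fi
+
           if [ ${{ inputs.build }} ]; then
             echo "** BUILD AND UNIT TEST *************************************************************"
             echo " Repository build profile $GA_BUILD_PROFILE [${{ inputs.build-profile }}]"
@@ -909,6 +956,23 @@ jobs:
       fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
       fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
       grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}
+
+  run-grype-hab-package-scan:
+    name: 'Grype scan Habitat packages from bldr.habitat.sh'
+    if: ${{ inputs.perform-grype-hab-scan == true }}
+    uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@sandhi/add-hab-grype
+    needs: checkout
+    secrets: inherit
+    with:
+      hab_package: ${{ inputs.grype-hab-package }}
+      hab_version: ${{ inputs.grype-hab-version }}
+      hab_release: ${{ inputs.grype-hab-release }}
+      hab_channel: ${{ inputs.grype-hab-channel }}
+      scan-linux: ${{ inputs.grype-hab-scan-linux }}
+      scan-windows: ${{ inputs.grype-hab-scan-windows }}
+      scan-macos: ${{ inputs.grype-hab-scan-macos }}
+      fail-grype-on-high: ${{ inputs.grype-fail-on-high }}
+      fail-grype-on-critical: ${{ inputs.grype-fail-on-critical }}
 
   # run-srcclr:
   # if: ${{ inputs.perform-srcclr-scan == true }}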
