Merge pull request #290 from nodevault/copilot/add-vulnerability-scanner

aviadhahami · web-flow · commit e2b962524d31 · 2026-03-21T15:16:17.000+02:00
Add Grype vulnerability scanner workflow
diff --git a/.github/workflows/vulnerability-scan.yaml b/.github/workflows/vulnerability-scan.yaml
@@ -0,0 +1,34 @@
+name: Vulnerability Scan
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  grype-vulnerability-scan:
+    name: Grype Vulnerability Scan 🔍
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Scan for vulnerabilities
+        uses: anchore/scan-action@v7
+        id: scan
+        with:
+          path: "."
+          fail-build: true
+          severity-cutoff: high
+          output-format: sarif
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
