Grype and Trivy security vulnerability scanning (#348)

* Grype and Trivy security vulnerability scanning

Signed-off-by: Sebastian <[email protected]>

* Add grype security scan in github workflows

Signed-off-by: Sebastian <[email protected]>

* Ensure Grype is installed

Signed-off-by: Sebastian <[email protected]>

* Linting

Signed-off-by: Sebastian <[email protected]>

* Fix Push to GHCR

Signed-off-by: Sebastian <[email protected]>

* Fix key-less Cosign for image

Signed-off-by: Sebastian <[email protected]>

* Add info in SECURITY.md

Signed-off-by: Sebastian <[email protected]>

* Add info in docs

Signed-off-by: Sebastian <[email protected]>

---------

Signed-off-by: Sebastian <[email protected]>
Co-authored-by: Sebastian <[email protected]>

Author: ChrisPC-39

.github/workflows/docker-image.yml

@@ -8,7 +8,7 @@
 #   - Lints the Dockerfile with **Hadolint** (CLI) → SARIF
 #   - Lints the finished image with **Dockle** (CLI) → SARIF
 #   - Generates an SPDX SBOM with **Syft**
-#   - Scans the image for CRITICAL CVEs with **Trivy**
+#   - Scans the image for CRITICAL CVEs with **Trivy/Grype**
 #   - Uploads Hadolint, Dockle and Trivy results as SARIF files
 #   - Pushes the image to **GitHub Container Registry (GHCR)**
 #   - Signs & attests the image with **Cosign (key-less OIDC)**
@@ -142,7 +142,7 @@ jobs:
           output-file: sbom.spdx.json
 
       # -------------------------------------------------------------
-      # 6️⃣  Trivy CVE scan → SARIF
+      # 6️⃣  Trivy, Grype CVE scan → SARIF
       # -------------------------------------------------------------
       - name: 🛡️  Trivy vulnerability scan
         id: trivy
@@ -160,6 +160,21 @@ jobs:
         with:
           sarif_file: trivy-results.sarif
 
+      - name: 📥 Installing Grype CLI
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+      - name: 🔍 Grype vulnerability scan
+        run: |
+          grype ${{ env.IMAGE_NAME }}:latest --scope all-layers --only-fixed
+      - name: 📄 Generating Grype SARIF report
+        run: |
+          grype ${{ env.IMAGE_NAME }}:latest --scope all-layers --output sarif --file grype-results.sarif
+      - name: ☁️  Upload Grype SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: grype-results.sarif
+
       # -------------------------------------------------------------
       # 7️⃣  Push both tags to GHCR
       # -------------------------------------------------------------
@@ -170,7 +185,8 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: 🚀  Push image to GHCR
+      - name: 🚀 Push image to GHCR
+        if: github.ref == 'refs/heads/main'
         run: |
           docker push $IMAGE_NAME:${{ env.TAG }}
           docker push $IMAGE_NAME:latest
@@ -179,9 +195,11 @@ jobs:
       # 8️⃣  Key-less Cosign sign + attest  (latest **and** timestamp)
       # -------------------------------------------------------------
       - name: 📥 Install Cosign
+        if: github.ref == 'refs/heads/main'
         uses: sigstore/cosign-installer@v3 # provides the matching CLI
 
       - name: 🔏 Sign & attest images (latest + timestamp)
+        if: github.ref == 'refs/heads/main'
         env:
           COSIGN_EXPERIMENTAL: "1"
         run: |

Makefile

@@ -509,6 +509,30 @@ check-manifest:						## 📦  Verify MANIFEST.in completeness
 	@echo "📦  Verifying MANIFEST.in completeness..."
 	@$(VENV_DIR)/bin/check-manifest
 
+# -----------------------------------------------------------------------------
+# 📑 GRYPE SECURITY/VULNERABILITY SCANNING
+# -----------------------------------------------------------------------------
+# help: grype-install             - Install Grype
+# help: grype-scan                - Scan all files using grype
+# help: grype-sarif               - Generate SARIF report
+# help: security-scan             - Run Trivy security-scan
+.PHONY: grype-install grype-scan grype-sarif security-scan
+
+grype-install:
+	@echo "📥 Installing Grype CLI..."
+	@curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+grype-scan:
+	@echo "🔍 Grype vulnerability scan..."
+	@grype $(IMG):latest --scope all-layers --only-fixed
+
+grype-sarif:
+	@echo "📄 Generating Grype SARIF report..."
+	@grype $(IMG):latest --scope all-layers --output sarif --file grype-results.sarif
+
+security-scan: trivy grype-scan
+	@echo "✅ Multi-engine security scan complete"
+
 # -----------------------------------------------------------------------------
 # 📑 YAML / JSON / TOML LINTERS
 # -----------------------------------------------------------------------------
@@ -731,12 +755,18 @@ sonar-info:
 # 🛡️  SECURITY & PACKAGE SCANNING
 # =============================================================================
 # help: 🛡️ SECURITY & PACKAGE SCANNING
+# help: trivy-install 		 - Install Trivy
 # help: trivy                - Scan container image for CVEs (HIGH/CRIT). Needs podman socket enabled
-.PHONY: trivy
+.PHONY: trivy-install trivy
+
+trivy-install:
+	@echo "📥 Installing Trivy..."
+	@curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
 trivy:
 	@systemctl --user enable --now podman.socket
 	@echo "🔎  trivy vulnerability scan..."
-	@trivy --format table --severity HIGH,CRITICAL image $(PROJECT_NAME)/$(PROJECT_NAME)
+	@trivy --format table --severity HIGH,CRITICAL image $(IMG)
 
 # help: dockle               - Lint the built container image via tarball (no daemon/socket needed)
 .PHONY: dockle

README.md

@@ -1876,6 +1876,7 @@ pysonar-scanner      - Run scan with Python wrapper (pysonar-scanner)
 sonar-info           - How to create a token & which env vars to export
 🛡️ SECURITY & PACKAGE SCANNING
 trivy                - Scan container image for CVEs (HIGH/CRIT). Needs podman socket enabled
+grype-scan           - Scan container for security audit and vulnerability scanning
 dockle               - Lint the built container image via tarball (no daemon/socket needed)
 hadolint             - Lint Containerfile/Dockerfile(s) with hadolint
 pip-audit            - Audit Python dependencies for published CVEs

SECURITY.md

@@ -75,7 +75,7 @@ Our security pipeline operates at multiple levels:
 
 **Supply Chain Security**: We maintain strict oversight of our software supply chain through automated dependency vulnerability scanning, Software Bill of Materials (SBOM) generation, and license compliance checking to ensure all components meet security standards.
 
-**Container Security Hardening**: Our containerized deployments follow security best practices including multi-stage builds, minimal base images (UBI Micro) with the latest updates, non-root user execution, read-only filesystems, and comprehensive container scanning with tools like Trivy, Dockle, and OSV-Scanner.
+**Container Security Hardening**: Our containerized deployments follow security best practices including multi-stage builds, minimal base images (UBI Micro) with the latest updates, non-root user execution, read-only filesystems, and comprehensive container scanning with tools like Trivy, Grype, Dockle, and OSV-Scanner.
 
 **Runtime Security Monitoring**: Beyond build-time security, we implement runtime monitoring and security policies to detect and respond to potential threats in production environments.
 
@@ -84,8 +84,8 @@ Our security pipeline operates at multiple levels:
 Our security toolchain includes **24+ different security and quality tools**, each serving a specific purpose in our defense strategy and executed on every pull request:
 
 - **Static Analysis Security Testing (SAST)**: CodeQL, Bandit, and multiple type checkers
-- **Dependency Vulnerability Scanning**: OSV-Scanner, Trivy, npm audit, and GitHub dependency review
-- **Container Security**: Hadolint for Dockerfile linting, Dockle for container security, and Trivy for vulnerability scanning
+- **Dependency Vulnerability Scanning**: OSV-Scanner, Trivy, Grype, npm audit, and GitHub dependency review
+- **Container Security**: Hadolint for Dockerfile linting, Dockle for container security, and Trivy/Grype for vulnerability scanning
 - **Code Quality & Complexity**: Multiple linters ensuring code maintainability and reducing attack surface
 - **Documentation Security**: Spellcheck and markdown validation to prevent information disclosure
 
@@ -98,6 +98,7 @@ We believe that security should enhance rather than hinder the development proce
 - `make test` - Full test suite with coverage analysis and security validation
 - `make bandit` - Security scanner for Python code vulnerabilities
 - `make trivy` - Container vulnerability scanning
+- `make grype-scan` - Container security audit and vulnerability scanning
 - `make dockle` - Container security and best practices analysis
 - `make hadolint` - Dockerfile linting for security issues
 - `make osv-scan` - Open Source Vulnerability database scanning
@@ -307,7 +308,8 @@ flowchart TD
     S --> S1[Hadolint - Dockerfile Linting]
     S --> S2[Dockle - Container Security]
     S --> S3[Trivy - Vulnerability Scanner]
-    S --> S4[OSV-Scanner - Open Source Vulns]
+    S --> S4[Grype - Security Audit]
+    S --> S5[OSV-Scanner - Open Source Vulns]
 
     T[Local Development] --> U[Make Targets]
 
@@ -323,9 +325,10 @@ flowchart TD
     W --> W1[make bandit - Security Scanner]
     W --> W2[make osv-scan - Vulnerability Check]
     W --> W3[make trivy - Container Security]
-    W --> W4[make dockle - Image Analysis]
-    W --> W5[make hadolint - Dockerfile Linting]
-    W --> W6[make pip-audit - Dependency Scanning]
+    W --> W4[make grype-scan - Container Vulnerability Scan]
+    W --> W5[make dockle - Image Analysis]
+    W --> W6[make hadolint - Dockerfile Linting]
+    W --> W7[make pip-audit - Dependency Scanning]
 
     X --> X1[CycloneDX SBOM Generation]
     X --> X2[Dependency Inventory]