Replace scan-snyk with scan-grype and fix workflow permissions (#857)

claude-helper-bot[bot] · claude-helper-bot[bot] · web-flow · commit 8c260fa58de9 · 2026-03-13T21:35:45.000+01:00
Co-authored-by: claude-helper-bot[bot] &lt;3031036+claude-helper-bot[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml
@@ -6,6 +6,10 @@ on:
     branches:
       - "**"
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   gosec:
     uses: ckotzbauer/actions-toolkit/.github/workflows/toolkit-lint.yml@5eba4a9063c75ab16cc2c98722ea493f71159331 # 0.53.1
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -7,6 +7,12 @@ on:
         description: "Version"
         required: true
 
+permissions:
+  actions: read
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   release:
     uses: ckotzbauer/actions-toolkit/.github/workflows/toolkit-release-goreleaser.yml@5eba4a9063c75ab16cc2c98722ea493f71159331 # 0.53.1
diff --git a/.github/workflows/release-job-image.yml b/.github/workflows/release-job-image.yml
@@ -34,6 +34,11 @@ on:
       ghcr-password:
         required: false
 
+permissions:
+  actions: read
+  contents: read
+  packages: read
+
 jobs:
   release-job-image:
     permissions:
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -4,6 +4,11 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+
 jobs:
   review:
     uses: ckotzbauer/actions-toolkit/.github/workflows/toolkit-review.yml@5eba4a9063c75ab16cc2c98722ea493f71159331 # 0.53.1
diff --git a/.github/workflows/scan-grype.yml b/.github/workflows/scan-grype.yml
@@ -0,0 +1,22 @@
+name: scan-grype
+
+on:
+  schedule:
+    - cron: "0 12 * * 1"
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: read
+  security-events: write
+
+jobs:
+  scan-scan:
+    uses: ckotzbauer/actions-toolkit/.github/workflows/toolkit-scan.yml@0.55.1
+    with:
+      docker-tag: ghcr.io/ckotzbauer/sbom-operator:latest
+
+  scan-vcn:
+    uses: ckotzbauer/actions-toolkit/.github/workflows/toolkit-scan.yml@0.55.1
+    with:
+      docker-tag: ghcr.io/ckotzbauer/sbom-operator/vcn:latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,6 +6,11 @@ on:
     branches:
       - "**"
 
+permissions:
+  actions: read
+  contents: read
+  packages: read
+
 jobs:
   test:
     uses: ckotzbauer/actions-toolkit/.github/workflows/toolkit-build-test.yml@5eba4a9063c75ab16cc2c98722ea493f71159331 # 0.53.1
diff --git a/.github/workflows/update-snyk.yml b/.github/workflows/update-snyk.yml
