refactor(security): migrate from Docker Scout to Grype for container scanning

- Replace Docker Scout with Grype (Anchore) for vulnerability scanning
- Remove Trivy filesystem scanning target (unused)
- Add check-grype make target for tool availability checking
- Update build-containers.sh with Grype-based scan_image_vulnerabilities()
- Update build-container-oracle.sh run_security_scan() function
- Update make-containers-dev-local.sh security scanning
- Update CLAUDE.md documentation references

Consolidates on Anchore toolchain: Syft for SBOM, Grype for CVE scanning.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: ericfitz

CLAUDE.md

@@ -78,14 +78,15 @@ The major version remains at 0 during initial development. Version updates are f
 - Stop observability: `make observability-stop` (stops monitoring services), `make obs-stop` (alias)
 - Clean observability: `make observability-clean` (removes monitoring data), `make obs-clean` (alias)
 
-### Container Management (Docker Scout Integration)
+### Container Management (Grype Integration)
 
 - Build individual containers (faster for iterative development):
   - `make build-container-db` (PostgreSQL container only)
   - `make build-container-redis` (Redis container only)
   - `make build-container-tmi` (TMI server container only)
 - Build all containers: `make build-containers` (builds db, redis, tmi serially)
-- Security scan: `make scan-containers` (scans containers for vulnerabilities using Docker Scout)
+- Check scanner: `make check-grype` (verify Grype vulnerability scanner is installed)
+- Security scan: `make scan-containers` (scans containers for vulnerabilities using Grype)
 - Security report: `make report-containers` (generates comprehensive security report)
 - Container development: `make containers-dev` (builds and starts containers, no server)
 - Full container workflow: `make containers-all` (builds containers and generates reports)

Makefile

@@ -945,34 +945,23 @@ analyze-cats-results: parse-cats-results query-cats-results  ## Parse and query
 # CONTAINER SECURITY AND BUILD MANAGEMENT
 # ============================================================================
 
-.PHONY: build-containers build-container-db build-container-redis build-container-tmi build-container-oracle build-container-oracle-push build-container-redis-oracle build-container-redis-oracle-push build-containers-oracle build-containers-oracle-push scan-containers scan-trivy report-containers update-docker-scout
-
-# Update Docker Scout CLI
-update-docker-scout:
-	$(call log_info,Updating Docker Scout CLI...)
-	@curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
-	@sh install-scout.sh
-	@rm -f install-scout.sh
-	$(call log_success,Docker Scout CLI updated successfully)
+.PHONY: build-containers build-container-db build-container-redis build-container-tmi build-container-oracle build-container-oracle-push build-container-redis-oracle build-container-redis-oracle-push build-containers-oracle build-containers-oracle-push scan-containers report-containers
 
 # Build PostgreSQL container only
-build-container-db:
+build-container-db: check-grype
 	$(call log_info,Building PostgreSQL container...)
-	@$(MAKE) -f $(MAKEFILE_LIST) update-docker-scout
 	@./scripts/build-containers.sh postgresql
 	$(call log_success,PostgreSQL container built successfully)
 
 # Build Redis container only
-build-container-redis:
+build-container-redis: check-grype
 	$(call log_info,Building Redis container...)
-	@$(MAKE) -f $(MAKEFILE_LIST) update-docker-scout
 	@./scripts/build-containers.sh redis
 	$(call log_success,Redis container built successfully)
 
 # Build TMI server container only
-build-container-tmi:
+build-container-tmi: check-grype
 	$(call log_info,Building TMI server container...)
-	@$(MAKE) -f $(MAKEFILE_LIST) update-docker-scout
 	@./scripts/build-containers.sh application
 	$(call log_success,TMI server container built successfully)
 
@@ -1023,46 +1012,32 @@ build-containers: build-container-db build-container-redis build-container-tmi
 	$(call log_success,All containers built successfully)
 
 # Run security scan on existing containers
-scan-containers:
+scan-containers: check-grype
 	$(call log_info,Running security scans on container images...)
-	@$(MAKE) -f $(MAKEFILE_LIST) update-docker-scout
-	@if ! command -v docker scout >/dev/null 2>&1; then \
-		$(call log_error,Docker Scout not available after update. Installation may have failed); \
-		exit 1; \
-	fi
 	@mkdir -p security-reports
 	@echo "Scanning cgr.dev/chainguard/postgres:latest..."
-	@docker scout cves cgr.dev/chainguard/postgres:latest --only-severity critical,high > security-reports/postgresql-scan.txt 2>&1 || true
+	@grype cgr.dev/chainguard/postgres:latest -o sarif > security-reports/postgresql-scan.sarif 2>/dev/null || true
+	@grype cgr.dev/chainguard/postgres:latest -o table > security-reports/postgresql-scan.txt 2>&1 || true
 	@echo "Scanning tmi/tmi-redis:latest..."
-	@docker scout cves tmi/tmi-redis:latest --only-severity critical,high > security-reports/redis-scan.txt 2>&1 || true
+	@grype tmi/tmi-redis:latest -o sarif > security-reports/redis-scan.sarif 2>/dev/null || true
+	@grype tmi/tmi-redis:latest -o table > security-reports/redis-scan.txt 2>&1 || true
 	@if [ -f "Dockerfile.dev" ]; then \
 		echo "Building and scanning application image..."; \
 		docker build -f Dockerfile.dev -t tmi-temp-scan:latest . >/dev/null 2>&1 || true; \
-		docker scout cves tmi-temp-scan:latest --only-severity critical,high > security-reports/application-scan.txt 2>&1 || true; \
+		grype tmi-temp-scan:latest -o sarif > security-reports/application-scan.sarif 2>/dev/null || true; \
+		grype tmi-temp-scan:latest -o table > security-reports/application-scan.txt 2>&1 || true; \
 		docker rmi tmi-temp-scan:latest >/dev/null 2>&1 || true; \
 	fi
 	$(call log_success,Security scans completed. Reports in security-reports/)
 
-# Run Trivy filesystem security scan
-scan-trivy:
-	$(call log_info,Running Trivy filesystem security scan...)
-	@if ! command -v trivy >/dev/null 2>&1; then \
-		$(call log_error,Trivy not found. Please install it first.); \
-		$(call log_info,See: https://aquasecurity.github.io/trivy/); \
-		$(call log_info,On MacOS with Homebrew: brew install trivy); \
-		exit 1; \
-	fi
-	@trivy fs --ignorefile ./.trivyignore.yaml .
-	$(call log_success,Trivy filesystem scan completed)
-
 # Generate comprehensive security report
 report-containers: scan-containers
 	$(call log_info,Generating container security report...)
 	@mkdir -p security-reports
 	@echo "# TMI Container Security Report" > security-reports/security-summary.md
 	@echo "" >> security-reports/security-summary.md
 	@echo "**Generated:** $$(date)" >> security-reports/security-summary.md
-	@echo "**Scanner:** Docker Scout" >> security-reports/security-summary.md
+	@echo "**Scanner:** Grype (Anchore)" >> security-reports/security-summary.md
 	@echo "" >> security-reports/security-summary.md
 	@echo "## Vulnerability Summary" >> security-reports/security-summary.md
 	@echo "" >> security-reports/security-summary.md
@@ -1375,7 +1350,7 @@ clean-wstest:
 # SBOM GENERATION - Software Bill of Materials
 # ============================================================================
 
-.PHONY: check-cyclonedx check-syft generate-sbom generate-sbom-all build-with-sbom build-server-sbom
+.PHONY: check-cyclonedx check-syft check-grype generate-sbom generate-sbom-all build-with-sbom build-server-sbom
 
 # Check for cyclonedx-gomod (Go components)
 check-cyclonedx:
@@ -1401,6 +1376,18 @@ check-syft:
 	fi
 	@$(call log_success,Syft is available)
 
+# Check for Grype (container vulnerability scanning)
+check-grype:
+	@if ! command -v grype >/dev/null 2>&1; then \
+		$(call log_error,Grype not found); \
+		echo ""; \
+		$(call log_info,Install using:); \
+		echo "  Homebrew: brew install grype"; \
+		echo "  Script:   curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"; \
+		exit 1; \
+	fi
+	@$(call log_success,Grype is available)
+
 # Generate SBOM for Go application only
 generate-sbom: check-cyclonedx
 	$(call log_info,Generating SBOM for Go application...)
@@ -1618,8 +1605,8 @@ help:
 	@echo "  reset-db-oci           - Drop all tables in OCI ADB (destructive)"
 	@echo "  clean-dev              - Clean development environment"
 	@echo ""
-	@echo "Container Management (Docker Scout Integration):"
-	@echo "  update-docker-scout          - Update Docker Scout CLI to latest version"
+	@echo "Container Management (Grype Integration):"
+	@echo "  check-grype                  - Verify Grype vulnerability scanner is installed"
 	@echo "  build-container-db           - Build PostgreSQL container only"
 	@echo "  build-container-redis        - Build Redis container only"
 	@echo "  build-container-tmi          - Build TMI server container only"
@@ -1631,7 +1618,6 @@ help:
 	@echo "  build-containers-oracle-push - Build and push all Oracle containers"
 	@echo "  build-containers             - Build all containers (db, redis, tmi serially)"
 	@echo "  scan-containers              - Scan existing containers for vulnerabilities"
-	@echo "  scan-trivy                   - Run Trivy filesystem security scan"
 	@echo "  report-containers            - Generate comprehensive security report"
 	@echo "  start-containers-environment - Start development with containers"
 	@echo "  build-containers-all         - Run full container build and report"

scripts/build-container-oracle.sh

@@ -368,26 +368,24 @@ run_security_scan() {
 
     log_info "Running security scan on ${component} container image..."
 
-    # Check for Docker Scout
-    if docker scout version &> /dev/null 2>&1; then
-        log_info "Using Docker Scout for security scanning..."
+    # Check for Grype
+    if command -v grype &> /dev/null; then
+        log_info "Using Grype for security scanning..."
 
         # Create reports directory
         local reports_dir="${PROJECT_ROOT}/security-reports/oracle-container"
         mkdir -p "$reports_dir"
 
-        # Run CVE scan
-        docker scout cves "${image_name}:${TAG}" \
-            --format sarif \
-            --output "${reports_dir}/${component}-cve-report.sarif.json" 2>/dev/null || true
+        # Run CVE scan with SARIF output
+        grype "${image_name}:${TAG}" -o sarif > "${reports_dir}/${component}-cve-report.sarif.json" 2>/dev/null || true
 
-        # Show summary
-        docker scout cves "${image_name}:${TAG}" --format summary 2>/dev/null || true
+        # Show summary table
+        grype "${image_name}:${TAG}" -o table 2>/dev/null || true
 
         log_success "Security scan complete. Report: ${reports_dir}/${component}-cve-report.sarif.json"
     else
-        log_warn "Docker Scout not available. Skipping security scan."
-        log_info "Install Docker Scout: curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh"
+        log_warn "Grype not available. Skipping security scan."
+        log_info "Install Grype: brew install grype"
     fi
 
     # Generate SBOM if syft is available

scripts/build-containers.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-# Container Build Script with Docker Scout Security Scanning and Patching
-# This script builds container images with automated vulnerability patching
+# Container Build Script with Grype Security Scanning
+# This script builds container images with automated vulnerability scanning using Grype (Anchore)
 
 set -e           # Exit immediately if a command exits with a non-zero status
 set -o pipefail  # Exit if any command in a pipeline fails
@@ -48,17 +48,19 @@ log_error() {
     echo -e "${RED}[ERROR]${NC} $1"
 }
 
-# Function to check if Docker Scout is available
-check_docker_scout() {
-    if ! docker scout version >/dev/null 2>&1; then
-        log_error "Docker Scout is not available. Please install Docker Scout CLI."
-        log_info "Installation: https://docs.docker.com/scout/install/"
-        exit 1
+# Function to check if Grype is available
+check_grype() {
+    if ! command -v grype >/dev/null 2>&1; then
+        log_warning "Grype is not available. Vulnerability scanning will be skipped."
+        log_info "Install: brew install grype"
+        log_info "Or: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"
+        return 1
     fi
-    log_success "Docker Scout is available"
+    log_success "Grype is available"
+    return 0
 }
 
-# Function to scan image for vulnerabilities
+# Function to scan image for vulnerabilities using Grype
 scan_image_vulnerabilities() {
     local image_name="$1"
     local report_file="$2"
@@ -68,19 +70,21 @@ scan_image_vulnerabilities() {
     # Create security reports directory
     mkdir -p "${SECURITY_SCAN_OUTPUT_DIR}"
 
-    # Scan for critical and high vulnerabilities
-    docker scout cves "${image_name}" \
-        --only-severity critical,high \
-        --format sarif \
-        --output "${report_file}.sarif" || true
+    # Check if Grype is available
+    if ! command -v grype >/dev/null 2>&1; then
+        log_warning "Grype not available, skipping vulnerability scan"
+        return 0
+    fi
+
+    # Generate SARIF report
+    grype "${image_name}" -o sarif > "${report_file}.sarif" 2>/dev/null || true
 
-    # Get human-readable summary
-    docker scout cves "${image_name}" \
-        --only-severity critical,high > "${report_file}.txt" || true
+    # Generate human-readable table report
+    grype "${image_name}" -o table > "${report_file}.txt" 2>/dev/null || true
 
-    # Count vulnerabilities
-    local critical_count=$(docker scout cves "${image_name}" --only-severity critical --format sarif 2>/dev/null | jq -r '.runs[0].results | length' 2>/dev/null || echo "0")
-    local high_count=$(docker scout cves "${image_name}" --only-severity high --format sarif 2>/dev/null | jq -r '.runs[0].results | length' 2>/dev/null || echo "0")
+    # Count vulnerabilities using JSON output
+    local critical_count=$(grype "${image_name}" -o json 2>/dev/null | jq '[.matches[] | select(.vulnerability.severity == "Critical")] | length' 2>/dev/null || echo "0")
+    local high_count=$(grype "${image_name}" -o json 2>/dev/null | jq '[.matches[] | select(.vulnerability.severity == "High")] | length' 2>/dev/null || echo "0")
 
     # Default to 0 if jq fails
     critical_count=${critical_count:-0}
@@ -262,7 +266,7 @@ generate_security_summary() {
 
 **Scan Date:** ${BUILD_DATE}
 **Git Commit:** ${GIT_COMMIT}
-**Scanner:** Docker Scout
+**Scanner:** Grype (Anchore)
 
 ## Images Scanned
 
@@ -363,7 +367,7 @@ main() {
     echo ""
 
     # Pre-checks
-    check_docker_scout
+    check_grype
 
     # Clean up old images first
     cleanup_old_images
@@ -400,22 +404,22 @@ main() {
 # Handle script arguments
 case "${1:-all}" in
     postgresql|pg)
-        check_docker_scout
+        check_grype
         build_postgresql_secure
         ;;
     redis)
-        check_docker_scout
+        check_grype
         build_redis_secure
         ;;
     application|app)
-        check_docker_scout
+        check_grype
         build_application_secure
         ;;
     all)
         main
         ;;
     scan-only)
-        check_docker_scout
+        check_grype
         generate_security_summary
         ;;
     *)

scripts/make-containers-dev-local.sh

@@ -61,13 +61,14 @@ fi
 
 log_success "Docker found. Proceeding with setup."
 
-# Check if Docker Scout is available
+# Check if Grype is available for security scanning
 if [ "$SECURITY_SCAN_ENABLED" = true ]; then
-    if ! docker scout version >/dev/null 2>&1; then
-        log_warning "Docker Scout is not available. Security scanning will be disabled."
+    if ! command -v grype >/dev/null 2>&1; then
+        log_warning "Grype is not available. Security scanning will be disabled."
+        log_info "Install: brew install grype"
         SECURITY_SCAN_ENABLED=false
     else
-        log_success "Docker Scout is available for security scanning"
+        log_success "Grype is available for security scanning"
         mkdir -p "$SECURITY_REPORTS_DIR"
     fi
 fi
@@ -92,15 +93,15 @@ fi
 # --- Security Scanning (if enabled) ---
 if [ "$SECURITY_SCAN_ENABLED" = true ]; then
     log_info "Performing security scans on images..."
-    
+
     # Scan PostgreSQL image
     log_info "Scanning PostgreSQL image for vulnerabilities..."
-    docker scout cves "$PG_IMAGE" --only-severity critical,high > "$SECURITY_REPORTS_DIR/postgresql-prescan.txt" 2>&1 || true
-    
-    # Scan Redis image  
+    grype "$PG_IMAGE" -o table > "$SECURITY_REPORTS_DIR/postgresql-prescan.txt" 2>&1 || true
+
+    # Scan Redis image
     log_info "Scanning Redis image for vulnerabilities..."
-    docker scout cves "$REDIS_IMAGE" --only-severity critical,high > "$SECURITY_REPORTS_DIR/redis-prescan.txt" 2>&1 || true
-    
+    grype "$REDIS_IMAGE" -o table > "$SECURITY_REPORTS_DIR/redis-prescan.txt" 2>&1 || true
+
     log_success "Security scans completed. Reports saved to $SECURITY_REPORTS_DIR"
 fi