chore: grype src scan pi28 (#179)

* chore: configure grype src code scan

* feat: add gyrpe src scan and update deps

---------

Co-authored-by: Juan Correa <gibaros@users.noreply.github.com>

Author: gibaros

.circleci/config.yml

@@ -1,11 +1,32 @@
+# CircleCI configuration using the mojaloop/build orb
+# This streamlined config uses the mojaloop/build orb for standardized CI/CD workflows
+#
+# The orb automatically handles:
+# - PR title checking
+# - Dependency installation and caching
+# - Linting
+# - Unit, integration, and functional testing
+# - Vulnerability checking (npm audit)
+# - License scanning
+# - Grype security scanning (source code scanning for this library)
+# - Automated releases to npm and GitHub
+# - Slack notifications
+#
+# To enable this configuration:
+# 1. Go to CircleCI project settings → Advanced
+# 2. Ensure "Enable dynamic config using setup workflows" is enabled
+
 version: 2.1
 setup: true
+
 orbs:
-  build: mojaloop/build@1.0.64
+  build: mojaloop/build@1.1.6
+
 workflows:
   setup:
     jobs:
       - build/workflow:
+          context: org-global
           filters:
             tags:
-              only: /v\d+(\.\d+){2}(-[a-zA-Z-][0-9a-zA-Z-]*\.\d+)?/
+              only: /v\d+(\.\d+){2}(-[a-zA-Z-][0-9a-zA-Z-]*\.\d+)?/

.grype.yaml

@@ -1,14 +1,40 @@
-disabled: true
+# Grype vulnerability scanning configuration for central-services-stream
+# This is a library project without Docker images, so we use source scanning
+scan-type: source
 
+# Enable vulnerability scanning
+disabled: false
+
+# Vulnerability ignore rules
+# Add specific CVEs here if they are false positives or acceptable risks
 ignore:
+  # Example format for ignoring specific vulnerabilities:
+  # - vulnerability: "CVE-2023-xxxxx"
+  #   reason: "False positive in dev dependency that doesn't affect production"
+  # - vulnerability: "GHSA-xxxx-xxxx-xxxx"
+  #   package:
+  #     name: "package-name"
+  #     version: "1.0.0"
+  #   reason: "Not exploitable in our usage context"
 
-# Set output format defaults
+# Output formats for scan results
 output:
-  - "table"
-  - "json"
-
-# Modify your CircleCI job to check critical count
-search:
-  scope: "squashed"
-quiet: false
-check-for-app-update: false
+  - "table"  # Human-readable table format
+  - "json"   # Machine-readable JSON for further processing
+
+# Grype configuration options
+quiet: false                    # Show progress and status messages
+check-for-app-update: false     # Don't check for Grype updates during CI
+only-fixed: false               # Show all vulnerabilities, not just those with fixes
+add-cpes-if-none: false         # Don't add CPEs if none are found
+by-cve: false                   # Group by vulnerability rather than CVE
+
+# Database settings
+db:
+  auto-update: true             # Auto-update the vulnerability database
+  validate-age: true            # Validate the age of the vulnerability database
+  max-allowed-built-age: 120h   # Maximum age of the vulnerability database (5 days)
+
+# Severity thresholds (handled by the orb, but documented here for clarity)
+# The build will fail on Critical, High, or Medium severity vulnerabilities
+# Low and Negligible severities are reported but won't fail the build

README.md

@@ -8,6 +8,10 @@
 
 Streaming library for central services
 
+## CI/CD
+
+This repository uses the [mojaloop/build](https://github.com/mojaloop/ci-config-orb-build) CircleCI orb for standardized CI/CD workflows, including automated Grype vulnerability scanning for source code security.
+
 ## Usage
 
 ### Kafka