From a8ee9cad91bf6d3554e6059ead71c6395a1b57f6 Mon Sep 17 00:00:00 2001
From: Nik08
Date: Thu, 26 Mar 2026 16:36:10 +0530
Subject: [PATCH 1/2] ci: add grype scan config and rename workflow file

- Add perform-grype-scan: true to enable Grype vulnerability scanning
- Add grype-fail-on-high: true to fail build on high severity CVEs
- Add grype-fail-on-critical: true to fail build on critical severity CVEs
- Rename ci-main-pull-request-stub-1.0.8.yml to ci-main-pull-request-stub.yml
- Add trailing newline at end of file

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Nik08
---
 ...equest-stub-1.0.8.yml => ci-main-pull-request-stub.yml} | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 rename .github/workflows/{ci-main-pull-request-stub-1.0.8.yml => ci-main-pull-request-stub.yml} (98%)

diff --git a/.github/workflows/ci-main-pull-request-stub-1.0.8.yml b/.github/workflows/ci-main-pull-request-stub.yml
similarity index 98%
rename from .github/workflows/ci-main-pull-request-stub-1.0.8.yml
rename to .github/workflows/ci-main-pull-request-stub.yml
index 80c6d23..8232b1a 100644
--- a/.github/workflows/ci-main-pull-request-stub-1.0.8.yml
+++ b/.github/workflows/ci-main-pull-request-stub.yml
@@ -106,6 +106,11 @@ jobs:
 perform-language-linting: true # Perform language-specific linting and pre-compilation checks
 perform-trufflehog-scan: true
 perform-trivy-scan: true
+
+ # grype vulnerability scanning
+ perform-grype-scan: true
+ grype-fail-on-high: true
+ grype-fail-on-critical: true
 
 # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
 build: true
@@ -176,4 +181,4 @@ jobs:
 # udf1: 'default' # user defined flag 1
 # udf2: 'default' # user defined flag 2
- # udf3: 'default' # user defined flag 3
+ # udf3: 'default' # user defined flag 3

From b60715df2f97ee666bf4ca9412f446cbba224297 Mon Sep 17 00:00:00 2001
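Review bot: The three new grype keys are the only entries in this input block without an inline comment — `perform-language-linting: true` right above explains itself — and `grype-fail-on-high: true` in particular deserves one, because it turns the scan into a merge gate rather than a report. I would write `grype-fail-on-high: true # gate: fails the job on high-severity findings` and the equivalent on `grype-fail-on-critical`, and extend the `# grype vulnerability scanning` group comment with where accepted findings are recorded, so the first unfixable transitive CVE does not end with the flag being flipped to false. Since `perform-trivy-scan: true` three lines up already enables a vulnerability scanner, a short note on why both run (different targets, or a deliberate cross-check) would also save the next reader a question. The input block these keys belong to (presumably the `with:` of a reusable-workflow call under `jobs:`) starts before and continues after the hunk.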
From: Nikita Mathur
Date: Thu, 26 Mar 2026 23:48:41 +0530
Subject: [PATCH 2/2] CHEF-33010 Fix SBOM pipeline: add run-bundle-install to generate Gemfile.lock at runtime

Signed-off-by: Nikita Mathur
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci-main-pull-request-stub.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml
index 8232b1a..cdc87a1 100644
--- a/.github/workflows/ci-main-pull-request-stub.yml
+++ b/.github/workflows/ci-main-pull-request-stub.yml
@@ -175,6 +175,7 @@ jobs:
 # perform Blackduck software composition analysis (SCA) for 3rd party CVEs, licensing, and operational risk
 perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
+ run-bundle-install: true # generate Gemfile.lock at runtime for SBOM pipeline
 blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
 blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
 blackduck-force-low-accuracy-mode: false # if true, forces BlackDuck Detect to run in low accuracy mode which can reduce scan time for large projects at the cost of potentially missing some vulnerabilities; see https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/1138617921/Black+Duck+Detect+Accuracy+Levels for details