ci(scan): add Grype scanning alongside Trivy; fix --vuln-type flag

Add anchore/grype:v0.88.0 as a second vulnerability scanner in the scan job. Both images are scanned with Grype after Trivy — using --fail-on high --only-fixed to match Trivy's HIGH/CRITICAL + ignore-unfixed gate. Having two independent scanners catches CVEs that may be missing from either database. Also fix a typo in the Trivy claude scan step: --package-type is not a valid Trivy flag; corrected to --vuln-type (matching the proxy step). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 22:45:48 +02:00 · 2026-04-20 22:45:48 +02:00 · 71494a59b3
commit 71494a59b3
parent b741b02408
1 changed files with 21 additions and 2 deletions
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@ -11,6 +11,7 @@ env:
  FORGEJO_HOST: code.zeidler.dev
  HELM_EXPERIMENTAL_OCI: 1
  TRIVY_IMAGE: registry.zeidler.dev/docker-hub/aquasec/trivy:0.70.0
+  GRYPE_IMAGE: registry.zeidler.dev/docker-hub/anchore/grype:v0.88.0

 jobs:
  check-docker:
@ -61,7 +62,7 @@ jobs:
            --format cyclonedx --output /output/sbom-proxy.cdx.json \
            scan/proxy:latest

-      - name: Scan proxy image
+      - name: Scan proxy image (Trivy)
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
@ -71,6 +72,15 @@ jobs:
            --format table \
            scan/proxy:latest

+      - name: Scan proxy image (Grype)
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            ${{ env.GRYPE_IMAGE }} \
+            docker:scan/proxy:latest \
+            --fail-on high \
+            --only-fixed
+
      - name: Build claude image for scanning
        run: docker build -t scan/claude:latest ./claude

@ -84,7 +94,7 @@ jobs:
            --format cyclonedx --output /output/sbom-claude.cdx.json \
            scan/claude:latest

-      - name: Scan claude image
+      - name: Scan claude image (Trivy)
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
@ -94,6 +104,15 @@ jobs:
            --format table \
            scan/claude:latest

+      - name: Scan claude image (Grype)
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            ${{ env.GRYPE_IMAGE }} \
+            docker:scan/claude:latest \
+            --fail-on high \
+            --only-fixed
+
      - name: Upload SBOMs
        if: always()
        uses: actions/upload-artifact@v4