navapbc / template-application-rails

Ruby on Rails with USWDS template, including CI/CD, for teams building web applications
Apache License 2.0

[Issue 16] Add Grype for vulnerability scanning #22

Closed SammySteiner closed 5 months ago

SammySteiner commented 5 months ago

Ticket

Changes

Context for reviewers

Tested by running grype locally on the database image and the application image, with and without the .grype.yml file, to make sure it was loading and formatted correctly.

Testing

Install and run Grype locally with and without the .grype.yml ignore file to confirm it is working as intended.
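As an added example (not the PR's bin script or any code from the template), here is one way to make the "with and without .grype.yml" check described above mechanical: scan the same image twice, diff the two JSON reports, and confirm that the ignore file suppressed exactly the findings the team decided to accept and nothing more. It assumes Grype's `--config` flag and a JSON report whose top-level `matches` records carry `vulnerability.id` and `artifact.name`/`artifact.version`; the sample reports are constructed, with placeholder CVE ids.

```python
import json
import subprocess
from typing import List, Optional, Set, Tuple

# A finding is identified by (vulnerability id, package name, package version).
Key = Tuple[str, str, str]


def run_grype(image: str, config: Optional[str] = None) -> dict:
    """Scan an image with Grype and return its JSON report (needs grype on PATH).

    config=".grype.yml" loads the ignore file; config=None gives the unfiltered baseline.
    """
    cmd = ["grype", image, "-o", "json"]
    if config:
        cmd += ["--config", config]  # assumption: Grype's --config flag selects the ignore file
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def match_keys(matches: List[dict]) -> Set[Key]:
    """Reduce Grype match records to comparable (id, name, version) keys."""
    return {(m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"]) for m in matches}


def ignore_diff(baseline: dict, with_config: dict) -> dict:
    """Show exactly what loading .grype.yml changed between two scans of one image."""
    base = match_keys(baseline.get("matches", []))
    cfg = match_keys(with_config.get("matches", []))
    return {
        "suppressed": sorted(base - cfg),       # findings hidden by the ignore rules
        "unexpected_new": sorted(cfg - base),   # same image and DB, so this should be empty
    }


def ignore_file_is_sane(baseline: dict, with_config: dict, allowed: Set[Key]) -> bool:
    """True only if the ignore file suppressed the allow-listed findings and nothing else."""
    diff = ignore_diff(baseline, with_config)
    return set(diff["suppressed"]) == allowed and not diff["unexpected_new"]


# Constructed sample reports standing in for two real `grype <image> -o json` runs.
SAMPLE_BASELINE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
     "artifact": {"name": "openssl", "version": "1.1.1"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
     "artifact": {"name": "libxml2", "version": "2.9"}},
]}
# With .grype.yml loaded, only the first finding is ignored.
SAMPLE_WITH_CONFIG = {"matches": [SAMPLE_BASELINE["matches"][1]]}
ACCEPTED = {("CVE-0000-0001", "openssl", "1.1.1")}

if __name__ == "__main__":
    print(ignore_diff(SAMPLE_BASELINE, SAMPLE_WITH_CONFIG))
    print("ignore file sane:", ignore_file_is_sane(SAMPLE_BASELINE, SAMPLE_WITH_CONFIG, ACCEPTED))
```

In a real run replace the sample dicts with `run_grype(image)` and `run_grype(image, ".grype.yml")` for both the database and application images; an empty `suppressed` list means the config was not picked up at all.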

ellery-nava commented 5 months ago

Do we need to update the README with any instructions on installing and running Grype? Should it be run automatically on PRs? Or are we expecting developers to run manually?

SammySteiner commented 5 months ago

> Do we need to update the README with any instructions on installing and running Grype? Should it be run automatically on PRs? Or are we expecting developers to run manually?

I haven't been on a project where developers were running it manually, unless there was a vulnerability identified by the scan. At that point, you can run it locally, but I think most people were relying on the CI pipeline to run when pushing changes to the PR.

ellery-nava commented 5 months ago

Makes sense - is adding this to the CI workflows part of this ticket? Not familiar with how much usually comes out of the box on Platform projects.

SammySteiner commented 5 months ago

> Makes sense - is adding this to the CI workflows part of this ticket? Not familiar with how much usually comes out of the box on Platform projects.

The ticket referenced the template-nextjs repo's implementation, which only contains the bin script update and the .grype.yml file; it assumes the CI workflow is coming from the infra repo. So I decided to use that implementation as my guide for how far to take it.