Add Chef Automate Container Scanning and Remove Trivy Integration#40
Merged
brianLoomis merged 52 commits into main on Mar 27, 2026
Add documentation for the intelligent major version matching feature that ensures stable and current channel comparisons use the same major version, providing more meaningful vulnerability trend analysis.
Signed-off-by: Peter Arsenault <parsenau@progress.com>
… is failing
Signed-off-by: Peter Arsenault <parsenau@progress.com>
Signed-off-by: peter-at-progress <parsenau@progress.com>
Signed-off-by: Peter Arsenault <parsenau@progress.com>
391bd5e to d738c7d
updated documentation, removed some options for stub versions
Signed-off-by: Sean Simmons <ssimmons@progress.com>
…l edits later
Signed-off-by: Progress Copyright Bot <copyright@progress.com>
Signed-off-by: cgunasree08 <Chintha.Gunasree@progress.com>
Signed-off-by: Clinton Wolfe <156460+clintoncwolfe@users.noreply.github.com>
…nstall project deps
Signed-off-by: Clinton Wolfe <156460+clintoncwolfe@users.noreply.github.com>
Signed-off-by: Nandan Hegde <220186393+nandanhegde73@users.noreply.github.com>
Signed-off-by: sandhi <sagarwal@progress.com>
Fix timeout issue
* changes for pipeline for security pipelines
* Fixes for Polaris
Signed-off-by: sandhi <sagarwal@progress.com>
---------
Signed-off-by: sandhi <sagarwal@progress.com>
Co-authored-by: sandhi <sagarwal@progress.com>
* setting git config to install private gems
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* updated with github config in sbom.yml also
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* updated the var name
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* Security: Replace git config with bundler config for gem credentials
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* testing with feature branch
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* reverted back to main
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* added the condition for PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* making logs better
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* updating to feature branch to test the changes
  Signed-off-by: nikhil2611 <ngupta@progress.com>
* revert back to main
  Signed-off-by: nikhil2611 <ngupta@progress.com>
---------
Signed-off-by: nikhil2611 <ngupta@progress.com>
* Added support for ruby-erlang
  Signed-off-by: shanmugapriya-tr <shanmugapriya.tiruchengoderamanathan@progress.com>
* Add debug output for language parameter and HEX detector exclusion
* Use ruby-erlang branch for sbom workflow to include HEX detector exclusion
* Fix BlackDuck policy violation count parsing to extract correct numbers
---------
Signed-off-by: shanmugapriya-tr <shanmugapriya.tiruchengoderamanathan@progress.com>
…34)
* Add Grype Habitat package scan workflow with build and install modes
* Only fixed vulnerabilities
  Signed-off-by: sandhi <sagarwal@progress.com>
* Only fixed vulnerabilities
  Signed-off-by: sandhi <sagarwal@progress.com>
---------
Signed-off-by: sandhi <sagarwal@progress.com>
d738c7d to 89f942c
Description
This PR introduces two major changes to the vulnerability scanning workflow:
1. New: Chef Automate Container Scanning Mode
Adds a complete GitHub Action for scanning Chef Automate's embedded Habitat packages in containerized environments:

- `chef` and `core` origins using Grype
- `stable` and `current` release channels
- `out/container/automate/{channel}/{os}/{version}/{arch}/`

Key features:

- `chef` and `core` Habitat origins

2. Breaking: Complete Removal of Trivy Integration

Permanently removes all Trivy-related functionality from the chef-download-grype-snapshot action following the second Trivy security compromise (March 2026):

- (`run.py`)
- `enable_trivy`, `trivy_scanners`, `trivy_severity`, `trivy_ignore_unfixed`, `trivy_timeout`, `trivy_cache_dir`

All vulnerability scanning is now performed exclusively by Grype for improved security posture and consistency.

3. New: Database Integration for Vulnerability Trends

Adds the `insert-scan-results` action for PostgreSQL-backed vulnerability analytics:

- (`native_scan_results`, `habitat_scan_results`, `container_scan_results`)
- `ON CONFLICT` - safe for workflow retries
- `skip_trend_insert` option for test/on-demand scans

4. Additional Enhancements

- `download_site` dimension (commercial/community/cinc) for database tracking
- `HAB_AUTH_TOKEN` handling for protected Habitat channels

Related Issue
N/A

Types of changes
Breaking changes:

Checklist:
- If `Gemfile.lock` has changed, I have used `--conservative` to do it and included the full output in the Description above.
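The description's third item relies on `ON CONFLICT` so that a retried workflow step cannot double-count findings, and the commit history mentions matching major versions before comparing the stable and current channels. The Python below is an added example, not code from this repository or from the `insert-scan-results` action; it uses an in-memory SQLite database as a stand-in for the action's PostgreSQL backend (an assumption, chosen because both engines accept the same `INSERT ... ON CONFLICT (...) DO NOTHING` form), a constructed table layout, and constructed sample findings whose vulnerability ids are placeholders.

```python
"""Idempotent scan-result inserts with ON CONFLICT, plus same-major-version
channel comparison.

Added example, not code from the chef-download-grype-snapshot repository.
Assumptions: in-memory SQLite stands in for PostgreSQL; the table layout,
column names and sample findings below are constructed for illustration.
"""
import sqlite3
from typing import Dict, Iterable, Sequence, Tuple

# Natural key of a finding: where it was found (channel/os/version/arch) plus
# which package and which vulnerability. Re-inserting the same key is a no-op.
SCHEMA = """
CREATE TABLE IF NOT EXISTS container_scan_results (
    channel       TEXT NOT NULL,
    os            TEXT NOT NULL,
    version       TEXT NOT NULL,
    arch          TEXT NOT NULL,
    origin        TEXT NOT NULL,
    package       TEXT NOT NULL,
    vuln_id       TEXT NOT NULL,
    severity      TEXT NOT NULL,
    fixed_in      TEXT,
    download_site TEXT NOT NULL,
    scanned_at    TEXT NOT NULL,
    PRIMARY KEY (channel, os, version, arch, origin, package, vuln_id)
);
"""

# ON CONFLICT ... DO NOTHING: a retried workflow step that replays the same
# findings writes nothing new instead of failing or duplicating rows.
INSERT_SQL = """
INSERT INTO container_scan_results
    (channel, os, version, arch, origin, package, vuln_id,
     severity, fixed_in, download_site, scanned_at)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
ON CONFLICT (channel, os, version, arch, origin, package, vuln_id) DO NOTHING;
"""

Finding = Tuple[str, str, str, str, str, str, str, str, object, str, str]

# Constructed sample findings; the vulnerability ids are placeholders, not real CVEs.
SAMPLE_FINDINGS: Sequence[Finding] = (
    ("stable",  "rhel9", "4.13.0", "x86_64", "core", "openssl", "CVE-0000-0001", "High",   "3.0.0-1", "commercial", "2026-03-27T00:00:00Z"),
    ("stable",  "rhel9", "4.13.0", "x86_64", "core", "glibc",   "CVE-0000-0002", "Medium", None,      "commercial", "2026-03-27T00:00:00Z"),
    ("current", "rhel9", "4.14.1", "x86_64", "core", "openssl", "CVE-0000-0001", "High",   "3.0.0-1", "commercial", "2026-03-27T00:00:00Z"),
    ("current", "rhel9", "5.0.0",  "x86_64", "core", "openssl", "CVE-0000-0001", "High",   "3.0.0-1", "commercial", "2026-03-27T00:00:00Z"),
)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_scan_results(conn: sqlite3.Connection, rows: Iterable[Finding],
                        skip_trend_insert: bool = False) -> int:
    """Write findings and return how many rows were actually inserted.

    skip_trend_insert mirrors the action option for test/on-demand scans:
    nothing is recorded, so ad-hoc runs do not pollute the trend data.
    """
    if skip_trend_insert:
        return 0
    before = conn.total_changes          # rows skipped by DO NOTHING are not counted
    conn.executemany(INSERT_SQL, rows)
    conn.commit()
    return conn.total_changes - before


def major(version: str) -> int:
    return int(version.split(".")[0])


def matched_channel_counts(conn: sqlite3.Connection) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Finding counts for (stable_version, current_version) pairs that share a
    major version, so a 4.x stable build is never compared against a 5.x
    current build."""
    counts: Dict[str, Dict[str, int]] = {}
    for channel, version, n in conn.execute(
        "SELECT channel, version, COUNT(*) FROM container_scan_results "
        "GROUP BY channel, version"
    ):
        counts.setdefault(channel, {})[version] = n
    pairs: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for sv, sn in counts.get("stable", {}).items():
        for cv, cn in counts.get("current", {}).items():
            if major(sv) == major(cv):
                pairs[(sv, cv)] = (sn, cn)
    return pairs


if __name__ == "__main__":
    db = open_db()
    print("first run inserted:", insert_scan_results(db, SAMPLE_FINDINGS))
    print("retry inserted:", insert_scan_results(db, SAMPLE_FINDINGS))
    print("comparable channel pairs:", matched_channel_counts(db))
```

Running the block twice against the same database shows the retry path: the first call inserts all four findings, the replay inserts none, and the channel comparison pairs only the 4.13.0 stable build with the 4.14.1 current build, leaving the 5.0.0 current build out of the trend.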