changes for grype config

Signed-off-by: naveensrinivasan <[email protected]>
defenseunicorns · Apr 3, 2024 · 6c4a1ea · 6c4a1ea
1 parent a0fdb60
commit 6c4a1ea
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 24 deletions.
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -62,7 +62,7 @@ jobs:
       - name: Scan the repository for vulnerabilities - Registry1
         run: |
           uds run grype:install
-          uds run create-grype-config
+          uds run grype:create-grype-config
           uds run scan:registry1
         env:
           GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}

diff --git a/tasks/grype.yaml b/tasks/grype.yaml
@@ -10,3 +10,27 @@ tasks:
           else
             echo "Grype is already installed."
           fi
+
+  - name: create-grype-config
+    description: Generate a .grype.yaml configuration file with registry credentials
+    actions:
+      - cmd: |
+          bash -c '
+            # Ensure the environment variables are set
+            if [[ -z "$GRYPE_USERNAME" || -z "$GRYPE_PASSWORD" ]]; then
+              echo "GRYPE_USERNAME and GRYPE_PASSWORD environment variables must be set."
+              exit 1
+            fi
+
+            # Create or overwrite the .grype.yaml file
+            cat > .grype.yaml << EOF
+            # Grype Configuration File
+            registry:
+              auth:
+                - authority: "registry1.dso.mil"
+                  username: "$GRYPE_USERNAME"
+                  password: "$GRYPE_PASSWORD"
+            EOF
+
+            echo ".grype.yaml configuration file created with registry credentials."
+          '
diff --git a/tasks/scan.yaml b/tasks/scan.yaml
@@ -22,6 +22,7 @@ tasks:
               echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
               # Extract the base name of the SBOM file without the .json extension
               sbom_base_name=$(basename "$json_file" .json)
+              # Use yq to replace the path with the SBOM file name without the .json extension
               yq eval "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) = \"$sbom_base_name\"" "$sarif_output_dir/$sarif_file_name" -i
               echo "Updated SARIF file path to $sbom_base_name using yq for $sarif_file_name"
             done
@@ -49,26 +50,3 @@ tasks:
               echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
             done
           '
-  - name: create-grype-config
-    description: Generate a .grype.yaml configuration file with registry credentials
-    actions:
-      - cmd: |
-          bash -c '
-            # Ensure the environment variables are set
-            if [[ -z "$GRYPE_USERNAME" || -z "$GRYPE_PASSWORD" ]]; then
-              echo "GRYPE_USERNAME and GRYPE_PASSWORD environment variables must be set."
-              exit 1
-            fi
-
-            # Create or overwrite the .grype.yaml file
-            cat > .grype.yaml << EOF
-            # Grype Configuration File
-            registry:
-              auth:
-                - authority: "registry1.dso.mil"
-                  username: "$GRYPE_USERNAME"
-                  password: "$GRYPE_PASSWORD"
-            EOF
-
-            echo ".grype.yaml configuration file created with registry credentials."
-          '