🔧 chore(security): consolidate dep/CVE scanning on Grype + govulncheck #21
Merged
Portwing never carried Snyk on the repo side (no .snyk policy, no workflow step, no badge), so there's nothing to remove here. Snyk's SCM integration is being decommissioned org-wide because it scans the Go module requirement graph (go mod graph) rather than the compiled build graph and over-reports advisories in modules the binary never links in.

This brings the existing Grype + govulncheck scan up to the sockguard pattern:

- 🔄 Rename security-vuln-weekly.yml -> security-grype.yml; rename the source job to grype-deps (Go go.mod/go.sum + npm lockfiles in one pass).
- ✨ Add a path-filtered pull_request trigger (source/deps/Dockerfile/the workflow itself); keep the weekly cron + workflow_dispatch.
- 🔧 Guard the heavy container build off PRs (govulncheck + grype-deps carry fast PR coverage); grype-image stays on schedule/manual.
- 🐛 Give each upload-sarif a distinct category (grype-image/grype-deps/gosec) so same-tool Grype SARIF uploads no longer clobber each other in code scanning.
- 🔧 Pin govulncheck's Go toolchain to go.mod instead of a floating "1.26".
- 📝 CHANGELOG: document the consolidation and the module-graph-vs-build-graph rationale under Unreleased -> Changed.

Verified: actionlint + zizmor clean on the new workflow; grype scan of the git-archived tracked tree reports no vulnerabilities.
biggest-littlest
approved these changes
Jun 16, 2026
biggest-littlest
left a comment
Member
LGTM — Grype + govulncheck consolidation, PR-guarded image scan, distinct SARIF categories.
ALARGECOMPANY
previously approved these changes
Jun 16, 2026
ALARGECOMPANY
left a comment
Member
Approved. Workflow change is clean, scan posture is sound.
…ort-only

Surfaced by running security-grype.yml on PRs:

- 🐛 govulncheck: go-version-file resolved to go.mod's `go 1.26.0` (no toolchain directive), which reports stdlib advisories already fixed in 1.26.1+ (GO-2026-4599/4600/4601). Revert to go-version "1.26" to track the latest patch, matching the gating ci.yml scan and how the binary is built.
- 🔧 gosec: add -no-fail so its heuristic findings (e.g. G115 int->uint in the mockdocker benchmark helper) feed the Security tab via SARIF without failing the run; CodeQL/Grype/govulncheck handle build gating.
- 📝 CHANGELOG: correct the entry to drop the reverted go-version-file claim.
e504651
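For readers reconstructing the layout from the description and the follow-up commit above, here is an illustrative workflow that puts the pieces together: a path-filtered `pull_request` trigger alongside the weekly cron and `workflow_dispatch`, the container build guarded off PRs, a distinct `category:` on every `upload-sarif` step, govulncheck on `go-version: "1.26"` (the post-revert state, so it tracks the latest 1.26.x patch rather than the `go 1.26.0` directive in go.mod), and gosec in report-only mode with `-no-fail`. This is an added example, not Portwing's actual security-grype.yml; the action versions, the path filter list, the cron time, the image tag, the `permissions` block and the exact scanner invocations are assumptions.

```yaml
# Illustrative reconstruction of the layout described in PR #21; not the
# repository's own security-grype.yml. Action versions, paths, cron time,
# image tag and scanner arguments are assumptions.
name: security-grype

on:
  pull_request:
    # Path-filtered: only source, dependency manifests, the Dockerfile and
    # this workflow itself trigger the fast PR jobs (assumed path list).
    paths:
      - '**.go'
      - 'go.mod'
      - 'go.sum'
      - '**/package-lock.json'
      - 'Dockerfile'
      - '.github/workflows/security-grype.yml'
  schedule:
    - cron: '0 6 * * 1'   # weekly; time of day is an assumption
  workflow_dispatch:

# Least privilege (assumed): SARIF upload needs security-events write,
# nothing here needs write access to contents.
permissions:
  contents: read
  security-events: write

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          # "1.26" resolves to the latest 1.26.x patch. go-version-file: go.mod
          # would pin to the `go 1.26.0` directive and re-report stdlib
          # advisories already fixed in later patch releases.
          go-version: '1.26'
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # Build-graph aware: only reports vulnerable symbols the binary reaches.
      - run: govulncheck ./...

  grype-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: scan
        uses: anchore/scan-action@v3
        with:
          path: .               # one pass over go.mod/go.sum and npm lockfiles
          fail-build: true
          output-format: sarif
      - if: always()            # upload findings even when the scan gates the run
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
          # Distinct per scanner: two Grype uploads under the same category
          # overwrite each other in code scanning.
          category: grype-deps

  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: securego/gosec@master
        with:
          # -no-fail: heuristic findings reach the Security tab via SARIF
          # without failing the job; gating is left to the other scanners.
          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec.sarif
          category: gosec

  grype-image:
    # Heavy container build stays off PRs; schedule and manual runs only.
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t portwing:scan .   # assumed image tag
      - id: scan
        uses: anchore/scan-action@v3
        with:
          image: portwing:scan
          fail-build: true
          output-format: sarif
      - if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
          category: grype-image
```

The `if: always()` on the upload steps matters when `fail-build: true` is set: without it a failing scan skips the upload and the findings that caused the failure never reach the Security tab. The three `category:` values are what keep the two Grype SARIF files and the gosec file as separate analyses instead of the last upload replacing the previous one.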
biggest-littlest
previously approved these changes
Jun 16, 2026
biggest-littlest
left a comment
Member
Re-approve: govulncheck back on latest 1.26.x, gosec report-only. Workflow's own jobs green now.
biggest-littlest
approved these changes
Jun 16, 2026
biggest-littlest
left a comment
Member
Re-approve at e504651 — workflow jobs green.