{"id":22472987,"url":"https://github.com/truefoundry/github-workflows-public","last_synced_at":"2026-03-19T23:00:46.268Z","repository":{"id":260657627,"uuid":"881971088","full_name":"truefoundry/github-workflows-public","owner":"truefoundry","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-02T04:53:03.000Z","size":32,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-01T20:12:03.660Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/truefoundry.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-01T15:51:56.000Z","updated_at":"2025-01-02T04:53:01.000Z","dependencies_parsed_at":"2024-11-01T17:18:53.419Z","dependency_job_id":"ef8b7a0b-2168-4020-9676-0c7711320bbc","html_url":"https://github.com/truefoundry/github-workflows-public","commit_stats":null,"previous_names":["truefoundry/github-workflows-public"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/truefoundry%2Fgithub-workflows-public","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/truefoundry%2Fgithub-workflows-public/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/truefoundry%2Fgithub-workflows-public/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/truefoundry%2Fgithub-workflows-public/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/truefoundry","download_url":"https://codeload.github.com/truefoundry/github-workflows-public/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245880817,"owners_count":20687613,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-06T12:18:19.414Z","updated_at":"2026-01-06T21:51:41.933Z","avatar_url":"https://github.com/truefoundry.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"**Update Grype Ignore File Workflow**\n\nA reusable GitHub Actions workflow that:\n\n1. **Builds** a Docker image for vulnerability scanning.\n2. **Ensures** a Grype configuration (`.grype.yaml` or custom path) exists.\n3. **Scans** the image with Anchore’s Grype action.\n4. **Restores** any custom config file path.\n5. **Updates** your Grype ignore list via a Python helper script.\n6. **Opens** a pull request with the updated ignore file if changes are detected.\n\n---\n\n## How to Use\n\nCall this workflow from another repository or workflow via `workflow_call`:\n\n```yaml\nname: Auto-update Grype Ignore\n\non:\n  schedule:\n    - cron: '0 3 * * *'   # daily at 03:00 UTC\n\njobs:\n  update-grype:\n    uses: truefoundry/github-workflows-public/.github/workflows/update-grype-report.yml@main\n    with:\n      artifactory_repository_url: tfy.jfrog.io/tfy-images\n      image_artifact_name: my-app-server\n      dockerfile_path: Dockerfile\n      image_context: .\n      image_scan_severity_cutoff: high\n      grype_fail_build: false\n      grype_config_file: .grype.yaml      # optional, defaults to .grype.yaml\n      grype_output_file: vulnerability-report.json\n      grype_output_format: json\n```\n\nThis will run the scan, update the ignore list in `.grype.yaml` (or your custom path), and create a PR if there are new ignores.\n\n---\n\n## Inputs\n\n| Name                         | Description                                                                             | Required | Default                     |\n| ---------------------------- | --------------------------------------------------------------------------------------- | -------- | --------------------------- |\n| `artifactory_repository_url` | URL of your JFrog Artifactory repository (e.g. `tfy.jfrog.io/tfy-images`)               | true     |                             |\n| `image_artifact_name`        | Name of the Docker image (e.g. `mlfoundry-server`)                                      | true     |                             |\n| `dockerfile_path`            | Path to the `Dockerfile`                                                                | false    | `Dockerfile`                |\n| `image_context`              | Build context for Docker                                                                | false    | `.`                         |\n| `image_build_args`           | Build-time arguments for Docker                                                         | false    | (none)                      |\n| `image_scan_severity_cutoff` | Minimum severity level to include in the scan                                           | false    | `critical`                  |\n| `grype_fail_build`           | Fail the job if Grype finds vulnerabilities above the cutoff                            | false    | `false`                     |\n| `grype_config_file`          | Path to a custom Grype config (will be moved to and from `.grype.yaml` during scanning) | false    | `.grype.yaml`               |\n| `grype_output_file`          | Filename for the scan report                                                            | false    | `vulnerability-report.json` |\n| `grype_output_format`        | Output format for the scan report (`json`, `table`, `cyclonedx`, etc.)                  | false    | `json`                      |\n\n---\n\n## Permissions\n\nThis workflow requires:\n\n```yaml\npermissions:\n  contents: write          # to push changes and open PRs\n```\n\nAlso ensure your caller passes a token (e.g. `workflow_repo_token`) with write rights to the target repo.\n\n---\n\n## Workflow Steps\n\n1. **Checkout** your repository and the shared `github-workflows-public` scripts.\n2. **Set up** Docker Buildx and Python.\n3. **Build \u0026 load** the Docker image tagged as `:grype-report`.\n4. **Prepare** `.grype.yaml`:\n\n    * Move a custom config into place or create an empty stub if missing.\n5. **Scan** the image with `anchore/scan-action@v6`.\n6. **Revert** `.grype.yaml` back to the original path (if custom).\n7. **Install** Python deps and run `get-vulnerabilities.py` to update the ignore list in your config file.\n8. **Diff** the config file; if changed, **open** a PR using `peter-evans/create-pull-request@v5`.\n\n---\n\n## Notes\nThere is a PR for custom config path for the anchore/scan-action. Until it is merged, the workflow will temporarily move the custom config to `.grype.yaml` for scanning and revert it back after.\nA [PR](https://github.com/anchore/scan-action/pull/427) has been raised to the `anchore/scan-action` repo to support custom config paths.\n\n## License\n\nMIT © TrueFoundry\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftruefoundry%2Fgithub-workflows-public","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftruefoundry%2Fgithub-workflows-public","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftruefoundry%2Fgithub-workflows-public/lists"}