code review comments

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

.github/workflows/scan-vulnerability.yaml → .github/workflows/scan.yaml

@@ -9,11 +9,11 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  validate:
+  scan:
     runs-on: ubuntu-latest
     name: Scan for vulnerabilities
     permissions:
-      contents: read 
+      contents: read
       pull-requests: read
 
     steps:
@@ -22,17 +22,28 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Environment setup # this is required for scanning ironbank images
+      - name: Environment setup
         uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
         with:
           username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
 
       - name: Scan the repository for vulnerabilities
         run: |
-          uds run vuln-check:grype-scan-sbom
+          uds run grype:install
+          uds run scan:vulns
+
+  upload-sarif:
+    needs: scan
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        repo: ['upstream', 'repo1']
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Upload SARIF files
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.0.0
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
         with:
-          sarif_file: 'sarif/'
+          sarif_file: sarif/${{ matrix.repo }}/*.sarif

tasks.yaml

@@ -7,7 +7,8 @@ includes:
   - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/pull.yaml
   - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/deploy.yaml
   - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/setup.yaml
-  - vuln-check: ./tasks/scanvulnerability.yaml
+  - scan: ./tasks/scan.yaml
+  - grype: ./tasks/grype.yaml
 
 tasks:
   - name: default
@@ -65,4 +66,4 @@ tasks:
   - name: vuln-scan-package
     description: Scan the GitLab package for vulnerabilities
     actions:
-      - task: vuln-check:grype-scan-sbom
+      - task: scan:vulns

tasks/grype.yaml

@@ -0,0 +1,12 @@
+---
+tasks:
+  - name: install
+    description: Check if Grype is installed, if not install it
+    actions:
+      - cmd: |
+          if ! command -v grype &> /dev/null; then
+            echo "Grype could not be found, installing..."
+            curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+          else
+            echo "Grype is already installed."
+          fi

tasks/scan.yaml

@@ -0,0 +1,26 @@
+---
+tasks:
+  - name: vulns
+    description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities
+    actions:
+      - cmd: |
+          bash -c 'flavors=("upstream" "registry1")
+          for flavor in "${flavors[@]}"; do
+            output_dir="sbom/$flavor"
+            mkdir -p "$output_dir"
+            uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
+            for file in "$output_dir"/*.zst; do
+              uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress
+            done
+          done
+          for flavor in "${flavors[@]}"; do
+            sarif_output_dir="./sarif/$flavor"
+            mkdir -p "$sarif_output_dir"
+            find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do
+              sarif_file_name="$(basename "${json_file}").sarif"
+              echo "Processing $json_file"
+              echo "Outputting to $sarif_output_dir/$sarif_file_name"
+              grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name" || true
+              echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
+            done
+          done'