comment grype scan results on PR, only works for PRs from …

.github/workflows/ci-build.yaml

@@ -84,18 +84,6 @@ jobs:
             echo "exists=false" >> $GITHUB_OUTPUT
           fi
 
-      # Note: vulns found in scans do not currently block CI
-      - name: 'Grype scan APKs'
-        id: grype-scan
-        if: steps.file_check.outputs.exists == 'true'
-        run: |
-          set -x
-          for line in `cat packages.log`; do
-            # convert the melange output (e.g. "x86_64|grype|grype|0.63.0-r1" ) to an actual apk path
-            apk_path=$(echo "${line}" | awk '{ split($1, pkg, "|"); printf("packages/%s/%s-%s.apk\n", pkg[1], pkg[3], pkg[4]) }')
-            ./scripts/grype-scan-apk.sh "${apk_path}"
-          done
-
       - name: Check sonames
         id: soname
         if: steps.file_check.outputs.exists == 'true'
@@ -131,3 +119,29 @@ jobs:
         with:
           filePath: diff.log
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Note: vulns found in scans do not currently block CI
+      - name: Grype scan
+        id: grype_scan
+        if: steps.file_check.outputs.exists == 'true'
+        continue-on-error: true
+        run: |
+          ./scripts/grype-scan-packages-log.sh > grype_scan_results.md
+
+      - name: Check for scan results file
+        id: scan_file_check
+        run: |
+          if test -f "grype_scan_results.md"; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: PR comment scan
+        uses: thollander/actions-comment-pull-request@632cf9ce90574d125be56b5f3405cda41a84e2fd # v2.3.1
+        # We're seeing jobs using merge queues fail
+        continue-on-error: true
+        if: steps.scan_file_check.outputs.exists == 'true'
+        with:
+          filePath: grype_scan_results.md
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

scripts/grype-scan-packages-log.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# THIS SCRIPT IS EXPERIMENTAL!
+
+# IMPORTANT: One unfortunate trait of this script is that, by necessity (for
+# now), it uses what Grype calls "directory scanning catalogers" and not "image
+# scanning catalogers" (for more information on the difference, see
+# https://github.com/anchore/syft/#default-cataloger-configuration-by-scan-type).
+# The latter is desirable here, since it equates to scanning software that is
+# determined to be installed rather than merely referenced (e.g a test
+# dependency mentioned in a lockfile). The Grype team is aware of the need to
+# make it easier to scan 'installed' software in directory scans (see
+# https://github.com/anchore/syft/issues/1039), and we can improve this script
+# when that functionality is added.
+
+set -eo pipefail
+
+# Make sure Grype is installed.
+
+if ! command -v grype > /dev/null; then
+  echo "This script requires Grype to be installed. To install Grype, check out https://github.com/anchore/grype#installation."
+  exit 1
+fi
+
+# Check if packages.log file exists
+
+if [[ ! -f "packages.log" ]]; then
+  echo "Cannot find packages.log file.  No apks to scan."
+  exit 0
+fi
+
+# Optionally let the user pass in a Grype output flag argument.
+
+output_flag=""
+
+if [[ ${#1} -gt 0 ]]; then
+  output_flag="-o ${1}"
+fi
+
+set -u
+
+while IFS="|" read -r arch _ package version; do
+  apk_file="packages/${arch}/${package}-${version}.apk"
+  if [[ -f "$apk_file" ]]; then
+    echo "Processing ${apk_file}"
+    tmpdir=$(mktemp -d)
+
+    trap 'rm -rf "$tmpdir"' EXIT
+
+    tar -xf "$apk_file" -C "$tmpdir"
+
+    grype -q "$tmpdir" $output_flag
+  else
+    echo "File ${apk_file} not found."
+  fi
+done < "packages.log"