
ci: use scanner actions #455

Merged
NARSimoes merged 4 commits into master from nasimoes-ci-bump-actions on Mar 20, 2026

Conversation

@NARSimoes
Contributor

@NARSimoes NARSimoes commented Mar 20, 2026

Summary

Release Note


Summary by CodeRabbit

  • Chores
    • Updated CI/CD action dependencies to newer pinned releases for improved maintenance and stability.
    • Added automated Docker image vulnerability scanning during builds and SARIF upload to Security events to surface high-severity findings (scans allowed to continue on failure).

@mm-cloud-bot

@NARSimoes: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.



@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai

coderabbitai bot commented Mar 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Run configuration: Organization UI; review profile CHILL; plan Pro; run ID e9d4c5a1-793d-457d-af1d-a6b6820d9940.

Commits: reviewing files that changed from the base of the PR and between 4df3fc9 and 2f86a56.

Files selected for processing (1):
  • .github/workflows/ci.yml

Files skipped from review as they are similar to previous changes (1):
  • .github/workflows/ci.yml

📝 Walkthrough

This PR updates pinned GitHub Action versions across CD, CI, and notify-release workflows and adds Docker image vulnerability scanning with Anchore/Grype plus SARIF uploads for both standard and FIPS CI builds.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow pins (CD & CI): .github/workflows/cd.yml, .github/workflows/ci.yml | Updated action pins: actions/checkout → v6.0.2, docker/setup-buildx-action → v4.0.0, docker/login-action → v4.0.0; FIPS build: chainguard-dev/setup-chainctl → v0.5.0. |
| CI tool setup: .github/workflows/ci.yml | Updated actions/setup-go from v6.0.0 → v6.3.0 in lint, test, and build jobs. |
| CI security scanning: .github/workflows/ci.yml | Added anchore/scan-action (Grype) scans after image builds (standard and FIPS), generate SARIF (grype-results*.sarif), continue-on-error: true, and upload SARIF via github/codeql-action/upload-sarif. |
| Notify workflow pin: .github/workflows/notify-release.yml | Updated actions/checkout pin to the v6.0.2 commit reference. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Build as Docker Buildx
    participant Scan as Anchore / Grype (anchore/scan-action)
    participant Upload as SARIF upload (github/codeql-action)
    Runner->>Build: checkout + build images
    Build->>Scan: provide image artifact for scanning
    Scan->>Scan: run Grype, produce SARIF results
    Scan->>Upload: emit SARIF file(s)
    Upload->>Runner: upload SARIF to GitHub Security
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


🚥 Pre-merge checks: 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci: use scanner actions' aligns with the primary change across all three workflow files, which adds Docker image vulnerability scanning steps using anchore/scan-action and uploads SARIF results. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 122-125: The two GitHub Actions steps that call
github/codeql-action/upload-sarif (e.g., the step named
ci/upload-grype-sarif-results that uploads "grype-results.sarif" and the other
upload step for FIPS results) need unique `category` inputs so one SARIF upload
doesn't overwrite the other; update both upload steps (the
github/codeql-action/upload-sarif uses) to add distinct category values (for
example "grype-standard" for "grype-results.sarif" and "grype-fips" for the FIPS
SARIF) via the `with:` block so each SARIF file is stored separately.

ℹ️ Review info

Run configuration: Organization UI; review profile CHILL; plan Pro; run ID afac1dad-ecf8-480f-a6d2-22a487374408.

Commits: reviewing files that changed from the base of the PR and between df2ea26 and 4df3fc9.

Files selected for processing (3):
  • .github/workflows/cd.yml
  • .github/workflows/ci.yml
  • .github/workflows/notify-release.yml
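The scan-and-upload flow from the walkthrough, written out with the distinct `category` per upload that the review comment above asks for. This is an added example, not the project's ci.yml or any code from the PR: the image names, Dockerfile names, job and step ids, the matrix layout, the `example/app` image and the tag-style action refs are all assumptions. The real workflow pins actions to commit SHAs (the page mentions the actions/checkout v6.0.2 commit reference), which is the stronger supply-chain choice; tags are used here only for readability.

```yaml
# Added example (not the project's workflow). Builds two image variants,
# scans each with Grype via anchore/scan-action, and uploads SARIF with a
# category that is unique per variant so the two uploads for the same commit
# are stored as separate analyses instead of the later one replacing the
# earlier one.
name: ci

on:
  pull_request:
  push:
    branches: [master]

permissions:
  contents: read
  security-events: write   # required for github/codeql-action/upload-sarif

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # Assumed names; the page only says "standard" and "FIPS" builds.
          - variant: standard
            dockerfile: Dockerfile
          - variant: fips
            dockerfile: Dockerfile.fips
    steps:
      - uses: actions/checkout@v6.0.2

      - uses: docker/setup-buildx-action@v4.0.0

      - name: Build ${{ matrix.variant }} image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          # Load into the local daemon so the scanner can read the image
          # without pushing it to a registry.
          load: true
          push: false
          tags: example/app:${{ matrix.variant }}-${{ github.sha }}

      - name: Scan ${{ matrix.variant }} image with Grype
        id: grype
        uses: anchore/scan-action@v6
        # Matches the PR: a failed scan does not fail the job, so the SARIF
        # still gets uploaded. Note this also hides scanner errors (e.g. a
        # vulnerability-DB download failure); see the usage note.
        continue-on-error: true
        with:
          image: example/app:${{ matrix.variant }}-${{ github.sha }}
          output-format: sarif
          severity-cutoff: high
          fail-build: false

      - name: Upload ${{ matrix.variant }} Grype SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
          # Distinct per variant: grype-standard / grype-fips.
          category: grype-${{ matrix.variant }}
```

Two practitioner checks on this pattern. First, `security-events: write` must be granted (at workflow or job level) or the upload step fails with a 403, and the Security tab shows nothing. Second, `continue-on-error: true` on the scan step means neither findings nor scanner failures ever block the merge; the upload is the only signal, so someone has to actually watch the Security tab. If the intent is to gate on high-severity findings, drop `continue-on-error` and set `fail-build: true` with the chosen `severity-cutoff` so the job itself turns red.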


@NARSimoes NARSimoes merged commit 8f8a8e1 into master Mar 20, 2026
14 checks passed
@NARSimoes NARSimoes deleted the nasimoes-ci-bump-actions branch March 20, 2026 17:34