agentguard-ci/docs/plans/phase2-step5-syft-grype.md
2026-04-19 22:29:53 -06:00

Implementation Plan: Syft & Grype Scanner

Objective

Implement the SBOM generation (Syft) and vulnerability scanning (Grype) step as a parallel task in the DAG.

Requirements

  • Define a task template named scan-syft-grype.
  • Depend on the clone-repo task.
  • Mount the shared PVC at /workspace.
  • Step A: Run Syft against /workspace to generate an SBOM (SPDX/CycloneDX format) -> /workspace/reports/sbom.json.
  • Step B: Run Grype against the generated SBOM (or the workspace directly) to find vulnerabilities.
  • Output Grype findings in SARIF format.
  • Save the Grype output to /workspace/reports/grype.sarif.
  • Ensure the task always exits successfully (e.g. append || true to the scan command) so that the Phase 3 aggregation step can still run.

Agent Instructions

  1. Add the scan-syft-grype template to the ClusterWorkflowTemplate.
  2. Wire it into the DAG alongside the other scanners.
  3. CRITICAL (file splitting): do NOT put everything into one giant file. Split the YAML manifests or configuration into separate, smaller files (e.g. separate Helm template files, ConfigMaps, or helper scripts) so the context window is not exhausted.
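The following Argo Workflows fragment is an added example of the task described above; it is not the agentguard-ci project's own manifest. Because the upstream anchore/syft and anchore/grype images are distroless (no shell for || true), the always-succeed requirement is expressed with Argo's step-level continueOn.failed instead. Assumed names: a PVC claim called workspace-pvc, an existing clone-repo template that also creates /workspace/reports, and a DAG entrypoint called pipeline.

```yaml
# Added example, not the agentguard-ci project's own manifest.
# Assumed names: PVC claim "workspace-pvc", an existing clone-repo
# template that also creates /workspace/reports, entrypoint "pipeline".
spec:
  entrypoint: pipeline
  volumes:
    - name: workspace
      persistentVolumeClaim:
        claimName: workspace-pvc
  templates:
    - name: pipeline
      dag:
        tasks:
          - name: clone-repo
            template: clone-repo
          - name: scan-syft-grype
            template: scan-syft-grype
            dependencies: [clone-repo]   # runs in parallel with other scanners

    # Task template: Step A (Syft) then Step B (Grype) on the shared PVC.
    - name: scan-syft-grype
      steps:
        - - name: generate-sbom
            template: syft-sbom
            continueOn: {failed: true}   # never block Phase 3 aggregation
        - - name: scan-vulns
            template: grype-scan
            continueOn: {failed: true}   # same role as "|| true"

    - name: syft-sbom
      container:
        image: anchore/syft:latest       # placeholder tag; pin by digest
        command: ["syft"]
        # Scan the checkout and write an SPDX JSON SBOM into the reports dir.
        args: ["dir:/workspace", "-o", "spdx-json=/workspace/reports/sbom.json"]
        volumeMounts:
          - {name: workspace, mountPath: /workspace}

    - name: grype-scan
      container:
        image: anchore/grype:latest      # placeholder tag; pin by digest
        command: ["grype"]
        # Match the SBOM against the vulnerability DB and emit SARIF.
        args: ["sbom:/workspace/reports/sbom.json",
               "-o", "sarif", "--file", "/workspace/reports/grype.sarif"]
        volumeMounts:
          - {name: workspace, mountPath: /workspace}
```

Per agent instruction 3, the three templates would live in separate Helm template files in the real repository; they are shown together here only so the wiring is visible in one place.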