agentguard-ci/docs/plans/phase2-step5-syft-grype.md (commit 963e020efa "plan files", Elizabeth W, 2026-04-19 22:12:00 -06:00)

Implementation Plan: Syft & Grype Scanner

Objective

Implement the SBOM generation (Syft) and vulnerability scanning (Grype) step as a parallel task in the DAG.

Requirements

  • Define a task template named scan-syft-grype.
  • Depend on the clone-repo task, so the checked-out source is already on the shared volume when this task starts.
  • Mount the shared PVC at /workspace.
  • Step A: Run Syft against /workspace to generate an SBOM in one of the JSON formats Grype can consume (SPDX JSON or CycloneDX JSON) -> /workspace/reports/sbom.json.
  • Step B: Run Grype against the generated SBOM (sbom:/workspace/reports/sbom.json), or against the workspace directory directly if the SBOM was not produced, to find vulnerabilities. Grype needs its vulnerability database, so the scanner image must ship with it or the pod must be allowed to fetch it.
  • Output Grype findings in SARIF format (-o sarif).
  • Save the Grype output to /workspace/reports/grype.sarif.
  • Ensure the task exits successfully (|| true) so Phase 3 aggregation always runs. Because || true also hides a tool crash or a missing database, record whether each tool actually succeeded (for example in a status file under /workspace/reports) so that "no findings" and "scan did not run" are distinguishable downstream.
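The following script is an added example and is not the agentguard-ci project's own code. It is a POSIX shell body that could be used as the script source of the scan-syft-grype template to implement Steps A and B above. It assumes syft and grype are on PATH in the scanner image and that the PVC is mounted at /workspace; the status file name /workspace/reports/scan-syft-grype.status, the run_step, write_empty_sarif and sarif_result_count helpers, and the fallback to an empty SARIF log are all this example's own choices, not something the plan specifies.

```shell
#!/bin/sh
# Added example, not agentguard-ci's own code: shell body for the
# scan-syft-grype step. Assumes syft and grype are on PATH and the shared
# PVC is mounted at /workspace (override with WORKSPACE for local runs).
set -u

# run_step STATUS_FILE NAME CMD...
# Runs CMD, appends "NAME=ok" or "NAME=failed rc=N" to STATUS_FILE and always
# returns 0, so the DAG keeps going (the plan's "|| true" contract) while a
# tool crash or missing vulnerability DB stays visible to Phase 3.
run_step() {
  status_file="$1"; name="$2"; shift 2
  rc=0
  "$@" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "$name=ok" >> "$status_file"
  else
    echo "$name=failed rc=$rc" >> "$status_file"
  fi
  return 0
}

# write_empty_sarif OUT: a valid SARIF 2.1.0 log with zero results, written
# when grype produced nothing, so the aggregator gets parseable input rather
# than a missing file. (Hypothetical placeholder, not grype output.)
write_empty_sarif() {
  cat > "$1" <<'EOF'
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [ { "tool": { "driver": { "name": "grype" } }, "results": [] } ]
}
EOF
}

# sarif_result_count FILE: rough count of result objects in an indented SARIF
# file (each grype result carries one "ruleId" key). A job-log heuristic;
# Phase 3 should parse the JSON properly.
sarif_result_count() {
  grep -c '"ruleId"' "$1" || true
}

main() {
  ws="${WORKSPACE:-/workspace}"
  reports="$ws/reports"
  sbom="$reports/sbom.json"
  sarif="$reports/grype.sarif"
  status="$reports/scan-syft-grype.status"   # hypothetical name read by Phase 3
  mkdir -p "$reports"
  : > "$status"

  # Step A: catalogue the checked-out tree into a CycloneDX JSON SBOM,
  # skipping the reports directory so earlier scanner output is not catalogued.
  run_step "$status" syft \
    syft "dir:$ws" --exclude './reports/**' -o "cyclonedx-json=$sbom"

  # Step B: scan the SBOM when it exists, otherwise scan the directory itself.
  if [ -s "$sbom" ]; then
    run_step "$status" grype grype "sbom:$sbom" -o sarif --file "$sarif"
  else
    run_step "$status" grype grype "dir:$ws" -o sarif --file "$sarif"
  fi

  # Never leave Phase 3 without a SARIF file, but say so in the status file.
  if [ ! -s "$sarif" ]; then
    write_empty_sarif "$sarif"
    echo "grype_output=placeholder" >> "$status"
  fi
  echo "grype results: $(sarif_result_count "$sarif")"
  return 0
}

# Only run the scans when invoked as "sh scan.sh run"; sourcing the file just
# defines the functions, which keeps them testable with stand-in commands.
case "${1:-}" in run) main ;; esac
```

In the template the container command would be `sh scan.sh run` (or the script inlined with `run` appended), and the step still exits 0 on every path. The status file is what lets Phase 3 tell a clean scan from one where grype never ran, for example because the image has no vulnerability database and egress is blocked.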

Agent Instructions

  1. Add the scan-syft-grype template to the ClusterWorkflowTemplate.
  2. Wire it into the DAG alongside the other scanners.