ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
963e020efae702fadde7646bd41d9265fadcdd0a
agentguard-ci/docs/plans/phase2-step5-syft-grype.md
T
Elizabeth W 963e020efa plan files
2026-04-19 22:12:00 -06:00

19 lines
857 B
Markdown
Raw Blame History

# Implementation Plan: Syft & Grype Scanner
## Objective
Implement the SBOM generation (Syft) and vulnerability scanning (Grype) step as a parallel task in the DAG.
## Requirements
- Define a task template named `scan-syft-grype`.
- Depend on the `clone-repo` task.
- Mount the shared PVC at `/workspace`.
- Step A: Run Syft against `/workspace` to generate an SBOM (SPDX/CycloneDX format) -> `/workspace/reports/sbom.json`.
- Step B: Run Grype against the generated SBOM (or the workspace directly) to find vulnerabilities.
- Output Grype findings in SARIF format.
- Save the Grype output to `/workspace/reports/grype.sarif`.
- Ensure the task exits successfully (`|| true`) to allow Phase 3 aggregation.
## Agent Instructions
1. Add the `scan-syft-grype` template to the `ClusterWorkflowTemplate`.
2. Wire it into the DAG alongside the other scanners.
Reference in New Issue View Git Blame Copy Permalink