fix: install grype with checksum verification for container scan reports (#180)

coopernetes · web-flow · commit f5544c7d0922 · 2026-04-21T08:25:45.000-04:00
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
@@ -11,6 +11,8 @@ jobs:
   grype:
     name: Container Scan
     runs-on: ubuntu-latest
+    env:
+      GRYPE_VERSION: "0.111.0"
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
@@ -20,6 +22,7 @@ jobs:
         id: scan
         with:
           image: ghcr.io/coopernetes/git-proxy-java:latest
+          grype-version: ${{ env.GRYPE_VERSION }}
           fail-build: true
           severity-cutoff: high
           only-fixed: true
@@ -30,6 +33,16 @@ jobs:
       # in the GitHub Security tab (high CVSS score ≠ high actual risk for this workload).
       # The build still fails on high/critical with a fix available via fail-build: true above.
 
+      - name: Install grype
+        if: always()
+        run: |
+          curl -sSfL -o /tmp/grype.tar.gz \
+            https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
+          curl -sSfL -o /tmp/grype_checksums.txt \
+            https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt
+          grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" /tmp/grype_checksums.txt | sha256sum --check --ignore-missing
+          tar -xzf /tmp/grype.tar.gz -C /usr/local/bin grype
+
       - name: Generate human-readable report
         if: always()
         run: |
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -86,6 +86,8 @@ jobs:
       contents: read
       security-events: write
     if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    env:
+      GRYPE_VERSION: "0.111.0"
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
@@ -95,6 +97,7 @@ jobs:
         id: scan
         with:
           image: ghcr.io/${{ github.repository }}@${{ needs.build-and-push.outputs.digest }}
+          grype-version: ${{ env.GRYPE_VERSION }}
           fail-build: true
           severity-cutoff: high
           only-fixed: true
@@ -105,6 +108,16 @@ jobs:
       # in the GitHub Security tab (high CVSS score ≠ high actual risk for this workload).
       # The build still fails on high/critical with a fix available via fail-build: true above.
 
+      - name: Install grype
+        if: always()
+        run: |
+          curl -sSfL -o /tmp/grype.tar.gz \
+            https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
+          curl -sSfL -o /tmp/grype_checksums.txt \
+            https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt
+          grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" /tmp/grype_checksums.txt | sha256sum --check --ignore-missing
+          tar -xzf /tmp/grype.tar.gz -C /usr/local/bin grype
+
       - name: Generate human-readable report
         if: always()
         run: |
