run govulncheck and then grype (#2000)

* run govulncheck and then grype

* cleanup

* exclude bin/ from grype scans

* show path to file containing vuln in grype output

.grype.tmpl

@@ -0,0 +1,4 @@
+NAME	INSTALLED	FIXED-IN	TYPE	VULNERABILITY	SEVERITY	EPSS	RISK	PATH
+{{- range .Matches}}
+{{.Artifact.Name}}	{{.Artifact.Version}}	{{join .Vulnerability.Fix.Versions ","}}	{{.Artifact.Type}}	{{.Vulnerability.ID}}	{{.Vulnerability.Severity}}	{{.Vulnerability.EPSS}}	{{.Vulnerability.Risk}}	{{range .Artifact.Locations}}{{.AccessPath}}{{end}}
+{{- end}}

.grype.yaml

@@ -0,0 +1,3 @@
+exclude:
+  - ./examples/**
+  - ./bin/**

Makefile

@@ -255,14 +255,19 @@ sbom: sbom/assets/troubleshoot-sbom.tgz
 		sbom/assets/troubleshoot-sbom.tgz > sbom/assets/troubleshoot-sbom.tgz.sig
 	cosign public-key --key cosign.key --outfile sbom/assets/key.pub
 
+.PHONY: get-govulncheck
+get-govulncheck:
+	@command -v govulncheck >/dev/null 2>&1 || go install golang.org/x/vuln/cmd/govulncheck@latest
+
+.PHONY: get-grype
+get-grype:
+	@command -v grype >/dev/null 2>&1 || curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b $(GOPATH)/bin
+
 .PHONY: scan
-scan:
-	trivy fs \
-		--scanners vuln \
-		--exit-code=1 \
-		--severity="HIGH,CRITICAL" \
-		--ignore-unfixed \
-		./
+scan: get-govulncheck get-grype
+	govulncheck ./...
+	grype db update
+	grype dir:. --only-fixed --fail-on high -o template -t .grype.tmpl
 
 .PHONY: watch
 watch: npm-install
@@ -296,4 +301,4 @@ longhorn:
 	find pkg/longhorn -type f | xargs sed -i "s/github.com\/longhorn\/longhorn-manager\/k8s\/pkg/github.com\/replicatedhq\/troubleshoot\/pkg\/longhorn/g"
 	find pkg/longhorn -type f | xargs sed -i "s/github.com\/longhorn\/longhorn-manager\/types/github.com\/replicatedhq\/troubleshoot\/pkg\/longhorn\/types/g"
 	find pkg/longhorn -type f | xargs sed -i "s/github.com\/longhorn\/longhorn-manager\/util/github.com\/replicatedhq\/troubleshoot\/pkg\/longhorn\/util/g"
-	rm -rf longhorn-manager
+	rm -rf longhorn-manager