From cb1e39cb617ea7b993063b5dae6574b81a70065c Mon Sep 17 00:00:00 2001
From: Andrew Lavery
Date: Tue, 24 Mar 2026 16:29:12 -0400
Subject: [PATCH] run govulncheck and then grype (#2000)

* run govulncheck and then grype
* cleanup
* exclude bin/ from grype scans
* show path to file containing vuln in grype output
---
 .grype.tmpl | 4 ++++
 .grype.yaml | 3 +++
 Makefile | 21 +++++++++++++--------
 3 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 .grype.tmpl
 create mode 100644 .grype.yaml

diff --git a/.grype.tmpl b/.grype.tmpl
new file mode 100644
index 00000000..fabefbef
--- /dev/null
+++ b/.grype.tmpl
@@ -0,0 +1,4 @@
+NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS RISK PATH
+{{- range .Matches}}
+{{.Artifact.Name}} {{.Artifact.Version}} {{join .Vulnerability.Fix.Versions ","}} {{.Artifact.Type}} {{.Vulnerability.ID}} {{.Vulnerability.Severity}} {{.Vulnerability.EPSS}} {{.Vulnerability.Risk}} {{range .Artifact.Locations}}{{.AccessPath}}{{end}}
+{{- end}}
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 00000000..b6afecbd
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,3 @@
+exclude:
+  - ./examples/**
+  - ./bin/**
diff --git a/Makefile b/Makefile
index 92f4d321..51ba93b6 100644
--- a/Makefile
+++ b/Makefile
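Review bot: The PATH column on the third line of .grype.tmpl concatenates every location with no separator, so `{{range .Artifact.Locations}}{{.AccessPath}}{{end}}` prints `a/go.modb/go.mod` when the same artifact is found in more than one file, while the FIXED-IN column on the same line already joins its values with a comma. Inserting the separator from the loop index keeps the column parseable: `{{range $i, $loc := .Artifact.Locations}}{{if $i}},{{end}}{{$loc.AccessPath}}{{end}}`. Since the header row is the only place a reader learns the column order, the separator convention should be the same for both list-valued columns.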
@@ -255,14 +255,19 @@ sbom: sbom/assets/troubleshoot-sbom.tgz
 	sbom/assets/troubleshoot-sbom.tgz > sbom/assets/troubleshoot-sbom.tgz.sig
 	cosign public-key --key cosign.key --outfile sbom/assets/key.pub
 
+.PHONY: get-govulncheck
+get-govulncheck:
+	@command -v govulncheck >/dev/null 2>&1 || go install golang.org/x/vuln/cmd/govulncheck@latest
+
+.PHONY: get-grype
+get-grype:
+	@command -v grype >/dev/null 2>&1 || curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b $(GOPATH)/bin
+
 .PHONY: scan
-scan:
-	trivy fs \
-		--scanners vuln \
-		--exit-code=1 \
-		--severity="HIGH,CRITICAL" \
-		--ignore-unfixed \
-		./
+scan: get-govulncheck get-grype
+	govulncheck ./...
+	grype db update
+	grype dir:. --only-fixed --fail-on high -o template -t .grype.tmpl
 
 .PHONY: watch
 watch: npm-install
@@ -296,4 +301,4 @@ longhorn:
 	find pkg/longhorn -type f | xargs sed -i "s/github.com\/longhorn\/longhorn-manager\/k8s\/pkg/github.com\/replicatedhq\/troubleshoot\/pkg\/longhorn/g"
 	find pkg/longhorn -type f | xargs sed -i "s/github.com\/longhorn\/longhorn-manager\/types/github.com\/replicatedhq\/troubleshoot\/pkg\/longhorn\/types/g"
 	find pkg/longhorn -type f | xargs sed -i "s/github.com\/longhorn\/longhorn-manager\/util/github.com\/replicatedhq\/troubleshoot\/pkg\/longhorn\/util/g"
-	rm -rf longhorn-manager
\ No newline at end of file
+	rm -rf longhorn-manager
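Review bot: In the new get-grype recipe, `$(GOPATH)` expands to an empty string whenever GOPATH is not exported into make's environment (Go has defaulted it internally since 1.8, so many developer shells never set it), which hands the installer `-b /bin` and either fails or tries to write into a system directory; `$(shell go env GOPATH)/bin` resolves the value that `go install` in get-govulncheck actually uses. Both helper targets also pull unpinned code at build time — govulncheck at `@latest` and grype through an install script streamed from the upstream main branch into `sh` — so a scan can change result or break with no change in this repository; pinning, e.g. `go install golang.org/x/vuln/cmd/govulncheck@<GOVULNCHECK_VERSION>` and passing the release tag as the installer's trailing argument, `sh -s -- -b $(shell go env GOPATH)/bin <GRYPE_VERSION>`, makes the scan reproducible (versions are placeholders). The two scanners in `scan` also fail on different thresholds — govulncheck exits non-zero on any finding it reports while grype is told `--fail-on high` and `--only-fixed` — which may be intended but deserves a one-line comment above the target so the policy is explicit.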