chore(security): add .grype.yaml to ignore negligible vulnerabilities
Summary
Our release GHA workflow scans generated Docker images and reports vulnerabilities.
Some of the vulnerabilities are negligible and some won't be fixed by upstream. This PR adds a Grype configuration to ignore those vulnerabilities.
According to https://github.com/anchore/grype#configuration and https://github.com/marketplace/actions/anchore-container-scan#additional-configuration, we put the .grype.yaml in the root of the repo.
Checklist
- [n/a] The Pull Request has tests
- [n/a] There's an entry in the CHANGELOG
- [n/a] There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE
Full changelog
- add .grype.yaml to ignore negligible and won't-fix vulnerabilities
Issue reference
Fix #FTI-5195
@kikito FYI. Thanks.
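For readers unfamiliar with the Grype ignore syntax the PR relies on, here is an illustrative .grype.yaml. This is an added example, not the file this PR adds; the CVE identifiers, package name, version and path in it are placeholders. Each rule under `ignore` is an AND of the fields it lists, so a finding is dropped only when every listed field matches, and rules that carry a `fix-state` track the vulnerability feed rather than a fixed list of IDs:

```yaml
# .grype.yaml (illustrative example; not the file from this PR)
#
# Grype reads this file from the directory it is invoked in (the repo root
# when the GitHub Action checks out the repository), among other documented
# locations. Each rule below is an AND of its fields.
ignore:
  # 1. Won't-fix: suppress every finding the upstream distro has marked
  #    "wont-fix", whatever the CVE ID. Findings with an available fix are
  #    not affected by this rule and stay in the report.
  - fix-state: wont-fix

  # 2. Negligible finding, pinned to the package and install location so the
  #    rule stops matching as soon as the package is upgraded or moved.
  #    CVE-XXXX-YYYYY, example-lib, 1.2.3 and /usr/lib/** are placeholders.
  - vulnerability: CVE-XXXX-YYYYY
    package:
      name: example-lib
      version: "1.2.3"
      type: deb
      location: "/usr/lib/**"

  # 3. Not fixed upstream yet: suppress only while no fix exists. Once the
  #    feed records a fixed version, fix-state becomes "fixed", this rule no
  #    longer matches, and the finding reappears. CVE-XXXX-ZZZZZ is a placeholder.
  - vulnerability: CVE-XXXX-ZZZZZ
    fix-state: not-fixed

# Independent of the ignore list: fail the scan on any non-ignored finding
# at or above this severity.
fail-on-severity: high
```

Two checks worth doing before merging such a file: run `grype <image> -o json` locally from the repo root and confirm the suppressed findings appear under `ignoredMatches` rather than `matches`, which proves the rule actually matched; and prefer rules scoped by `package` or `fix-state` over bare CVE IDs, so that an ignore does not outlive the condition that justified it. If a scan in CI still reports a suppressed CVE, the first things to verify are that the scan's working directory is the one containing .grype.yaml and that every field in the rule (package name, version, type, location) matches what Grype reports for that finding.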
2.8.4.3-rc1 still reports the vulnerability: https://github.com/Kong/kong-ee/actions/runs/6081756831
Closing due to no authority decision.