From 4b79e616af7bede2063099f5ac007a7b38330fd5 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Fri, 20 Mar 2026 10:41:31 +0200
Subject: [PATCH] chore: migrate from Trivy to Grype for vulnerability scanning

Replace aquasecurity/trivy-action with anchore/scan-action (Grype) v7.3.2.
Remove config scanning job (not supported by Grype).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/security.yml | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index b5024ee..b5c584e 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -13,27 +13,19 @@ permissions:
   contents: read
 
 jobs:
-  trivy-scan:
-    name: Trivy Security Scan
+  grype-scan:
+    name: Grype Security Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+      - name: Run Grype vulnerability scanner
+        id: grype-scan
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
         with:
-          scan-type: 'fs'
-          ignore-unfixed: true
-          format: 'table'
-          exit-code: '1'
-          severity: 'CRITICAL,HIGH'
-
-      - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
-        with:
-          scan-type: 'config'
-          hide-progress: false
-          format: 'table'
-          exit-code: '1'
-          severity: 'CRITICAL,HIGH'
+          path: "."
+          only-fixed: true
+          output-format: "table"
+          fail-build: true
+          severity-cutoff: "high"
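Review bot: The removed IaC-mode Trivy step has no replacement in the hunk, so the workflow no longer fails on misconfiguration findings (and, if Trivy's default fs scanners were in effect, secret detection), yet nothing in the file records that this coverage was intentionally dropped. A comment above `grype-scan:` such as `# Grype covers dependency vulnerabilities only; IaC/misconfiguration scanning was dropped with the Trivy migration (see commit 4b79e61)` keeps the gap visible to whoever next audits the scanning setup. The new `id: grype-scan` is not referenced by anything in the hunk; if no later step reads `steps.grype-scan.outputs`, it is dead and can be dropped. The remaining inputs map cleanly onto the old ones (`only-fixed: true` for `ignore-unfixed`, `severity-cutoff: "high"` for `CRITICAL,HIGH`, `fail-build: true` for `exit-code: '1'`). The job body may continue past the end of the hunk.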