build(compliance): add vulnerability scanning at release time and vulnerabilities verification#2786
Open
kaysavps wants to merge 3 commits intochainloop-dev:mainfrom
Open
build(compliance): add vulnerability scanning at release time and vulnerabilities verification#2786kaysavps wants to merge 3 commits intochainloop-dev:mainfrom
kaysavps wants to merge 3 commits intochainloop-dev:mainfrom
Conversation
…nerabilities verification Signed-off-by: Victoria <kaysa.vps@gmail.com>
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 2 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yaml">
<violation number="1" location=".github/workflows/release.yaml:158">
P1: Missing `--kind SARIF` on `chainloop attestation add` for the vulnerability report. Every other attestation-add in this workflow specifies `--kind`, and since Grype outputs SARIF format, the kind should be explicitly set to ensure proper material categorization and policy evaluation.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Add one-off context when rerunning by tagging
@cubic-dev-aiwith guidance or docs links (includingllms.txt) - Ask questions if you need clarification on any suggestion
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
jiparis
reviewed
Mar 3, 2026
Signed-off-by: Victoria <kaysa.vps@gmail.com>
There was a problem hiding this comment.
1 issue found across 1 file (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yaml">
<violation number="1" location=".github/workflows/release.yaml:97">
P1: Security: Grype install script is fetched via a mutable tag (`v0.109.0`) instead of a pinned commit hash. Tags can be force-pushed, allowing the script content to change silently. This breaks the convention used by every other external reference in this workflow (Syft, actions/checkout, cosign-installer, goreleaser) which all pin to immutable commit SHAs. Pin the install script URL to the commit hash corresponding to `v0.109.0` to maintain supply chain integrity.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Signed-off-by: Victoria <kaysa.vps@gmail.com>
There was a problem hiding this comment.
1 issue found across 1 file (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yaml">
<violation number="1" location=".github/workflows/release.yaml:97">
P2: The version argument for the Grype binary was dropped. The Anchore install script defaults to `latest` when no version is specified, so the installed Grype version will float on every release run. Consider pinning a specific version (e.g., `sh -s -- -b /usr/local/bin v0.109.0`) to ensure reproducible vulnerability scans across releases.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
jiparis
approved these changes
Mar 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
{image}-{arch}-vulnerability-reportto the release attestation.vulnerability-managementpolicy group (severity HIGH) to the release contract so scan results are evaluated at release time.VEX is not used; the existing
.vexfiles are empty and support can be added later if we add exception statements.Please note that the github action itself have not been tested.
refs #2785