Merge pull request #7 from riverma/issue-155
Issue 155
riverma authored Jul 30, 2024
2 parents 11be543 + 0be593d commit 8c181e8
Showing 2 changed files with 8 additions and 6 deletions.
Expand Up @@ -4,5 +4,6 @@ repos:
- id: grype-cve-scan
name: Grype Vulnerability Scan
description: Scans for dependency vulnerabilities. Fails if CRITICAL vulnerabilities detected.
entry: python -c "import subprocess; import sys; result=subprocess.run(['grype', 'dir:.', '--fail-on', 'critical'], capture_output=True); print(result.stdout.decode()); print('CRITICAL vulnerabilities deteced. Please run scan, address issues via `grype dir:.` and `git add` then `git commit` your fix or ignore via `git commit --no-verify`'); sys.exit(result.returncode)"
language: system
entry: python -c "import os; import subprocess; import sys; os.environ['GRYPE_DB_AUTO_UPDATE'] = 'false'; result=subprocess.run(['grype', 'dir:.', '--fail-on', 'critical'], capture_output=True); print(result.stdout.decode()); print('CRITICAL level vulnerabilities found. To address issues, run scan via `grype dir:.`, then `git add` followed by `git commit` your fix or ignore via `git commit --no-verify`') if result.returncode != 0 else print('No CRITICAL level vulnerabilities found.'); sys.exit(result.returncode)"
language: system
verbose: true
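Review bot: the new `entry` prints "CRITICAL level vulnerabilities found" whenever `result.returncode != 0`, but `grype --fail-on critical` also exits non-zero when the scan itself fails (for example when the vulnerability database is missing, which is now more likely because `GRYPE_DB_AUTO_UPDATE` is forced to `false`), and `capture_output=True` discards the stderr that would explain it. Print `result.stderr.decode()` alongside stdout so a developer can tell a scan error from a real finding, and document that with auto-update disabled the hook scans against a local database that must be refreshed separately, otherwise newly published vulnerabilities are silently missed. The trailing `verbose: true` is a good addition since it makes the hook's output visible on success as well.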
Expand Up @@ -65,7 +65,7 @@ Download the file above to access the pre-commit configuration file, which inclu

### Step 2: Setup Automated Local Scanning of Container Vulnerabilities

⚠️ NOTE: We recommend installing this pre-commit hook only if you have already scanned your repository and addressed any vulnerabilities.
⚠️ NOTE: We recommend installing this pre-commit hook only if you have downloaded grype, already scanned your repository and addressed any vulnerabilities.

The below steps, once enacted, will ensure that any local `git commit` actions taken will be followed by an automated vulnerability scan. If vulnerabilities at the CRITICAL level are found, the commit will be blocked by default.

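Review bot: the amended note says "downloaded grype", but the hook in the accompanying `.pre-commit-config.yaml` change invokes `grype` through `subprocess.run`, so the real prerequisite is that Grype is installed and on the `PATH` of the shell running `git commit`; say that explicitly and link to the installation instructions referenced earlier in this guide, because a missing binary surfaces as a Python traceback rather than a clear message.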
Expand All @@ -84,9 +84,10 @@ The below steps, once enacted, will ensure that any local `git commit` actions t
4. Grype-based vulnerability scanning should run every time a `git commit` is invoked. The commit will be blocked if CRITICAL level vulnerabilities are found and will ask the developer to fix them prior to committing.

### Step 3: Set Up Automated Repository Scanning
- **GitHub**:
- We recommend installing the official Grype GitHub action to set up automated dependency vulnerability scanning. Available [at this link](https://github.com/marketplace/actions/anchore-container-scan).
- We also recommend setting up GitHub's official Dependabot action to also look for vulnerabilities. See our [GitHub Security Guide](/docs/guides/software-lifecycle/security/github-security) on this.

For GitHub users, we recommend:
- Installing the official Grype GitHub action to set up automated dependency vulnerability scanning. The tool is available [at this link](https://github.com/marketplace/actions/anchore-container-scan).
- Setting up GitHub's official Dependabot action to also look for vulnerabilities. See our [GitHub Security Guide](/docs/guides/software-lifecycle/security/github-security) on this.
---
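Review bot: the rewritten bullet still calls Dependabot an "action"; Dependabot is a built-in GitHub repository feature (alerts and security updates enabled under the repository's security settings), not a Marketplace action, so "Setting up GitHub's Dependabot alerts and security updates" would be accurate. Also consider descriptive link text instead of "at this link", e.g. linking the words "official Grype GitHub action" directly, so the target is clear when the page is skimmed.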

0 comments on commit 8c181e8
