From 93199f34d88943989aebb63c421a66fcb362fc3d Mon Sep 17 00:00:00 2001 From: Rishi Verma Date: Thu, 29 Aug 2024 21:16:58 -0700 Subject: [PATCH] Clarified local dir scan and ensure pre-commit scans only upon push --- .../security/dependency-vulnerability-scanning/README.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/guides/software-lifecycle/security/dependency-vulnerability-scanning/README.mdx b/docs/guides/software-lifecycle/security/dependency-vulnerability-scanning/README.mdx index 4d2be82a3..2ce60499e 100644 --- a/docs/guides/software-lifecycle/security/dependency-vulnerability-scanning/README.mdx +++ b/docs/guides/software-lifecycle/security/dependency-vulnerability-scanning/README.mdx @@ -71,7 +71,7 @@ GitHub Action for Grype vulnerability scanning. grype version ``` -2. Perform a scan of the local repository for vulnerabilities: +2. Perform a scan of the local repository for vulnerabilities. The below checks for vulnerabilities via any common package managers that are detected in your repository. See [Grype supported sources](https://github.com/anchore/grype?tab=readme-ov-file#supported-sources) for more information. ```bash grype dir:. 
@@ -95,7 +95,9 @@ GitHub Action for Grype vulnerability scanning. ⚠️ NOTE: We recommend installing this pre-commit hook only if you have downloaded grype, already scanned your repository and addressed any vulnerabilities. -The below steps, once enacted, will ensure that any local `git commit` actions taken will be followed by an automated vulnerability scan. If vulnerabilities at the CRITICAL level are found, the commit will be blocked by default. +⚠️ NOTE: The automated scan described below will NOT check for image vulnerabilities, rather, it uses the package dependency capability of Grype to look for third-party dependencies via `grype dir:.` + +The below steps, once enacted, will ensure that any local `git push` actions taken will be followed by an automated vulnerability scan. If vulnerabilities at the CRITICAL level are found, the push will be blocked by default. 1. Install the pre-commit framework via Python: ```bash
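Review bot: In the first hunk (`@@ -71,7 +71,7 @@`), the added sentence "checks for vulnerabilities via any common package managers that are detected in your repository" is imprecise and reads awkwardly: `grype dir:.` does not invoke package managers, it catalogs the package manifests and lock files it finds under the directory, so something like "The command below catalogs the dependency manifests and lock files of any supported package ecosystem found in the repository and checks them for known vulnerabilities" would be clearer. Two smaller points: the link `https://github.com/anchore/grype?tab=readme-ov-file#supported-sources` carries a GitHub UI query parameter (`?tab=readme-ov-file`) that is not needed for the anchor and may not survive README changes, so the plain `https://github.com/anchore/grype#supported-sources` is preferable; and since `dir:.` is relative to the current working directory, the step should say to run it from the repository root.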
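Review bot: In the second hunk (`@@ -95,7 +95,9 @@`), the prose is changed from "any local `git commit` actions" to "any local `git push` actions" and "the commit will be blocked" to "the push will be blocked", but this patch touches only README.mdx (1 file changed) and the surrounding, unchanged steps still say "installing this pre-commit hook" and "1. Install the pre-commit framework via Python", so nothing visible in the diff moves the hook to the push stage. The pre-commit framework only runs a hook on push when the hook is configured for that stage (`stages: [pre-push]` in `.pre-commit-config.yaml`) and installed with `pre-commit install --hook-type pre-push`; if the later steps were not updated to match, the documented behaviour (scan blocks the push) and the actual behaviour (scan blocks the commit) diverge, and the NOTE about installing "this pre-commit hook" should also be reworded to "this pre-push hook (installed via the pre-commit framework)". The new NOTE line also needs a terminal period and the comma splice tidied, e.g. "The automated scan described below does NOT check container images; it uses Grype's directory scan (`grype dir:.`) to look for vulnerable third-party dependencies."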