Skip to content

ci: set only-fixed on grype scan to skip unfixable CVEs#536

Merged
JAORMX merged 1 commit intomainfrom
ci/grype-only-fixed
Apr 21, 2026
Merged

ci: set only-fixed on grype scan to skip unfixable CVEs#536
JAORMX merged 1 commit intomainfrom
ci/grype-only-fixed

Conversation

@JAORMX
Copy link
Copy Markdown
Collaborator

@JAORMX JAORMX commented Apr 21, 2026

Summary

  • Adds only-fixed: true to the grype scan step in build-containers.yml.
  • Makes the HIGH+ severity gate ignore CVEs that have no available fix, so spec.yaml PRs aren't blocked by base-image drift the author cannot resolve.

Why

PR #509 (Pinecone MCP) is currently blocked by three HIGH findings in the generated image:

CVE Package Fix
CVE-2026-32631 git (apk) no Alpine fix yet
CVE-2026-27135 nghttp2-libs (apk) no fix yet
GHSA-c2c7-rcm5-vvqj picomatch (bundled in npm) 4.0.4

Two of the three have no remediation available, so failing the build on them offers no path to green other than waiting for an upstream patch. With only-fixed: true, grype still fails when a fix exists (picomatch above would still block until the base image bumps npm) but stops failing on CVEs we can't act on.

The base-image bump is still the right long-term fix; this change just keeps the gate actionable in the meantime.

Test plan

  • CI build-containers passes on this PR (no spec.yaml changed, so the grype matrix will skip — sanity-check by landing a subsequent no-op spec change or by rebasing PR feat: add Pinecone MCP server #509 on this)
  • After merge, PR feat: add Pinecone MCP server #509's build-containers (npx/pinecone-mcp/spec.yaml) should either go green (if picomatch has flowed through) or fail only on the picomatch fix, not the two apk CVEs

🤖 Generated with Claude Code

@JAORMX @claude
ci: set only-fixed on grype scan to skip CVEs without a fix
9eb8ba8 
Grype currently fails build-containers on HIGH+ CVEs even when upstream
has no available fix (e.g. CVE-2026-32631 git, CVE-2026-27135 nghttp2-libs
on Alpine). These block new spec.yaml PRs on base-image drift that the
PR author cannot resolve. With only-fixed: true, grype only fails on
vulnerabilities that actually have a remediation path, so the gate keeps
its meaning without blocking on nothing-to-do findings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@JAORMX JAORMX enabled auto-merge (squash) April 21, 2026 08:01
@JAORMX JAORMX requested review from rdimitrov and samuv April 21, 2026 08:02
@JAORMX JAORMX merged commit 872e39c into main Apr 21, 2026
2 checks passed
@JAORMX JAORMX deleted the ci/grype-only-fixed branch April 21, 2026 08:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rdimitrov rdimitrov rdimitrov approved these changes

@samuv samuv Awaiting requested review from samuv

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JAORMX @rdimitrov