Skip to content

feat(security): support project vulnerability scanning and VEX statements#5029

Open
brandtkeller wants to merge 17 commits into
mainfrom
3842_vuln_workflow
Open

feat(security): support project vulnerability scanning and VEX statements#5029
brandtkeller wants to merge 17 commits into
mainfrom
3842_vuln_workflow

Conversation

@brandtkeller

@brandtkeller brandtkeller commented Jul 1, 2026

Copy link
Copy Markdown
Member

Description

Users have been (appropriately) approaching the project with scanner findings from Zarf. Many of these are occurrences of transitive indirect dependency vulnerabilities that do not affect Zarf itself and are not reachable. In order to reduce cognitive burden for both maintainers and users - we're creating policy and VEX statements to help provide releasable evidence to suppress scanner findings with context from the maintainers.

At the same time, monitoring the vulnerability surface has been adhoc and not automated.

This PR addresses this gap and adds automation to support earlier identification of findings and discoverable (and transient) adjudication information.

  1. This adds a nightly (or manually executed) workflow to scan for CVE's using both govulncheck and grype. govulncheck provides scanner findings directly to the project security dashboard and adds context we can then correlate to grype which publishes potentially non-reachable findings that users otherwise would want information about why they are not applicable. If there are high/critical findings the workflow will fail.

  2. We create a vex workflow (documented) that offers a point of adjudication and supression method for the aforementioned grype scanning above. Maintainers can author vex statements for non-applicable findings for which the next subsequent run of the scan will supress said findings.

  3. The VEX is packaged with the Init Package as a document file (any findings therein are directly applicable to both the Agent and CLI) as well as released as a release artifact for a given version.

  4. Make targets are provided for the workflows to use locally.

Related Issue

Fixes #3842

Checklist before merging

…ents

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
@brandtkeller brandtkeller self-assigned this Jul 1, 2026
@netlify

netlify Bot commented Jul 1, 2026

Copy link
Copy Markdown

Deploy Preview for zarf-docs ready!

Name Link
🔨 Latest commit f86dcb1
🔍 Latest deploy log https://app.netlify.com/projects/zarf-docs/deploys/6a502bdb97674100083f1226
😎 Deploy Preview https://deploy-preview-5029--zarf-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Comment thread go.mod
go.yaml.in/yaml/v3 v3.0.4 // indirect
go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect
go4.org v0.0.0-20230225012048-214862532bf5 // indirect
golang.org/x/telemetry v0.0.0-20260625142307-59b4966ccb57 // indirect

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: these dependency changes are a result of the tool directive below. It feels like a neat utility but I am not tied to this versus other installation methods.

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
@brandtkeller brandtkeller marked this pull request as ready for review July 1, 2026 23:14
@brandtkeller brandtkeller requested review from a team as code owners July 1, 2026 23:14

@AustinAbro321 AustinAbro321 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is cool to see. Some questions and comments

| 2 | `grype` on built binary | Indirect-dependency CVEs consumers face | Fails on **High or Critical** (un-suppressed) |

**Tier 1** surfaces vulnerabilities in code actually reached at runtime, with very few false
positives. It has no suppression mechanism; every finding must be addressed upstream.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"It has no suppression mechanism;"

What does suppression mean in this context? In this PR we are suppressing GHSA-fqw6-gf59-qr4w that seemingly has an equivalent for govulncheck. Does that fact that it's in the vex file mean that we're suppressing the govulncheck vulnerability as well?

Said another way, where should users look for a list of active Zarf CVEs? If this list exists will the equivalent govulncheck for GHSA-fqw6-gf59-qr4w be included or excluded from that list ?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

govulncheck findings are project contributor/maintainer facing and also have no suppression mechanism (to flag findings as ignored). Grype findings are the list that zarf users will typically be using and of which we can point them to running against our artifacts with VEX statements.

Grype is working on closing the gap between govuln and current scanning - so I expect to see more overlap with grype being the more wholistic story.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha, the "every finding must be addressed upstream" just made me feel like there is an action to take on every govulncheck finding even if the finding is not relevant.

Comment thread site/src/content/docs/contribute/vulnerability-management.mdx Outdated
When a CVE appears in an **indirect** dependency (marked `// indirect` in `go.mod` — present
only because a direct dependency requires it):

- **Do not** open a PR that bumps the indirect dependency solely to resolve the finding.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's rare, but I think there are cases where a critical should be updated directly. Using the replace directive will avoid any go.mod drift in that case.

I would also start this section with the evaluation bullet, then combine this point with the third point (prefer direct dependency upgrade, if deemed necessary patch with replace directive).

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

language could be more flexible for nuance

Comment thread zarf.yaml Outdated
@github-project-automation github-project-automation Bot moved this to In progress in Zarf Jul 6, 2026
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: In progress

Development

Successfully merging this pull request may close these issues.

Enhancing CVE Identification & Reporting Process

2 participants