[WIP] Replace trivy with grype

[priteau]

Assisted-By: Gemini 3 Flash

[gemini-code-assist]

Code Review

This pull request replaces Trivy with Grype and Syft for container image vulnerability scanning and SBOM generation. The changes include updating documentation, configuration files, and the scan-images.sh script to use the new tools and their respective output formats. Feedback focuses on improving the robustness of the shell script, specifically regarding YAML generation for Grype, handling edge cases in jq processing of scan results, and ensuring proper error handling when set -e is active.

[gemini-code-assist]

If both global_vulnerabilities and image_vulnerabilities are empty, the generated .grype.yaml will contain only ignore:. While valid YAML, some parsers might interpret this as a null value rather than an empty list, which could cause issues with Grype. It is safer to initialize it with an empty list ignore: [] or only create the file if there are vulnerabilities to ignore.

Suggested change

	echo "ignore:" > .grype.yaml
	echo "ignore: []" > .grype.yaml

[gemini-code-assist]

When multiple matches are grouped by vulnerability ID, they might correspond to different artifacts (packages). Using .[0].artifact.purl only captures the PURL of the first match in the group, potentially losing information about other affected packages. It is better to aggregate all unique PURLs in the group.

Suggested change

	.[0].artifact.purl,
	(map(.artifact.purl) | unique | join(";")),

[gemini-code-assist]

Similar to the PURL issue, different packages in the same vulnerability group might have different fixed versions. Additionally, if the fix object is null for a match, .[0].vulnerability.fix.versions will cause a jq error. Aggregating the versions and using the optional chaining operator ? is more robust.

Suggested change

	(.[0].vulnerability.fix.versions | join(";")),
	(map(.vulnerability.fix.versions[]?) | unique | join(";")),

[gemini-code-assist]

If vulnerability.severity is missing or null, ascii_upcase will throw a jq error. Providing a default value ensures the script continues to run even if the scan data is incomplete.

Suggested change

	(.[0].vulnerability.severity | ascii_upcase)
	(.[0].vulnerability.severity // "unknown" | ascii_upcase)

[gemini-code-assist]

Since set -e is active, if syft fails with a non-zero exit code, the script will terminate immediately. This prevents the custom error handling and log output starting at line 120 from being executed. Wrapping the command in an if statement or using || allows the script to catch the error and provide the intended diagnostic information.

Suggested change

	syft "$image" \
	-o spdx-json \
	> "$sbom" 2> "$sbom.log"
	if [ ! -s "$sbom" ]; then
	if ! syft "$image" -o spdx-json > "$sbom" 2> "$sbom.log" || [ ! -s "$sbom" ]; then
	(
	echo "ERROR: syft failed or didn't produce the sbom file $sbom for $image" 1>&2
	echo "==== syft log ===="
	cat "$sbom.log"
	) 1>&2
	exit 1
	else