Add comprehensive package scanning support for Habitat, native, and modern installers#26
Merged. brianLoomis merged 1 commit into main, Feb 26, 2026
…odern installers

- Implement Habitat package scanning with direct and transitive dependency support
- Add Grype and Trivy vulnerability scanning with caching and retry logic
- Support for Chef Infra Client, chef-ice, and other native/modern packages
- Add CINC package scanning support
- Implement download retry logic from Chef acceptance site
- Add package size tracking and metadata generation
- Support for HAB_AUTH_TOKEN for private channel access
- Add full_scan mode for complete product rescanning
- Include dpkg extraction support for tarballs
- Add version matching for stable and current releases

Signed-off-by: Peter Arsenault <parsenau@progress.com>

Force-pushed 00a5523 to b9aeeac
brianLoomis (Contributor) approved these changes on Feb 26, 2026 and left a comment:
make sure to test on a good sample of repos - chef-vault is a good Ruby one, habitat-sh/habitat is a good Rust one, chef360 APIs are in progress-platform-services org in GH. Hab plans are generally in https://github.com/habitat-sh/enterprise-packages/ or https://github.com/habitat-sh/foundational-packages (on the base-2025 branch)
Description
This PR adds comprehensive vulnerability scanning capabilities for Chef packages across multiple distribution formats. It extends the chef-download-grype-snapshot GitHub Action to support Habitat packages (both direct and transitive dependencies), native installers (RPM, DEB, MSI), and modern package managers (dpkg-extracted tarballs).
Key improvements include:
This enables comprehensive security scanning across the entire Chef product portfolio.
Related Issue
N/A - Feature enhancement for security scanning infrastructure
Checklist:
`Gemfile.lock` has changed, I have used `--conservative` to do it and included the full output in the Description above.
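The description above mentions scanning Habitat packages together with their direct and transitive dependencies, caching scan results, and retrying failed operations. The following is an added illustration of those three ideas, not code from this PR or from the chef-download-grype-snapshot action: it assumes each fully qualified Habitat ident (`origin/name/version/release`) maps to a list of direct dependencies, which in a real run would be read from the package's DEPS metadata; the `DEPS` table, idents and release timestamps are constructed sample data.

```python
import time
from collections import deque

# Constructed sample: direct dependencies per fully qualified Habitat ident.
# A real scanner would read these from each package's DEPS file (assumption).
DEPS = {
    "chef/chef-infra-client/19.0.1/20260101120000": [
        "core/ruby31/3.1.6/20250102030405",
        "core/openssl/3.0.15/20250102030405",
    ],
    "core/ruby31/3.1.6/20250102030405": [
        "core/glibc/2.36/20250102030405",
        "core/openssl/3.0.15/20250102030405",
    ],
    "core/openssl/3.0.15/20250102030405": ["core/glibc/2.36/20250102030405"],
    "core/glibc/2.36/20250102030405": [],
}

def parse_ident(ident):
    """Split 'origin/name/version/release' into its four parts; reject anything partial."""
    parts = ident.split("/")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a fully qualified Habitat ident: {ident!r}")
    return tuple(parts)

def transitive_deps(root, deps=DEPS):
    """Breadth-first walk over direct deps; returns every transitive dep except root."""
    parse_ident(root)
    seen, queue = set(), deque([root])
    while queue:
        for dep in deps.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    seen.discard(root)  # a cycle back to root must not schedule root twice
    return sorted(seen)

def scan_plan(root, cache, deps=DEPS):
    """Idents still to scan: root plus transitive deps whose ident is not cached.
    Caching by fully qualified ident means an unchanged shared dep is scanned once."""
    return [i for i in [root] + transitive_deps(root, deps) if i not in cache]

def with_retry(fn, attempts=3, sleep=time.sleep):
    """Call fn(); on failure back off 1s, 2s, ... and re-raise after the last attempt."""
    for n in range(attempts):
        try:
            return fn()
        except Exception:
            if n == attempts - 1:
                raise
            sleep(2 ** n)
```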