From 8ae9b888f09ecb2ee143d28989fa69ddafd3069b Mon Sep 17 00:00:00 2001
From: sandhi
Date: Thu, 26 Feb 2026 13:18:53 +0530
Subject: [PATCH 1/2] Fixes in grype

Signed-off-by: sandhi
---
 .github/workflows/ci-main-pull-request.yml | 38 ++++++++++++++++++----
 .github/workflows/grype.yml                | 13 ++++++--
 2 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 9669dac..57229e6 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -41,6 +41,21 @@ name: CI flow containing PR checks for main & release, v2
 on:
   workflow_call:
     inputs:
+      github-token:
+        description: 'GitHub token for private repo access (pass secrets.GH_TOKEN or secrets.GITHUB_TOKEN, auto-detected if not provided)'
+        required: false
+        type: string
+        default: ''
+      github-event-name:
+        description: 'GitHub event name (pass github.event_name from calling workflow for PR comment detection)'
+        required: false
+        type: string
+        default: ''
+      github-branch-name:
+        description: 'GitHub branch name (pass github.ref_name from calling workflow for branch-specific logic)'
+        required: false
+        type: string
+        default: ''
       application:
         # NEW IN 1.0.7
         description: 'Application set in repository custom properties, typically primaryApplication'
@@ -146,6 +161,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-image-skip-aws:
+        description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
+        required: false
+        type: boolean
+        default: false
       build:
         description: 'CI Build (language-specific)'
         required: false
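Review bot: `github-token` is declared as a plain `string` input whose description tells callers to pass `secrets.GH_TOKEN` through it, but reusable-workflow inputs are not treated as secrets: they can be printed with `toJSON(inputs)` or a debug step, and log masking only covers values registered as secrets for the job, so a caller that supplies a token via `with:` without also passing it as a secret gets no masking. The token is already reachable as `secrets.GH_TOKEN` in the fallback chain added later in this patch, so the cleaner option is to drop the input and declare the secret explicitly under `on.workflow_call.secrets:` as `GH_TOKEN:` with `required: false`, which callers satisfy with `secrets: inherit` or an explicit `secrets:` mapping. The `inputs:` mapping continues past this hunk.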
@@ -474,6 +494,7 @@ on:
 # type: string
 
 env:
+  GITHUB_TOKEN_TO_USE: ${{ inputs.github-token != '' && inputs.github-token || secrets.GH_TOKEN != '' && secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
   PRIMARY_APPLICATION: ${{ inputs.application }} # was 'default' # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
   REPO_VISIBILITY: ${{ github.event.repository.visibility }}
   REPO_NAME: ${{ github.event.repository.name }}
@@ -509,7 +530,7 @@ jobs:
           echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
         continue-on-error: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN_TO_USE }}
 
       - name: generate-filename-slug
         # description: Generate a simple slug based on repo and date for use in any output artifacts
@@ -713,7 +734,7 @@ jobs:
         if: inputs.language == 'go'
         env:
           GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
       - name: Go linting and security checks
         if: inputs.language == 'go'
         run: echo "Running Go linting and security checks"
@@ -884,12 +905,13 @@ jobs:
   run-grype-image:
     name: 'Grype Docker image scan'
     if: ${{ inputs.perform-grype-image-scan }}
-    uses: chef/common-github-actions/.github/workflows/grype.yml@main
+    uses: chef/common-github-actions/.github/workflows/grype.yml@sandhi/fixes-for-chef-org
     needs: checkout
     secrets: inherit
     with:
       fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
       fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
+      grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}
 
   # run-srcclr:
   # if: ${{ inputs.perform-srcclr-scan == true }}
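Review bot: The fallback chain in `GITHUB_TOKEN_TO_USE` prefers the stored `GH_TOKEN` (a PAT carrying whatever scopes it was created with) over the job's ephemeral, repository-scoped `GITHUB_TOKEN`, and the consumers switched later in this patch (the GA-build-profile step at `@@ -509`, the Polaris `github_token` at `@@ -1291`) previously used `secrets.GITHUB_TOKEN`; once `GH_TOKEN` is defined they run with the broader token even where repo-local access was enough. Least privilege suggests reserving `GITHUB_TOKEN_TO_USE` for the private-module `git config` steps and leaving the other consumers on `secrets.GITHUB_TOKEN`. Conversely, the last fallback cannot authenticate `git` against other private repositories, so when `GH_TOKEN` is absent the `insteadOf` rewrite configures a token that is only rejected later at fetch time; a guard step that emits `::error::` and exits non-zero when `inputs.go-private-modules` is set but `secrets.GH_TOKEN` is empty would make that failure explicit.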
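Review bot: `${{ env.GITHUB_TOKEN_TO_USE }}` is expanded by the expression engine into the command text before the shell runs, so the token becomes part of the rendered `run:` line and the caller-controlled `github-token` input is spliced into a shell command unescaped. Because `GITHUB_TOKEN_TO_USE` is a workflow-level `env` entry it is already exported to every step, so the shell can read it directly: `run: git config --global url."https://${GITHUB_TOKEN_TO_USE}@github.com/".insteadOf "https://github.com/"`. The same applies to the identical lines at `@@ -922` and `@@ -1194`.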
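Review bot: The `uses:` reference moves from `@main` to the personal branch `sandhi/fixes-for-chef-org`, which is fine while testing but must not land in the main PR-check workflow: the branch can be deleted or force-pushed at any time, and every repository calling this workflow would then break or silently pick up unreviewed changes. Before merge, point it back at `@main` or, better, at a release tag or full commit SHA so the reusable-workflow chain is immutable. The same change was made for `trufflehog.yml` at `@@ -800` in the second patch.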
@@ -922,7 +944,7 @@ jobs:
         if: inputs.language == 'go'
         env:
           GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
       - name: 'Go build'
         if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
         continue-on-error: true
@@ -1194,7 +1216,7 @@ jobs:
           fetch-depth: 0
 
       - name: Configure git for private
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install build tools for Erlang
         if: inputs.language == 'erlang'
@@ -1291,7 +1313,11 @@ jobs:
           # include_diagnostics: ${{ inputs.polaris-diagnostic }}
           # mark_build_status: ${{ inputs.polaris-mark-build-status != '' && inputs.polaris-mark-build-status || null }}
           # pr-comment-severities: "CRITICAL,HIGH"
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          polaris_prComment_enabled: ${{ inputs.github-event-name == 'pull_request' && 'true' || 'false' }}
+          polaris_branch_parent_name: ${{ inputs.github-event-name == 'pull_request' && 'main' || null }}
+          polaris_branch_name: ${{ inputs.github-event-name == 'pull_request' && inputs.github-branch-name || null }} # for pull requests, this will be the source branch; for pushes, this will be the branch being pushed to
+          polaris_prComment_severities: "CRITICAL,HIGH"
+          github_token: ${{ env.GITHUB_TOKEN_TO_USE }}
 
           # options from Jan's (FlowMon. GitLab)
           # polaris_prComment_enabled: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}
diff --git a/.github/workflows/grype.yml b/.github/workflows/grype.yml
index 97c5f23..f9d5931 100644
--- a/.github/workflows/grype.yml
+++ b/.github/workflows/grype.yml
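Review bot: `polaris_branch_parent_name` is fixed to `'main'` for every pull request, yet this workflow also serves release branches (per its `name:`), so a PR opened against a release branch is compared to the wrong parent. In a called workflow the `github` context belongs to the caller, so the target branch is available as `github.base_ref` and the event as `github.event_name` without new inputs; `polaris_branch_parent_name: ${{ github.event_name == 'pull_request' && github.base_ref || null }}` would also remove the failure mode where a caller omits `github-event-name`, whose `''` default silently turns PR comments off. The `with:` mapping starts outside this hunk; the `env` context is valid in a step's `with:` but not in the job-level `with:` of a reusable-workflow call, so confirm `github_token: ${{ env.GITHUB_TOKEN_TO_USE }}` sits on a step.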
@@ -17,6 +17,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-image-skip-aws:
+        description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   grype-scan:
@@ -42,6 +47,7 @@ jobs:
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
+        if: ${{ !inputs.grype-image-skip-aws }}
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -50,6 +56,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
+        if: ${{ !inputs.grype-image-skip-aws }}
         uses: aws-actions/amazon-ecr-login@v2
 
       - name: Scan with Grype
@@ -133,9 +140,9 @@ jobs:
           fi
 
           # Extract vulnerability counts by severity from multiple JSON documents
-          # Use jq -s to slurp all JSON objects and combine matches
-          CRITICAL_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "Critical")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
-          HIGH_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "High")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
+          # Use jq -s to slurp, deduplicate by CVE+package+version, then count
+          CRITICAL_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "Critical")] | unique_by(.vulnerability.id + .artifact.name + .artifact.version) | length' "$JSON_FILE" 2>/dev/null || echo "0")
+          HIGH_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "High")] | unique_by(.vulnerability.id + .artifact.name + .artifact.version) | length' "$JSON_FILE" 2>/dev/null || echo "0")
 
           echo ""
           echo "============================================"

From 36d9e75c8c91edd0212976ae659949c77f0c597a Mon Sep 17 00:00:00 2001
From: Vipin Yadav
Date: Mon, 2 Mar 2026 16:11:44 +0530
Subject: [PATCH 2/2] test
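Review bot: `if: ${{ !inputs.grype-image-skip-aws }}` skips the credential setup here and the ECR login at `@@ -50`, but nothing visible conditions the `Scan with Grype` step that follows, while the input's description promises to skip the image scan itself. If that step builds its image reference from `steps.login-ecr.outputs.*` or pulls from ECR, skipping the login leaves it with an empty registry or an unauthenticated pull rather than a skipped scan. Either the scan step needs a matching `if:` when the target is an ECR image, or the description should say that only the AWS login is skipped; the scan step lies outside these hunks, so this needs checking against it.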
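Review bot: The `unique_by` key concatenates `.vulnerability.id + .artifact.name + .artifact.version` with no separator, so distinct findings can collide (constructed example: name `foo` with version `1.2` and name `foo1` with version `.2` yield the same string) and be silently dropped from the count that gates the build. An array key cannot collide: `unique_by([.vulnerability.id, .artifact.name, .artifact.version])`, on both the `CRITICAL_COUNT` and `HIGH_COUNT` lines. The deduplication also spans every slurped document, so the same CVE on the same package in two scanned images now counts once; fine if totals are meant per run, but worth a word in the comment above. The retained `2>/dev/null || echo "0"` fallback turns a jq failure into zero findings, which lets the severity gate pass on malformed output, so consider failing the step instead. The surrounding `run:` script starts and ends outside the hunk.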
Signed-off-by: Vipin Yadav
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 .github/workflows/trufflehog.yml           | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 57229e6..91ef63d 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -800,7 +800,7 @@ jobs:
   run-trufflehog:
     name: 'Trufflehog scan'
     if: ${{ inputs.perform-trufflehog-scan }}
-    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
+    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@sandhi/fixes-for-chef-org
     needs: checkout
     with:
       fail-trufflehog-on-secrets-found: ${{ inputs.fail-trufflehog-on-secrets-found }}
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 520d3c1..8cff7ef 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -3,6 +3,8 @@ name: Trufflehog secret scan
 
 
 on:
+  push:
+  pull_request:
   workflow_call:
     inputs:
       fail-trufflehog-on-secrets-found:
@@ -22,7 +24,7 @@ jobs:
 
       - name: TruffleHog secret scan
         id: trufflehog-scan
-        uses: trufflesecurity/trufflehog@main
+        uses: prgs-community/githubactions-reusableworkflows/actions/trufflehog@latest
         with:
           path: ./
           extra_args: --only-verified
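Review bot: Bare `push:` and `pull_request:` triggers make this reusable workflow run standalone on every push to any branch or tag of the repository, and in those runs the `inputs` context is empty, so the `fail-trufflehog-on-secrets-found` input declared just below (and presumably read further down the file) evaluates to an empty value rather than a boolean. Given the commit subject `test`, this looks like a temporary trigger for exercising the branch; if a self-scan of this repository is actually wanted, scope it, e.g. `push:` with `branches: [main]`, and give any `inputs.*` reference a default that holds when the event is not `workflow_call`. The `on:` mapping continues past the hunk.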
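Review bot: `@latest` is not a special keyword for `uses:`, only a branch or tag literally named `latest` that must exist in `prgs-community/githubactions-reusableworkflows`; like the `@main` it replaces it is a mutable reference, so the wrapper action can change under every scan without review here, and if the ref does not exist the job fails at resolution. Pin it to a full commit SHA with the version in a trailing comment, `uses: prgs-community/githubactions-reusableworkflows/actions/trufflehog@<full-commit-sha>  # <version>`, and bump it deliberately. Also confirm the wrapper accepts the `path` and `extra_args` inputs carried over from the upstream `trufflesecurity/trufflehog` action.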