chef · sandhi18 · Feb 26, 2026 · Mar 2, 2026
@@ -41,6 +41,21 @@ name: CI flow containing PR checks for main & release, v2
 on:
   workflow_call:
     inputs:
+      github-token:
+        description: 'GitHub token for private repo access (pass secrets.GH_TOKEN or secrets.GITHUB_TOKEN, auto-detected if not provided)'
+        required: false
+        type: string
+        default: ''
+      github-event-name:
+        description: 'GitHub event name (pass github.event_name from calling workflow for PR comment detection)'
+        required: false
+        type: string
+        default: ''
+      github-branch-name:
+        description: 'GitHub branch name (pass github.ref_name from calling workflow for branch-specific logic)'
+        required: false
+        type: string
+        default: ''
       application:
         # NEW IN 1.0.7 
         description: 'Application set in repository custom properties, typically primaryApplication'
@@ -146,6 +161,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-image-skip-aws:
+        description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
+        required: false
+        type: boolean
+        default: false
       build:
         description: 'CI Build (language-specific)'
         required: false
@@ -474,6 +494,7 @@ on:
       #   type: string
 
 env:
+  GITHUB_TOKEN_TO_USE: ${{ inputs.github-token != '' && inputs.github-token || secrets.GH_TOKEN != '' && secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}
   PRIMARY_APPLICATION: ${{ inputs.application }} # was 'default'   # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
   REPO_VISIBILITY: ${{ github.event.repository.visibility }}
   REPO_NAME: ${{ github.event.repository.name }}
@@ -509,7 +530,7 @@ jobs:
           echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
         continue-on-error: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN_TO_USE }} 
 
       - name: generate-filename-slug
         # description: Generate a simple slug based on repo and date for use in any output artifacts
@@ -713,7 +734,7 @@ jobs:
         if: inputs.language == 'go'
         env:
           GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
       - name: Go linting and security checks  
         if: inputs.language == 'go'
         run: echo "Running Go linting and security checks"
@@ -779,7 +800,7 @@ jobs:
   run-trufflehog:
     name: 'Trufflehog scan'
     if: ${{ inputs.perform-trufflehog-scan }}
-    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
+    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@sandhi/fixes-for-chef-org
     needs: checkout
     with:
       fail-trufflehog-on-secrets-found: ${{ inputs.fail-trufflehog-on-secrets-found }}
@@ -884,12 +905,13 @@ jobs:
   run-grype-image:
     name: 'Grype Docker image scan'
     if: ${{ inputs.perform-grype-image-scan }}
-    uses: chef/common-github-actions/.github/workflows/grype.yml@main
+    uses: chef/common-github-actions/.github/workflows/grype.yml@sandhi/fixes-for-chef-org
     needs: checkout
     secrets: inherit
     with:
       fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
       fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
+      grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}
 
     # run-srcclr:
     #   if: ${{ inputs.perform-srcclr-scan == true }}
@@ -922,7 +944,7 @@ jobs:
         if: inputs.language == 'go'
         env:
           GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
       - name: 'Go build'
         if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
         continue-on-error: true
@@ -1194,7 +1216,7 @@ jobs:
           fetch-depth: 0
 
       - name: Configure git for private
-        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+        run: git config --global url."https://${{ env.GITHUB_TOKEN_TO_USE }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install build tools for Erlang
         if: inputs.language == 'erlang'
@@ -1291,7 +1313,11 @@ jobs:
           # include_diagnostics: ${{ inputs.polaris-diagnostic }}
           # mark_build_status: ${{ inputs.polaris-mark-build-status != '' && inputs.polaris-mark-build-status || null }}
           # pr-comment-severities: "CRITICAL,HIGH"
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          polaris_prComment_enabled: ${{ inputs.github-event-name == 'pull_request' && 'true' || 'false' }}
+          polaris_branch_parent_name: ${{ inputs.github-event-name == 'pull_request' && 'main' || null }}
+          polaris_branch_name: ${{ inputs.github-event-name == 'pull_request' && inputs.github-branch-name || null }} # for pull requests, this will be the source branch; for pushes, this will be the branch being pushed to
+          polaris_prComment_severities: "CRITICAL,HIGH"
+          github_token: ${{ env.GITHUB_TOKEN_TO_USE }}
 
           # options from Jan's (FlowMon. GitLab)
           #   polaris_prComment_enabled: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}

@@ -17,6 +17,11 @@ on:
         required: false
         type: boolean
         default: false
+      grype-image-skip-aws:
+        description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   grype-scan:
@@ -42,6 +47,7 @@ jobs:
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
+        if: ${{ !inputs.grype-image-skip-aws }}
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -50,6 +56,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
+        if: ${{ !inputs.grype-image-skip-aws }}
         uses: aws-actions/amazon-ecr-login@v2
 
       - name: Scan with Grype
@@ -133,9 +140,9 @@ jobs:
           fi
 
           # Extract vulnerability counts by severity from multiple JSON documents
-          # Use jq -s to slurp all JSON objects and combine matches
-          CRITICAL_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "Critical")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
-          HIGH_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "High")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
+          # Use jq -s to slurp, deduplicate by CVE+package+version, then count
+          CRITICAL_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "Critical")] | unique_by(.vulnerability.id + .artifact.name + .artifact.version) | length' "$JSON_FILE" 2>/dev/null || echo "0")
+          HIGH_COUNT=$(jq -s '[.[] | .matches[]? | select(.vulnerability.severity == "High")] | unique_by(.vulnerability.id + .artifact.name + .artifact.version) | length' "$JSON_FILE" 2>/dev/null || echo "0")
 
           echo ""
           echo "============================================"

@@ -3,6 +3,8 @@
 name: Trufflehog secret scan
 
 on:
+  push:
+  pull_request:
   workflow_call:
     inputs:
       fail-trufflehog-on-secrets-found:
@@ -22,7 +24,7 @@ jobs:
 
       - name: TruffleHog secret scan
         id: trufflehog-scan
-        uses: trufflesecurity/trufflehog@main
+        uses: prgs-community/githubactions-reusableworkflows/actions/trufflehog@latest
         with:
           path: ./
           extra_args: --only-verified