microsoft · WilliamBerryiii · Apr 1, 2026 · Mar 27, 2026 · Apr 1, 2026 · Apr 1, 2026
@@ -156,6 +156,8 @@ jobs:
       contents: read
       security-events: write
     uses: ./.github/workflows/security-scan.yml
+    with:
+      grype-soft-fail: true
 
   # YAML and container linting
   yaml-lint:

@@ -5,19 +5,28 @@
 # and vulnerabilities. Uploads SARIF reports to the GitHub Security tab.
 #
 # Parameters:
-# - soft-fail: When true, security violations are reported but do not fail the workflow (default: false)
+# - soft-fail: When true, all security violations are reported but do not fail the workflow (default: false)
+# - grype-soft-fail: When true, Grype vulnerability findings warn instead of fail while
+#   Gitleaks and Secretlint remain hard-fail. Use in PR validation where dependency-review-action
+#   provides delta-aware vulnerability checking. (default: false)
 #
 # Usage Examples:
 # ```yaml
 # # Basic usage:
 # security-scan:
 #   uses: ./.github/workflows/security-scan.yml
 #
-# # With soft-fail:
+# # With soft-fail (all scanners):
 # security-scan:
 #   uses: ./.github/workflows/security-scan.yml
 #   with:
 #     soft-fail: true
+#
+# # With grype-soft-fail (Grype warns, Gitleaks/Secretlint still fail):
+# security-scan:
+#   uses: ./.github/workflows/security-scan.yml
+#   with:
+#     grype-soft-fail: true
 # ```
 ---
 name: Security Scan
@@ -30,6 +39,11 @@ on:  # yamllint disable-line rule:truthy
         required: false
         type: boolean
         default: false
+      grype-soft-fail:
+        description: 'Whether Grype findings warn instead of fail (Gitleaks/Secretlint remain hard-fail)'
+        required: false
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -150,10 +164,24 @@ jobs:
         shell: bash
         env:
           SOFT_FAIL: ${{ inputs.soft-fail }}
+          GRYPE_SOFT_FAIL: ${{ inputs.grype-soft-fail }}
         run: |
-          if [ "$SOFT_FAIL" = "true" ]; then
-            echo "::warning::Security scan violations found (soft-fail enabled)"
-          else
-            echo "::error::Security scan violations found"
-            exit 1
+          HARD_FAILURE="false"
+          if [ "${GITLEAKS_FAILED:-}" = "true" ] || [ "${SECRETLINT_FAILED:-}" = "true" ]; then
+            HARD_FAILURE="true"
+          fi
+          if [ "${GRYPE_FAILED:-}" = "true" ]; then
+            if [ "$GRYPE_SOFT_FAIL" = "true" ]; then
+              echo "::warning::Grype vulnerabilities found (grype-soft-fail enabled, Gitleaks/Secretlint remain enforced)"
+            else
+              HARD_FAILURE="true"
+            fi
+          fi
+          if [ "$HARD_FAILURE" = "true" ]; then
+            if [ "$SOFT_FAIL" = "true" ]; then
+              echo "::warning::Security scan violations found (soft-fail enabled)"
+            else
+              echo "::error::Security scan violations found"
+              exit 1
+            fi
           fi
@@ -1,18 +1,2 @@
 ---
 fail-on-severity: high
-ignore:
-  # atty crate - LOW severity
-  # Justification: Crate is unmaintained but functional with no known exploits.
-  # The atty crate is used transitively and does not pose an active security risk.
-  # References: GHSA-g98v-hv3f-hcfr, RUSTSEC-2021-0145
-  - vulnerability: GHSA-g98v-hv3f-hcfr
-  - vulnerability: RUSTSEC-2021-0145
-
-  # aws-lc-sys 0.32.3 - HIGH severity (transitive Rust crate)
-  # Justification: Vulnerabilities in aws-lc-sys used transitively by the Rust
-  # HTTP connector broker. Update to 0.38.0 should be addressed in a separate
-  # dependency PR.
-  # References: GHSA-65p9-r9h6-22vj, GHSA-hfpc-8r3f-gw53, GHSA-vw5v-4f2q-w9xf
-  - vulnerability: GHSA-65p9-r9h6-22vj
-  - vulnerability: GHSA-hfpc-8r3f-gw53
-  - vulnerability: GHSA-vw5v-4f2q-w9xf