Security Scans
Drape ingests security scan results and tracks vulnerabilities across your repositories. It detects new and resolved CVEs, tracks severity breakdowns, and enforces SLA-based remediation timelines.
Supported Formats

| Format | Description |
|---|---|
| `sarif` | SARIF JSON (Grype, Trivy, Snyk, etc.) |
| `cyclonedx` | CycloneDX JSON (pip-audit, npm audit, etc.) |
How It Works
- Run a vulnerability scanner that outputs SARIF or CycloneDX
- Upload the results to Drape via the GitHub Action
- Drape tracks vulnerabilities, detects new/resolved CVEs, and posts PR comments
Image Scans

Scan container images for known vulnerabilities:

```yaml
- name: Run Grype scan
  uses: anchore/scan-action@v6
  with:
    image: my-app:latest
    output-format: sarif
    output-file: scan.sarif

- name: Upload scan results
  uses: drape-io/drape-action@v2
  if: always()
  continue-on-error: true
  with:
    command: scan
    file: scan.sarif
    format: sarif
    scan-name: my-app
    scan-tag: latest
    scan-type: image
    fail-on-vulnerabilities: true
    api-key: ${{ secrets.DRAPE_API_KEY }}
```
You can also use a glob pattern in `file` (for example `file: "test-results/scan*.sarif"`, as in the combined example below) to upload multiple scan files at once.
Dependency Scans

Scan your project's dependencies for known vulnerabilities. These scanners typically output CycloneDX:

```yaml
- name: Run pip-audit
  run: |
    pip-audit --format cyclonedx-json --output pip-audit.cdx.json || true

- name: Upload dependency scan
  uses: drape-io/drape-action@v2
  if: always()
  continue-on-error: true
  with:
    command: scan
    file: pip-audit.cdx.json
    format: cyclonedx
    scan-name: pip-audit
    scan-type: dependency
    fail-on-vulnerabilities: true
    api-key: ${{ secrets.DRAPE_API_KEY }}
```
Combining Image + Dependency Scans

For comprehensive security coverage, run both scan types in the same job. Each upload is tracked separately:

```yaml
# Image vulnerabilities (Grype on Docker image)
- uses: drape-io/drape-action@v2
  with:
    command: scan
    file: "test-results/scan*.sarif"
    format: sarif
    scan-name: my-app
    scan-tag: ci
    scan-type: image
    fail-on-vulnerabilities: true
    api-key: ${{ secrets.DRAPE_API_KEY }}

# Dependency vulnerabilities (pip-audit)
- uses: drape-io/drape-action@v2
  with:
    command: scan
    file: test-results/pip-audit.cdx.json
    format: cyclonedx
    scan-name: pip-audit
    scan-type: dependency
    fail-on-vulnerabilities: true
    api-key: ${{ secrets.DRAPE_API_KEY }}
```
Scan Types

| Type | Description |
|---|---|
| `image` | Container image scan (e.g., Grype, Trivy on a Docker image) |
| `dependency` | Dependency scan (e.g., pip-audit, npm audit, Snyk) |
Failing on Vulnerabilities

Set `fail-on-vulnerabilities: 'true'` to make the action exit non-zero when unsuppressed vulnerabilities are found. Control the threshold with `fail-on-severity`:

| Severity | Fails on |
|---|---|
| `critical` | Critical only |
| `high` | Critical + High |
| `medium` | Critical + High + Medium (default) |
| `low` | All severities |
| `any` | Any vulnerability |
PR Comments
The action posts a PR comment with:
- Severity breakdown table (Critical / High / Medium / Low)
- New vulnerabilities introduced in the PR
- Resolved vulnerabilities
- NVD links for each CVE
- SLA violation warnings
Suppression
Known vulnerabilities can be suppressed in the Drape UI — for example, if a CVE doesn't apply to your usage or a fix isn't available yet. Suppressed vulnerabilities don't trigger fail-on-vulnerabilities.
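The following script is an added example, not Drape's code or the drape-action implementation. It shows what the sections above describe, run locally against the two supported formats: it parses SARIF (rule-level `security-severity` CVSS scores, as Grype and Trivy emit them) and CycloneDX JSON (`vulnerabilities[].ratings[].severity`), builds the severity breakdown, applies the `fail-on-severity` threshold table together with a suppression list, and diffs two scans into new and resolved IDs. The CVSS-to-severity bands, the treatment of unrated findings (only `any` catches them), and the sample inputs are assumptions of this example; the CVE IDs are constructed placeholders.

```python
"""Local pre-check mirroring the page's scan semantics (added example, not Drape code).

Parses the two supported formats (SARIF and CycloneDX JSON), builds the severity
breakdown, applies a fail-on-severity threshold plus a suppression list, and
diffs two scans into new/resolved vulnerability IDs.
"""
import json
from collections import Counter

# fail-on-severity value -> severities that fail the check (the page's table).
# None means any vulnerability, rated or not.
THRESHOLDS = {
    "critical": {"critical"},
    "high": {"critical", "high"},
    "medium": {"critical", "high", "medium"},  # the documented default
    "low": {"critical", "high", "medium", "low"},
    "any": None,
}


def cvss_to_severity(score: float) -> str:
    """Bucket a CVSS base score. Assumption: GitHub code-scanning bands
    (>=9.0 critical, >=7.0 high, >=4.0 medium, else low), which is what the
    rule-level `security-severity` property in Grype/Trivy SARIF encodes."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_sarif(doc: dict) -> list:
    """Return (vulnerability id, severity) pairs from a SARIF 2.1.0 document."""
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown")
            score = rules.get(rule_id, {}).get("properties", {}).get("security-severity")
            severity = cvss_to_severity(float(score)) if score is not None else "unknown"
            findings.append((rule_id, severity))
    return findings


def parse_cyclonedx(doc: dict) -> list:
    """Return (vulnerability id, severity) pairs from a CycloneDX JSON BOM."""
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        ratings = vuln.get("ratings") or []
        severity = str(ratings[0].get("severity") or "unknown").lower() if ratings else "unknown"
        findings.append((vuln.get("id", "unknown"), severity))
    return findings


def load_findings(path: str, fmt: str) -> list:
    """Load a scan file in one of the page's two formats ('sarif' or 'cyclonedx')."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if fmt == "sarif":
        return parse_sarif(doc)
    if fmt == "cyclonedx":
        return parse_cyclonedx(doc)
    raise ValueError(f"unsupported format: {fmt}")


def evaluate(findings: list, fail_on_severity: str = "medium", suppressed=()) -> dict:
    """Severity breakdown plus pass/fail. Suppressed IDs still appear in the
    breakdown but never block, as the Suppression section describes."""
    if fail_on_severity not in THRESHOLDS:
        raise ValueError(f"unknown fail-on-severity: {fail_on_severity}")
    failing = THRESHOLDS[fail_on_severity]
    breakdown = Counter(sev for _, sev in findings)
    blocking = [vid for vid, sev in findings
                if vid not in suppressed and (failing is None or sev in failing)]
    return {"breakdown": dict(breakdown), "blocking": blocking, "fail": bool(blocking)}


def diff_scans(previous: list, current: list) -> dict:
    """New and resolved vulnerability IDs between two scans of the same target."""
    before, after = {vid for vid, _ in previous}, {vid for vid, _ in current}
    return {"new": sorted(after - before), "resolved": sorted(before - after)}


# Constructed sample inputs (not real scanner output), shaped like Grype SARIF
# and pip-audit CycloneDX; the CVE IDs are placeholders.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "grype", "rules": [
        {"id": "CVE-2099-0001-libfoo", "properties": {"security-severity": "9.8"}},
        {"id": "CVE-2099-0002-libbar", "properties": {"security-severity": "5.3"}},
        {"id": "CVE-2099-0003-libbaz", "properties": {"security-severity": "2.0"}}]}},
    "results": [
        {"ruleId": "CVE-2099-0001-libfoo", "level": "error", "message": {"text": "libfoo 1.0"}},
        {"ruleId": "CVE-2099-0002-libbar", "level": "warning", "message": {"text": "libbar 2.1"}},
        {"ruleId": "CVE-2099-0003-libbaz", "level": "note", "message": {"text": "libbaz 0.9"}}]}]}

SAMPLE_CYCLONEDX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
    {"id": "CVE-2099-1001", "ratings": [{"severity": "high"}]},
    {"id": "CVE-2099-1002", "ratings": [{"severity": "low"}]},
    {"id": "CVE-2099-1003"}]}  # unrated: only fail-on-severity "any" catches it

if __name__ == "__main__":
    image = parse_sarif(SAMPLE_SARIF)
    print(evaluate(image, "medium"))  # blocks on the critical and medium findings
    print(evaluate(image, "critical", suppressed={"CVE-2099-0001-libfoo"}))  # suppressed: passes
    print(diff_scans(image, image[1:] + [("CVE-2099-0004-libqux", "high")]))
    print(evaluate(parse_cyclonedx(SAMPLE_CYCLONEDX), "any"))
```

To run it against a real file, call `load_findings("scan.sarif", "sarif")` or `load_findings("pip-audit.cdx.json", "cyclonedx")` and pass the result to `evaluate` with the same `fail-on-severity` value you configure in the action; `blocking` is the list that would make the upload exit non-zero, and `breakdown` is the count per severity the PR comment table summarises.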