Merge remote-tracking branch 'upstream/main' into feat/cache-grype-db

anchore · Oct 4, 2024 · 875e690 · 875e690
2 parents efbc1f5 + a957c8d
commit 875e690
Show file tree

Hide file tree

Showing 9 changed files with 2,283 additions and 2,332 deletions.
diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
@@ -0,0 +1,50 @@
+name: Run build for dependabot PRs
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/[email protected]
+
+      - uses: actions/checkout@dbb049abf0d677abbd7f7eee0375145b417fdd34 #v4.2.0
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
+        with:
+          ref: ${{ github.head_ref }}
+
+      - name: Set up Node.js
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
+        with:
+          node-version-file: package.json
+
+      - name: Install dependencies
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
+        run: npm ci
+
+      - name: Run build
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
+        run: |
+          npm run build
+          npm run package
+
+      - name: Commit changes
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
+        id: commit
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1
+        with:
+          commit_message: "Update dist/ after build"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,11 +11,10 @@ jobs:
   build: # make sure build/ci work properly and there is no faked build ncc built scripts
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - run: node --version
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
-          node-version: 20
+          node-version-file: package.json
       - run: npm ci
       - run: npm run audit
       - run: npm run build
@@ -31,7 +30,7 @@ jobs:
         ports:
           - 5000:5000
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Build images
         run: |
           for distro in alpine centos debian; do
@@ -52,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           path: ./
 
@@ -86,7 +85,7 @@ jobs:
         output-format: [sarif, json, table]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - uses: ./
         id: scan
         with:

diff --git a/.github/workflows/update-grype-release.yml b/.github/workflows/update-grype-release.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/scan-action'
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Get latest Grype version
         id: latest-version
         env:
@@ -30,7 +30,7 @@ jobs:
         with:
           app_id: ${{ secrets.TOKEN_APP_ID }}
           private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
-      - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+      - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           signoff: true
           delete-branch: true

diff --git a/GrypeVersion.js b/GrypeVersion.js
@@ -1 +1 @@
-exports.GRYPE_VERSION = "v0.79.3";
+exports.GRYPE_VERSION = "v0.81.0";
diff --git a/README.md b/README.md
@@ -1,11 +1,12 @@
 # GitHub Action for Vulnerability Scanning
 
+**:zap: _Find threats in files or containers at lightning speed_ :zap:**
+
 [![Test Status][test-img]][test]
 [![GitHub release](https://img.shields.io/github/release/anchore/scan-action.svg)](https://github.com/anchore/scan-action/releases/latest)
-[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/anchore/scan-action/blob/main/LICENSE)
-[![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack)](https://anchore.com/slack)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/anchore/scan-action/blob/main/LICENSE)
+[![Join our Discourse](https://img.shields.io/badge/Discourse-Join-blue?logo=discourse)](https://anchore.com/discourse)
 
-:zap: _Find threats in files or containers at lightning speed_ :zap:
 
 This is a GitHub Action for invoking the [Grype](https://github.com/anchore/grype) scanner and returning the vulnerabilities found,
 and optionally fail if a vulnerability is found with a configurable severity level.
@@ -132,6 +133,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `add-cpes-if-none`  | Specify whether to autogenerate missing CPEs.                                                                                                                                                                                                                    | `false`       |
 | `by-cve`            | Specify whether to orient results by CVE rather than GHSA.                                                                                                                                                                                                       | `false`       |
 | `vex`               | Specify a list of VEX documents to consider when producing scanning results.                                                                                                                                                                                     | `false`       |
+| `grype-version`     | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js).                                                                                                                                                     |               |
 
 ### Action Outputs
 
@@ -234,7 +236,7 @@ For contributing, see [Contributing](CONTRIBUTING.md).
 
 For documentation on Grype itself, including other output capabilities, see the [grype project](https://github.com/anchore/grype)
 
-Connect with the community directly on [slack](https://anchore.com/slack).
+Connect with the community directly on [Discourse](https://anchore.com/discourse).
 
 [test]: https://github.com/anchore/scan-action
 [test-img]: https://github.com/anchore/scan-action/workflows/Tests/badge.svg