grype version of sub action to download grype pinned to 0.63.1 #246

Open
uli-f opened this issue Nov 7, 2023 · 0 comments
uli-f commented Nov 7, 2023

I use the download grype subaction to download grype and then run it locally (i.e., on the github runner):

```yaml
# Download the grype binary onto the runner (version comes from the action's default pin
# unless grype-version is set)
- name: 💾 Install grype
  uses: anchore/scan-action/download-grype@v3
  id: grype_install

# Scan a previously generated SBOM with the downloaded binary and write a templated report
- name: 🕵️ Scan artifact with grype
  run: grype sbom:./build/reports/sbom.json --add-cpes-if-none --config ./grype.yaml --fail-on medium --only-fixed --output template --template grype.sbom.input.template > ./grype-output.txt
```

The downloaded grype version defaults to the pinned version in GrypeVersion.js. However, this points to a pretty old grype version, that is, 0.63.1.

My understanding is that I can specify the grype version myself in the download subaction. But then I also have to update it manually.

I'd very much appreciate a feature where the download subaction always downloads the latest grype release instead of either me (by specifying grype-version) or you guys (by specifying a grype version in GrypeVersion.js) manually taking care of this.

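As an added example (not the issue author's code and not part of anchore/scan-action), the pattern a practitioner usually wants instead of "always download the latest release": keep an explicit `grype-version` pin so scans are reproducible, make CI fail loudly when that pin has drifted behind the newest release so a human bumps it, and verify the downloaded archive against the release's checksum file before running it. The script assumes release tags look like `vX.Y.Z` (pre-releases carry a suffix such as `-rc1`), that releases ship a checksums file with `<sha256>  <filename>` lines, and uses constructed stand-ins for the GitHub releases API response and the archive so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the issue or from anchore/scan-action.
# Pin grype explicitly, flag a stale pin, and verify the archive checksum.
# Assumptions: tags look like vX.Y.Z; checksums file has "<sha256>  <filename>" lines.
set -eu

PINNED_GRYPE_VERSION="0.63.1"   # the version the issue reports GrypeVersion.js pins

# Read GitHub releases JSON on stdin and print the highest stable X.Y.Z tag.
# Pre-release tags (e.g. v0.74.0-rc1) are excluded because the regex requires the
# closing quote right after the digits. grep/sed are used so jq is not required.
latest_release_tag() {
  grep -o '"tag_name": *"v[0-9][0-9.]*"' \
    | sed 's/.*"v\([0-9.]*\)"/\1/' \
    | sort -t. -k1,1n -k2,2n -k3,3n \
    | tail -n 1
}

# Exit 0 when $1 is strictly older than $2 (numeric, dot-separated compare).
version_lt() {
  [ "$1" != "$2" ] || return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# Exit 1 (so the job fails loudly) when the pinned version trails the latest release.
# $1 = pinned version, stdin = releases JSON
check_pin() {
  latest=$(latest_release_tag)
  if version_lt "$1" "$latest"; then
    echo "grype pin $1 is behind latest release $latest; bump grype-version" >&2
    return 1
  fi
  echo "grype pin $1 is current (latest stable: $latest)"
}

# Hex sha256 of a file; falls back to shasum where sha256sum is absent (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a downloaded archive against the release's checksums file.
# $1 = checksums file, $2 = archive path
verify_checksum() {
  name=$(basename "$2")
  expected=$(awk -v f="$name" '$2 == f {print $1}' "$1")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256_of "$2")
  [ "$expected" = "$actual" ]
}

# Offline demonstration with constructed inputs (not a real API capture or release).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/releases.json" <<'EOF'
[
  {"tag_name": "v0.74.0-rc1", "prerelease": true},
  {"tag_name": "v0.73.5", "prerelease": false},
  {"tag_name": "v0.63.1", "prerelease": false}
]
EOF
  archive="$tmp/grype_0.73.5_linux_amd64.tar.gz"
  printf 'constructed stand-in, not a real archive\n' > "$archive"
  printf '%s  grype_0.73.5_linux_amd64.tar.gz\n' "$(sha256_of "$archive")" \
    > "$tmp/grype_0.73.5_checksums.txt"

  # The pin from the issue is behind the constructed latest release, so this reports drift.
  check_pin "$PINNED_GRYPE_VERSION" < "$tmp/releases.json" || echo "(the CI step would fail here)"
  verify_checksum "$tmp/grype_0.73.5_checksums.txt" "$archive" && echo "checksum ok for $(basename "$archive")"
  rm -rf "$tmp"
}

demo
```

In a real job the JSON would come from `curl -s https://api.github.com/repos/anchore/grype/releases | check_pin "$PINNED_GRYPE_VERSION"`, and the pinned value is the same one passed as `grype-version` to the download sub action. Resolving "latest" at run time instead would make each scan depend on whatever was published moments earlier and cannot be reproduced later; the drift check gives the freshness the issue asks for while keeping the pin that makes a scan repeatable.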