Upgrade to grype 0.16.0 and add tests #102

.github/workflows/test.yml

@@ -5,14 +5,47 @@ on: [push, pull_request]
 jobs:
   test:
     runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     steps:
-    - uses: actions/checkout@v2
-    - run: npm ci
-    - run: npm audit --production
-    - run: npm test -- --testPathIgnorePatterns action.test.js
+      - uses: actions/checkout@v2
+      - run: echo $(uname -a)
+      - name: Check for npm (so make test works)
+        run: |
+          if ! [ -x "$(command -v npm)" ]; then
+            sudo apt update
+            sudo apt -y upgrade
+            sudo apt update
+            sudo apt -y install curl dirmngr apt-transport-https lsb-release ca-certificates
+            curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
+            sudo apt -y install nodejs
+            sudo apt -y  install gcc g++ make
+          fi
+      - name: Build images
+        run: |
+          for distro in alpine centos debian; do
+            docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage
+            docker push localhost:5000/match-coverage/$distro:latest
+          done
+      - name: Inspect
+        run: |
+          docker images -a
+          for distro in alpine centos debian; do
+            docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest
+          done
+      - run: npm ci
+      - run: npm audit --production
+      - run: npm test
 
   functional:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - run: make check
+      - uses: actions/checkout@v2
+      - run: make check
+      - uses: actions/upload-artifact@v2
+        with:
+          name: functional-test-output
+          path: tests/functional/output/*

.gitignore

@@ -108,8 +108,13 @@ typings/
 
 # IDE files/dirs
 .vscode
+.idea
 
 # Exclude python test artifacts
 /act
 /venv/*
 /tests/functional/__pycache__/*
+
+# Action temporary files
+results.sarif
+vulnerabilities.json

Makefile

@@ -47,6 +47,22 @@ bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./
 	# prep temp dirs
 	mkdir -p tests/functional/output
 
+.PHONY: run-docker-registry
+run-docker-registry: bootstrap
+	# start a local registry
+	docker run -d -p 5000:5000 --name registry registry:2 | echo
+
+.PHONY: test
+test: run-docker-registry bootstrap
+	npm run build
+	./act -v -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:js-latest -j test
+
+.PHONY: wipe-docker
+wipe-docker:
+	docker kill $(shell docker ps -a -q) | echo
+	docker image prune -af
+	docker container prune -f
+	docker volume prune -f
 
 %: ## do a local build
 	scripts/local.sh "$*"

README.md

@@ -1,6 +1,7 @@
 [![Test Status][test-img]][test]
 
 # GitHub Action for vulnerability Scanning
+
 :zap: _Find threats in files or containers at lightning speed_ :zap:
 
 This is a GitHub Action for invoking the [grype](https://github.com/anchore/grype) scanner and returning the vulnerabilities found,
@@ -10,29 +11,29 @@ Use this in your workflows to quickly verify files or containers' content after
 
 The action invokes the `grype` command-line tool, with these benefits:
 
-* Runs locally, without sending data outbound - no credentials required!
-* Speedy scan operations
-* Scans both paths and container images
-* Easy failure evaluation depending on vulnerability severity
+- Runs locally, without sending data outbound - no credentials required!
+- Speedy scan operations
+- Scans both paths and container images
+- Easy failure evaluation depending on vulnerability severity
 
 The example workflows have lots of usage examples for scanning both containers and directories.
 
 By default, a scan will produce very detailed output on system packages like an RPM or DEB, but also language-based packages. These are some of the supported packages and libraries:
 
 Supported Linux Distributions:
 
-* Alpine
-* BusyBox
-* CentOS and RedHat
-* Debian and Debian-based distros like Ubuntu
+- Alpine
+- BusyBox
+- CentOS and RedHat
+- Debian and Debian-based distros like Ubuntu
 
 Supported packages and libraries:
 
-* Ruby Bundles
-* Python Wheel, Egg, `requirements.txt`
-* JavaScript NPM/Yarn
-* Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
-* Go modules
+- Ruby Bundles
+- Python Wheel, Egg, `requirements.txt`
+- JavaScript NPM/Yarn
+- Java JAR/EAR/WAR, Jenkins plugins JPI/HPI
+- Go modules
 
 ## Container scanning
 
@@ -60,63 +61,62 @@ The simplest workflow for scanning a `localbuild/testimage` container:
 To scan a directory, add the following step:
 
 ```yaml
- - name: Scan current project
-   uses: anchore/scan-action@v2
-   with:
-     path: "."
+- name: Scan current project
+  uses: anchore/scan-action@v2
+  with:
+    path: "."
 ```
 
 The `path` key allows any valid path for the current project. The root of the path (`"."` in this example) is the repository root.
 
 ## Failing a build on vulnerability severity
+
 By default, if any vulnerability at `medium` or higher is seen, the build fails. To have the build step fail in cases where there are vulnerabilities with a severity level different than the default, set the `severity-cutoff` field to one of `low`, `high`, or `critical`:
 
 With a different severity level:
 
 ```yaml
- - name: Scan image
-   uses: anchore/scan-action@v2
-   with:
-     image: "localbuild/testimage:latest"
-     fail-build: true
-     severity-cutoff: critical
+- name: Scan image
+  uses: anchore/scan-action@v2
+  with:
+    image: "localbuild/testimage:latest"
+    fail-build: true
+    severity-cutoff: critical
 ```
 
 Optionally, change the `fail-build` field to `false` to avoid failing the build regardless of severity:
 
 ```yaml
- - name: Scan image
-   uses: anchore/scan-action@v2
-   with:
-     image: "localbuild/testimage:latest"
-     fail-build: false
+- name: Scan image
+  uses: anchore/scan-action@v2
+  with:
+    image: "localbuild/testimage:latest"
+    fail-build: false
 ```
 
-
 ### Action Inputs
 
 The only required key is `image`; all the other keys are optional. These are all the available keys to configure this action, along with its defaults:
 
-| Input Name | Description | Default Value |
-|-----------------|-------------|---------------|
-| `image` | The image to scan | N/A |
-| `debug` | Verbose logging output | `false` |
-| `fail-build` | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `"medium"` and can be set with `severity-cutoff`.  | `false` |
-| `grype-version` | An optional parameter to specify a specific version of `grype` to use for the scan. Default is the version locked to the scan-action release | `0.1.0` |
-| `acs-report-enable` | Optionally, enable the feature that causes a result.sarif report to be generated after successful action execution.  This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report. | `false` |
-| `severity-cutoff` | With ACS reporting enabled, optionally specify the minimum vulnerability severity to trigger an "error" level ACS result.  Valid choices are "negligible", "low", "medium", "high" and "critical".  Any vulnerability with a severity less than this value will lead to a "warning" result.  Default is "medium". | `"medium"` |
+| Input Name          | Description                                                                                                                                                                                                                                                                                                    | Default Value |
+| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
+| `image`             | The image to scan                                                                                                                                                                                                                                                                                              | N/A           |
+| `debug`             | Verbose logging output                                                                                                                                                                                                                                                                                         | `false`       |
+| `fail-build`        | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `"medium"` and can be set with `severity-cutoff`.                                                                                                                                                                 | `false`       |
+| `grype-version`     | An optional parameter to specify a specific version of `grype` to use for the scan. Default is the version locked to the scan-action release                                                                                                                                                                   | `0.16.0`      |
+| `acs-report-enable` | Optionally, enable the feature that causes a result.sarif report to be generated after successful action execution. This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report.                                                | `false`       |
+| `severity-cutoff`   | With ACS reporting enabled, optionally specify the minimum vulnerability severity to trigger an "error" level ACS result. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `"medium"`    |
 
 ### Action Outputs
 
-| Output Name | Description | Type |
-|-----------------|-------------|----------|
+| Output Name     | Description                                                         | Type   |
+| --------------- | ------------------------------------------------------------------- | ------ |
 | vulnerabilities | Path to a JSON file with the list of vulnerabilities found in image | string |
-| sarif | Path to a SARIF report file | string |
+| sarif           | Path to a SARIF report file                                         | string |
 
 As a result of the action, you'll get a JSON file in the `anchore-reports` directory in the workspace:
 
-* `vulnerabilities.json` - Vulnerabilities found in the image
-
+- `vulnerabilities.json` - Vulnerabilities found in the image
 
 ### Example Workflows
 
@@ -129,15 +129,15 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Build the container image
-      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
-    - uses: anchore/scan-action@v2
-      with:
-        image: "localbuild/testimage:latest"
-        fail-build: true
-    - name: grype scan JSON results
-      run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done
+      - uses: actions/checkout@v2
+      - name: Build the container image
+        run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+      - uses: anchore/scan-action@v2
+        with:
+          image: "localbuild/testimage:latest"
+          fail-build: true
+      - name: grype scan JSON results
+        run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done
 ```
 
 Same example as above, but with Automated Code Scanning (ACS) feature enabled - with this example, the action will generate a SARIF report, which can be uploaded and then displayed as a Code Scanning Report in the GitHub UI.
@@ -151,25 +151,25 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Build the Container image
-      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
-    - uses: anchore/scan-action@v2
-      id: scan
-      with:
-        image: "localbuild/testimage:latest"
-        acs-report-enable: true
-    - name: upload Anchore scan SARIF report
-      uses: github/codeql-action/upload-sarif@v1
-      with:
-        sarif_file: ${{ steps.scan.outputs.sarif }}
+      - uses: actions/checkout@v2
+      - name: Build the Container image
+        run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+      - uses: anchore/scan-action@v2
+        id: scan
+        with:
+          image: "localbuild/testimage:latest"
+          acs-report-enable: true
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
 ```
 
 Optionally, you can add a step to inspect the SARIF report produced:
 
 ```yaml
-    - name: Inspect action SARIF report
-      run: cat ${{ steps.scan.outputs.sarif }}
+- name: Inspect action SARIF report
+  run: cat ${{ steps.scan.outputs.sarif }}
 ```
 
 ## Contributing
@@ -178,15 +178,14 @@ We love contributions, feedback, and bug reports. For issues with the invocation
 
 For contributing, see [Contributing](CONTRIBUTING.rst).
 
-
 ## More Information
+
 For documentation on Grype itself, including other output capabilities, see the [grype project](https://github.com/anchore/grype)
 
 Connect with the community directly on [slack](https://anchore.com/slack). These channels from Anchore's toolbox project are ideal for engaging development of help-related discussions:
 
-* toolbox-dev
-* toolbox-help
-
+- toolbox-dev
+- toolbox-help
 
 [test]: https://github.com/anchore/scan-action
 [test-img]: https://github.com/anchore/scan-action/workflows/Tests/badge.svg