From f914fdfffc64db5faa97b45adc97b047512d3de4 Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Thu, 4 Mar 2021 11:54:22 -0500
Subject: [PATCH 1/5] change action default description for failing
Signed-off-by: Alfredo Deza
---
 action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/action.yml b/action.yml
index 44cd204d..925a6253 100644
--- a/action.yml
+++ b/action.yml
@@ -15,9 +15,9 @@ inputs:
 required: false
 default: 'false'
 fail-build:
- description: 'Set to any value to cause build to fail upon failed anchore policy evaluation'
+ description: 'Set to false to avoid failing based on severity-cutoff. Default is to fail when severity-cutoff is reached (or surpassed)'
 required: false
- default: 'false'
+ default: 'true'
 grype-version:
 description: 'Optionally, specify the Grype version (e.g. 0.1.0) to use instead of the default version'
 required: false
From e09206187202c077fa53bfd661e359d7d3019925 Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Thu, 4 Mar 2021 12:00:54 -0500
Subject: [PATCH 2/5] readme: update failures and severity
Signed-off-by: Alfredo Deza
---
 README.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index ff6a8f07..9d8e4f28 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ Supported packages and libraries:
 ## Container scanning
-The simplest workflow for scanning a `localbuild/testimage` container, that does not fail the build:
+The simplest workflow for scanning a `localbuild/testimage` container:
 ```yaml
 - name: Scan image
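Review bot: The new description promises that `false` turns failing off, but the text it replaces said any value caused a failure, which reads as if whatever consumes the `fail-build` input checked for presence rather than comparing against the literal string `'false'`; that consumer is not in this series, so the `fail-build: false` lines added in patches 3 and 4 only have an effect if it does the string comparison, which is worth confirming before merging. Since action inputs always arrive as strings, the description should say which spellings are honoured, e.g. `description: 'Set to "false" to skip failing the build. Any other value (default "true") fails the build when a vulnerability at or above severity-cutoff is found'`. Flipping the default also changes the outcome for every existing workflow that omitted the input; fail-closed is the right direction, but it should be called out as a behaviour change with `fail-build: false` named as the way to keep the old result.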
@@ -59,7 +59,9 @@ To scan a directory, add the following step:
 The `path` key allows any valid path for the current project. The root of the path (`"."` in this example) is the repository root.
 ## Failing a build on vulnerability severity
-To have the build step fail in cases where there are vulnerabilities with a specific severity level, then set the `fail-build` to `true`. By default, the severity level is `medium`, but this can be adjusted using the `severity-cutoff` field.
+By default, if any vulnerability at `medium` or higher is seen, the build fails. To have the build step fail in cases where there are vulnerabilities with a severity level different than the default, set the `severity-cutoff` field to one of `low`, `high`, or `critical`:
+
+With a different severity level:
 ```yaml
 - name: Scan image
@@ -67,17 +69,17 @@ To have the build step fail in cases where there are vulnerabilities with a spec
 with:
 image: "localbuild/testimage:latest"
 fail-build: true
+ severity-cutoff: critical
 ```
-With a different severity level:
+Optionally, change the `fail-build` field to `false` to avoid failing the build regardless of severity:
 ```yaml
 - name: Scan image
 uses: anchore/scan-action@v2
 with:
 image: "localbuild/testimage:latest"
- fail-build: true
- severity-cutoff: critical
+ fail-build: false
 ```
From a46c3644736d598539b9441bf237e25aa1826857 Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Thu, 4 Mar 2021 12:38:21 -0500
Subject: [PATCH 3/5] tests: set fail-build to true because of change in default behavior
Signed-off-by: Alfredo Deza
---
 workflows/tests.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/workflows/tests.yml b/workflows/tests.yml
index 1abe9779..83249d07 100644
--- a/workflows/tests.yml
+++ b/workflows/tests.yml
@@ -14,6 +14,7 @@ jobs:
 with:
 image: "python:3.8"
 debug: true
+ fail-build: false
 no-sources:
 runs-on: ubuntu-latest
@@ -25,6 +26,7 @@ jobs:
 - uses: ./
 with:
 debug: true
+ fail-build: false
 invalid-input:
 runs-on: ubuntu-latest
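Review bot: With `fail-build: false` added to this job, to `no-sources` in the next hunk and to the job with both `image` and `path` in the hunk that continues on the next line, no CI job exercises the fail-closed default that patch 1 introduces, and the pre-existing `# XXX Port these to get verified with tests` / `# image-fail-build:` comment in that third hunk shows the failing path was already unverified. A job that keeps the default and checks the step outcome would close the gap; `python:3.8` is the image the functional test expects to report medium-or-higher findings, so it is a suitable input. The commit subject says `set fail-build to true` while every added line sets it to `false`; the subject should match the change. The sketch below relies on `continue-on-error` and `steps.<id>.outcome`, both standard GitHub Actions features.
```yaml
  default-fail-build:
    runs-on: ubuntu-latest
    steps:
      # … the same steps that precede `- uses: ./` in the other jobs …
      - uses: ./
        id: scan
        continue-on-error: true
        with:
          image: "python:3.8"
          debug: true
      - name: Expect the scan step to fail under the default fail-build
        if: steps.scan.outcome != 'failure'
        run: exit 1
```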
@@ -38,6 +40,7 @@ jobs:
 image: "python:3.8"
 path: "/some/path"
 debug: true
+ fail-build: false
 # XXX Port these to get verified with tests
 # image-fail-build:
From 3093eea288b091f02d6e2a4274b6ebea49d617cd Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Thu, 4 Mar 2021 13:59:46 -0500
Subject: [PATCH 4/5] github: do not fail the build
Signed-off-by: Alfredo Deza
---
 .github/workflows/demo.yml | 2 ++
 .github/workflows/sarifdemo.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml
index 6a9b5fec..5414e14e 100644
--- a/.github/workflows/demo.yml
+++ b/.github/workflows/demo.yml
@@ -11,6 +11,7 @@ jobs:
 with:
 image: "alpine:latest"
 debug: true
+ fail-build: false
 test-directory:
 runs-on: ubuntu-latest
@@ -21,3 +22,4 @@ jobs:
 path: "tests/python"
 debug: true
 severity-cutoff: "negligible"
+ fail-build: false
diff --git a/.github/workflows/sarifdemo.yml b/.github/workflows/sarifdemo.yml
index 743fa879..9947e178 100644
--- a/.github/workflows/sarifdemo.yml
+++ b/.github/workflows/sarifdemo.yml
@@ -16,6 +16,7 @@ jobs:
 image: "debian:8"
 debug: true
 acs-report-enable: true
+ fail-build: false
 #severity-cutoff: "Medium"
 - name: Inspect Generated SARIF
@@ -41,6 +42,7 @@ jobs:
 path: "tests/python"
 debug: true
 acs-report-enable: true
+ fail-build: false
 #severity-cutoff: "Medium"
 - name: Inspect Generated SARIF
From 099f8104204fee61d5b34f4f83c6c62c2eeb93b2 Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Thu, 4 Mar 2021 16:13:41 -0500
Subject: [PATCH 5/5] tests: add context to failures
Signed-off-by: Alfredo Deza
---
 tests/functional/test_images.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/functional/test_images.py b/tests/functional/test_images.py
index 8179e8e2..64af53e6 100644
--- a/tests/functional/test_images.py
+++ b/tests/functional/test_images.py
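Review bot: In the `test-directory` job of demo.yml the added `fail-build: false` sits directly under `severity-cutoff: "negligible"`, which leaves the cutoff with no effect on the job's outcome, so the demo no longer shows what the cutoff does; if the intent is only to keep the demo green, a comment such as `# demo only: the action now fails the build by default; keep this job green` would stop readers copying the opt-out as the recommended setting. The same applies to the first demo.yml hunk and to both sarifdemo.yml hunks, where the opt-out is actually needed so that the following `Inspect Generated SARIF` step runs; a comment like `# keep the job running so the SARIF steps below execute` makes that dependency explicit. Separately, `negligible` here is not among the values the README hunk in patch 2 lists (`low`, `high`, `critical`); one of the two should be reconciled against what the action accepts, which this series does not show.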
@@ -14,7 +14,8 @@ class TestSmoke:
 # basic validation
 def test_zero_exit_status(self, image_output):
 lines = image_output.split()
- assert lines[-1] == '0'
+ fail_context = '\n'.join(image_output.split('\n')[-20:])
+ assert lines[-1] == '0', fail_context
 def test_found_vulnerabilities(self, image_output):
 assert "Failed minimum severity level. Found vulnerabilities with level medium or higher" in image_output
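Review bot: `fail_context` is computed before the assertion, but an empty or whitespace-only `image_output` still raises IndexError at `lines[-1]` on the next line, so the new context never appears in the case where it would help most; add `assert lines, 'action produced no output'` ahead of it, or write the check as `assert lines[-1:] == ['0'], fail_context`. Taking the last whitespace-separated token as the exit status depends on the fixture printing the status last; a comment on `lines = image_output.split()` such as `# image_output ends with the action's exit status — confirm against the fixture` would make the test self-explanatory, hedged because the fixture is not in this hunk. `image_output.splitlines()[-20:]` would also cope with `\r\n` output, a minor style point. `TestSmoke` begins outside the hunk.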