change default behavior so action fails on medium (and higher) severities

.github/workflows/demo.yml

@@ -11,6 +11,7 @@ jobs:
       with:
         image: "alpine:latest"
         debug: true
+        fail-build: false
 
   test-directory:
     runs-on: ubuntu-latest
@@ -21,3 +22,4 @@ jobs:
         path: "tests/python"
         debug: true
         severity-cutoff: "negligible"
+        fail-build: false

.github/workflows/sarifdemo.yml

@@ -16,6 +16,7 @@ jobs:
         image: "debian:8"
         debug: true
         acs-report-enable: true
+        fail-build: false
         #severity-cutoff: "Medium"
 
     - name: Inspect Generated SARIF
@@ -41,6 +42,7 @@ jobs:
         path: "tests/python"
         debug: true
         acs-report-enable: true
+        fail-build: false
         #severity-cutoff: "Medium"
 
     - name: Inspect Generated SARIF

README.md

@@ -36,7 +36,7 @@ Supported packages and libraries:
 
 ## Container scanning
 
-The simplest workflow for scanning a `localbuild/testimage` container, that does not fail the build:
+The simplest workflow for scanning a `localbuild/testimage` container:
 
 ```yaml
  - name: Scan image
@@ -59,25 +59,27 @@ To scan a directory, add the following step:
 The `path` key allows any valid path for the current project. The root of the path (`"."` in this example) is the repository root.
 
 ## Failing a build on vulnerability severity
-To have the build step fail in cases where there are vulnerabilities with a specific severity level, then set the `fail-build` to `true`. By default, the severity level is `medium`, but this can be adjusted using the `severity-cutoff` field.
+By default, if any vulnerability at `medium` or higher is seen, the build fails. To have the build step fail in cases where there are vulnerabilities with a severity level different than the default, set the `severity-cutoff` field to one of `low`, `high`, or `critical`:
+
+With a different severity level:
 
 ```yaml
  - name: Scan image
    uses: anchore/scan-action@v2
    with:
      image: "localbuild/testimage:latest"
      fail-build: true
+     severity-cutoff: critical
 ```
 
-With a different severity level:
+Optionally, change the `fail-build` field to `false` to avoid failing the build regardless of severity:
 
 ```yaml
  - name: Scan image
    uses: anchore/scan-action@v2
    with:
      image: "localbuild/testimage:latest"
-     fail-build: true
-     severity-cutoff: critical
+     fail-build: false
 ```
 
 

action.yml

@@ -15,9 +15,9 @@ inputs:
     required: false
     default: 'false'
   fail-build:
-    description: 'Set to any value to cause build to fail upon failed anchore policy evaluation'
+    description: 'Set to false to avoid failing based on severity-cutoff. Default is to fail when severity-cutoff is reached (or surpassed)'
     required: false
-    default: 'false'
+    default: 'true'
   grype-version:
     description: 'Optionally, specify the Grype version (e.g. 0.1.0) to use instead of the default version'
     required: false

tests/functional/test_images.py

@@ -14,7 +14,8 @@ class TestSmoke:
     # basic validation
     def test_zero_exit_status(self, image_output):
         lines = image_output.split()
-        assert lines[-1] == '0'
+        fail_context = '\n'.join(image_output.split('\n')[-20:])
+        assert lines[-1] == '0', fail_context
 
     def test_found_vulnerabilities(self, image_output):
         assert "Failed minimum severity level. Found vulnerabilities with level medium or higher" in image_output

workflows/tests.yml

@@ -14,6 +14,7 @@ jobs:
       with:
         image: "python:3.8"
         debug: true
+        fail-build: false
 
   no-sources:
     runs-on: ubuntu-latest
@@ -25,6 +26,7 @@ jobs:
     - uses: ./
       with:
         debug: true
+        fail-build: false
 
   invalid-input:
     runs-on: ubuntu-latest
@@ -38,6 +40,7 @@ jobs:
         image: "python:3.8"
         path: "/some/path"
         debug: true
+        fail-build: false
 
 # XXX Port these to get verified with tests
 #  image-fail-build: