Skip to content

Commit

Permalink
chore: optionally cache grype-db in actions cache (#348)
Browse files Browse the repository at this point in the history 
Signed-off-by: Keith Zantow <[email protected]>
  • Loading branch information
@kzantow
kzantow authored Oct 4, 2024
1 parent a957c8d commit 2a3918e
Show file tree
Hide file tree
Showing 21 changed files with 74,628 additions and 6,729 deletions.
4 changes: 4 additions & 0 deletions .gitattributes
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# force unix line endings for consistent ncc output
*.js text eol=lf
package.json text eol=lf
package-lock.json text eol=lf
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ jobs:
if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
with:
node-version: 16.x
node-version-file: package.json

- name: Install dependencies
if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
Expand Down
11 changes: 7 additions & 4 deletions .github/workflows/test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version-file: package.json
- run: npm ci
- run: npm run audit
- run: npm run build
- run: git status --porcelain
- run: git diff
- run: git diff --ws-error-highlight=all | cat -v
- run: git diff --exit-code

test:
Expand Down Expand Up @@ -53,22 +56,22 @@ jobs:
path: ./

- name: "Donwload Grype v0.54.0"
id: grype
uses: ./download-grype # anchore/scan-action/download-grype
with:
grype-version: v0.54.0

- name: "Check Grype version before scan-action"
run: grype version | egrep "^Version:.*0.54.0$"
run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"

- name: "Scan test image"
uses: ./
with:
image: "alpine:latest"
grype-version: v0.54.0 # set the same version to test that current Grype binary wasn't overwritten by the latest version
fail-build: false # to prevent fail due to vuln:s on test image

- name: "Check Grype version after scan-action"
run: grype version | egrep "^Version:.*0.54.0$"
run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"

test-all:
strategy:
Expand Down
8 changes: 5 additions & 3 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ Optionally, change the `fail-build` field to `false` to avoid failing the build
The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the source to scan; all the other keys are optional. These are all the available keys to configure this action, along with the defaults:

| Input Name | Description | Default Value |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
| `image` | The image to scan | N/A |
| `path` | The file path to scan | N/A |
| `sbom` | The SBOM to scan | N/A |
Expand All @@ -133,6 +133,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
| `add-cpes-if-none` | Specify whether to autogenerate missing CPEs. | `false` |
| `by-cve` | Specify whether to orient results by CVE rather than GHSA. | `false` |
| `vex` | Specify a list of VEX documents to consider when producing scanning results. | `false` |
| `cache-db` | Cache the Grype DB in GitHub action cache and restore before checking for updates | `false` |
| `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). | |

### Action Outputs
Expand Down Expand Up @@ -201,13 +202,14 @@ such as [ignoring certain matches](https://github.com/anchore/grype#specifying-m

## anchore/scan-action/download-grype

A sub-action to [download Grype](download-grype/action.yml).
A sub-action to [download Grype](download-grype/action.yml) and optionally cache the Grype DB.

Input parameters:

| Parameter | Description | Default |
| --------------- | ------------------------------------------------------------------------------------------------------------ | ------- |
|-----------------|--------------------------------------------------------------------------------------------------------------|---------|
| `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). | |
| `cache-db` | Cache the Grype DB in GitHub action cache and restore before checking for updates | `false` |

Output parameters:

Expand Down
3 changes: 3 additions & 0 deletions action.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@ inputs:
vex:
description: "Specify a list of VEX documents to consider when producing scanning results."
required: false
cache-db:
description: "Cache the Grype DB in GitHub action cache and restore before checking for updates"
required: false
outputs:
sarif:
description: "Path to a SARIF report file for the image"
Expand Down
Loading

0 comments on commit 2a3918e

Please sign in to comment.