Releases: anchore/scan-action

v3.2.2

04 Apr 15:41
637a129

New in scan-action v3.2.2

  • Add sub-action to download Grype (#152)
  • Update Grype to 0.34.4 to fix a nil pointer in SARIF generation (#151)

v3.2.1

28 Mar 18:58
8f19134

New in scan-action v3.2.1

  • Remove SARIF processing (#148)

v3.2.0

22 Dec 17:59
0001ba0

New in scan-action v3.2.0

  • Update Grype to 0.27.3 (#136)
  • Output Grype stderr to action logs (#137)
  • Readme should point to CONTRIBUTING.md (#126)
  • Improve documentation (#125)

v3.1.0

30 Sep 20:45
70af480

New in scan-action v3.1.0

  • Update Grype to 0.22.0 - this includes the ability to ignore vulnerability matches (#121)
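
Grype's match-ignore rules live in a `.grype.yaml` configuration file that Grype reads from its working directory, which for this action is the checked-out repository root. The file below is an added example and is not part of the scan-action release notes or the Grype project's own documentation; the CVE identifier and package name are placeholders, not a real finding. The rule is deliberately scoped to both a vulnerability and a package so that an unrelated package hit by the same CVE is still reported:

```yaml
# .grype.yaml -- added example, not project code. Placeholder identifiers only.
ignore:
  # One rule per accepted finding. Keep the rule narrow: a bare
  # `vulnerability:` entry would silence the CVE for every package in the image.
  - vulnerability: CVE-0000-00000   # placeholder, not a real CVE identifier
    package:
      name: example-package         # placeholder package name
      version: 1.2.3                # pin to the exact version that was assessed
```

Record the justification and review date for each rule in the commit that adds it, and re-check the rule when the pinned version changes; an ignore rule without a version is an open-ended exception. Ignored matches are removed from the failure decision but are still recorded in Grype's JSON document, so the exception remains auditable.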

v3.0.0

02 Sep 20:35
ef95973

New in scan-action v3.0.0

  • Upgrade Grype to 0.17.0 and add tests (#102, #112, #118)
  • Improve SARIF output (#114, #115)
  • Change the default behavior so the action fails on medium (and higher) severities (#86)
  • Pass the action's verbosity setting through to the Grype invocation (#82)

v2.0.4

11 Feb 16:01

New in scan-action v2.0.4

  • Bump Grype to 0.7.0 (#81)

2.0.3

08 Jan 19:31

New in scan-action 2.0.3

  • Bump Grype to 0.6.1 (#79)
  • Halt execution when invalid options are provided (#76)
  • Bump Grype to 0.5.0 (#75)

Release v2.0.2

11 Nov 19:42

Minor bug-fix release:

Release v2.0.1

02 Nov 21:22

Minor bug-fix release.

Fixes:

  • Removes unnecessary constraint in deduplication for SARIF reporting
  • Allows defining and referencing the location of the SARIF report file
  • Fixes multiple instances where undefined items in the reporting would break scanning

Release v2.0.0

30 Sep 06:48
c2212d9

New major version of the scan action, based on Anchore's new Grype tool. Scanning is much faster than in v1.x, and the results add new capabilities and more metadata about each match.

  • Significantly faster performance for scans
  • New vulnerabilities output format is the JSON output from Grype directly
  • Adds support for scanning directories as well as Docker containers, so you can run the same checks pre- and post-build of the container.
  • Supports Automatic Code Scanning/SARIF for exposing results via your repository's Security tab.

This is a breaking change from v1.x, as indicated by the major version revision:

  1. Use the image input parameter instead of image-reference
  2. dockerfile-path is no longer supported; it is not needed for vulnerability scans
  3. custom-policy-path is no longer supported
  4. include-app-packages is no longer necessary or supported. Application packages are scanned by default and receive vulnerability matches.
  5. Outputs:
    1. billofmaterials is no longer output. v2 is focused on vulnerability scanning; another action may be introduced for BoM support with its own options/config.
    2. policycheck is no longer output
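
The following workflow is an added example, not code from the scan-action repository, showing the post-v2 interface described above on the v3 line: the `image` input in place of `image-reference`, a directory scan before the build and an image scan after it, the v3 default of failing the job on medium-and-higher severities, and the SARIF report uploaded to the repository's Security tab. Only the `image` input and the SARIF capability are confirmed by the notes on this page; the `path`, `fail-build`, `severity-cutoff` and `acs-report-enable` inputs, the `sarif` output, and the image tag are assumptions about the v3 interface that you should check against the action's README for the version you pin.

```yaml
# Added example workflow, not part of the scan-action project.
# Input names other than `image` (path, fail-build, severity-cutoff,
# acs-report-enable) and the `sarif` output are assumptions about the v3
# README, not facts stated in these release notes.
name: Container vulnerability scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # needed for upload-sarif to write to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Pre-build check: scan the source tree (lockfiles, vendored packages)
      # as a directory. Report-only here; the image scan below gates the build.
      - name: Scan source directory
        uses: anchore/scan-action@v3
        with:
          path: "."
          fail-build: false

      - name: Build image
        run: docker build -t localbuild/testimage:latest .   # tag is a placeholder

      # Post-build check over the built image. `image` replaces the v1
      # `image-reference` input. With the v3 defaults (fail-build: true,
      # severity-cutoff: medium) the job fails on any medium, high or
      # critical match; both are written out here so the gate is explicit.
      - name: Scan image
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: "localbuild/testimage:latest"
          fail-build: true
          severity-cutoff: medium
          acs-report-enable: true

      # Run even when the scan step failed the job, so the findings that
      # caused the failure land in the Security tab and not only in the log.
      - name: Upload SARIF report
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

Two operational notes. A floating tag such as `@v3` re-resolves on every run; for a scanner that decides whether your build passes, pin `anchore/scan-action` and `github/codeql-action/upload-sarif` to a full commit SHA and let a dependency bot propose updates. And the directory scan and the image scan can disagree: a package fixed in the lockfile but still present in the base image shows up only post-build, which is why the two checks are kept rather than either alone.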