BUG - fail-build behavior takes on severity-cutoff unintentionally #378

@RLI-Rdeaton

Description

Consider the following action:

```yaml
  grype:
    needs: build
    runs-on: ubuntu-latest
    steps:
      -
        name: Scan image
        uses: anchore/[email protected]
        id: grypescan
        with:
          registry-username: ${{ vars.DOCKERHUB_USERNAME }}
          registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
          image: ${{ env.IMAGE_NAME }}
          fail-build: false
      -
        name: upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.grypescan.outputs.sarif }}
```

This action runs; however, it does not appear to respect the fact that I have set fail-build to false. Per discussion with @spiffcs this appears to be a few different bugs (https://anchorecommunity.discourse.group/t/seeing-a-real-weird-issue-with-github-actions-for-scan-action/156/2). Here's the output:

```text
Warning: Unexpected input(s) 'registry-username', 'registry-password', valid inputs are ['image', 'path', 'sbom', 'fail-build', 'output-format', 'severity-cutoff', 'only-fixed', 'add-cpes-if-none', 'by-cve', 'grype-version', 'vex']
Run anchore/[email protected]
  with:
    registry-username: modusmundi
    registry-password: ***
    image: modusmundi/testingscap:latest
    fail-build: false
    output-format: sarif
    severity-cutoff: medium
    only-fixed: false
    add-cpes-if-none: false
    by-cve: false
  env:
    REGISTRY: docker.io
    IMAGE_NAME: modusmundi/testingscap:latest
/usr/bin/sh /home/runner/work/_temp/30bc3b5b-920a-4713-8c7c-7286ced65a11 -d -b /home/runner/work/_temp/30bc3b5b-920a-4713-8c7c-7286ced65a11_grype v0.80.0
[info] checking github for release tag='v0.80.0' 
[debug] http_download(url=https://github.com/anchore/grype/releases/v0.80.0) 
[info] fetching release script for tag='v0.80.0' 
[debug] http_download(url=https://raw.githubusercontent.com/anchore/grype/v0.80.0/install.sh) 
[info] checking github for release tag='v0.80.0' 
[debug] http_download(url=https://github.com/anchore/grype/releases/v0.80.0) 
[info] using release tag='v0.80.0' version='0.80.0' os='linux' arch='amd64' 
[debug] downloading files into /tmp/tmp.8dFny5tNmB 
[debug] http_download(url=https://github.com/anchore/grype/releases/download/v0.80.0/grype_0.80.0_checksums.txt) 
[debug] http_download(url=https://github.com/anchore/grype/releases/download/v0.80.0/grype_0.80.0_linux_amd64.tar.gz) 
[info] installed /home/runner/work/_temp/30bc3b5b-920a-4713-8c7c-7286ced65a11_grype/grype 
grype output...
  Executing: grype -o sarif --fail-on medium modusmundi/testingscap:latest
  discovered vulnerabilities at or above the severity threshold
```

I'm reporting it so it does not get lost - what I would expect here is to be able to not fail a build and get a full outlay of current vulns in the build.
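To make the mismatch in the log concrete, here is an added illustration (not code from anchore/scan-action) that models how the action's inputs could map onto the grype command line: one builder reproduces the observed command, where `--fail-on` follows the default `severity-cutoff` of `medium` regardless of `fail-build`, and the other builds the command the reporter expects. The input names and the `medium` default are taken from the log above; the builder functions, `parseBool`, and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not the scan-action's own source. GitHub hands every action
// input to the runtime as a string, so "false" must be parsed explicitly;
// a truthiness check on the raw string would treat "false" as enabled.
const DEFAULT_SEVERITY_CUTOFF = "medium"; // default echoed in the log's "with:" block

function parseBool(value, name) {
  const v = String(value ?? "").trim().toLowerCase();
  if (v === "true") return true;
  if (v === "false" || v === "") return false;
  throw new TypeError(`input '${name}' must be 'true' or 'false', got '${value}'`);
}

// Observed behaviour (hypothetical model): --fail-on is derived from
// severity-cutoff alone, so fail-build has no effect and the default cutoff
// silently turns any medium-or-higher finding into a failed step.
function buildGrypeArgsObserved(inputs) {
  const cutoff = inputs["severity-cutoff"] || DEFAULT_SEVERITY_CUTOFF;
  return ["-o", inputs["output-format"] || "sarif", "--fail-on", cutoff, inputs.image];
}

// Expected behaviour: --fail-on is only added when fail-build is true.
// Without it grype still writes the full SARIF report and exits 0, so the
// upload-sarif step downstream receives every finding.
function buildGrypeArgsExpected(inputs) {
  const args = ["-o", inputs["output-format"] || "sarif"];
  if (parseBool(inputs["fail-build"], "fail-build")) {
    args.push("--fail-on", inputs["severity-cutoff"] || DEFAULT_SEVERITY_CUTOFF);
  }
  args.push(inputs.image);
  return args;
}

// Constructed inputs mirroring the workflow in the report (fail-build: false,
// severity-cutoff left at its default).
const reportInputs = {
  image: "modusmundi/testingscap:latest",
  "fail-build": "false",
  "output-format": "sarif",
};

console.log("observed:", buildGrypeArgsObserved(reportInputs).join(" "));
console.log("expected:", buildGrypeArgsExpected(reportInputs).join(" "));
```

Running it prints the `grype -o sarif --fail-on medium ...` line seen in the log for the observed model and a command without `--fail-on` for the expected one.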

Labels: bug (Something isn't working), good first issue (Good for newcomers)