
Commit 2a3918e

chore: optionally cache grype-db in actions cache (#348)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
1 parent a957c8d commit 2a3918e

21 files changed

Lines changed: 74628 additions & 6729 deletions

.gitattributes

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
# force unix line endings for consistent ncc output
2+
*.js text eol=lf
3+
package.json text eol=lf
4+
package-lock.json text eol=lf
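Review bot: The new `eol=lf` attributes only take effect for files that are renormalized; anything already committed with CRLF stays CRLF until someone runs `git add --renormalize .` and commits the result. Since the stated goal is consistent ncc output, and test.yml gates on `git diff --exit-code` after the build, do that renormalization in this commit (or confirm the tracked `*.js`, `package.json` and `package-lock.json` files are already LF) so the first CI run after merge does not fail on a line-ending-only diff.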

.github/workflows/dependabot-build.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ jobs:
3030
if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
3131
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
3232
with:
33-
node-version: 16.x
33+
node-version-file: package.json
3434

3535
- name: Install dependencies
3636
if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
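Review bot: `node-version-file: package.json` makes setup-node read the Node version from package.json's `engines.node` (or `volta.node`) field, and the package.json change is not part of this excerpt. Please confirm that field exists and pins the version the bundle is built with; otherwise this workflow silently loses the explicit `16.x` pin it had before rather than failing loudly. Keeping the action pinned by commit SHA with the `#v4.0.4` comment is the right pattern; keep doing that for the new setup-node uses as well.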

.github/workflows/test.yml

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,11 +12,14 @@ jobs:
1212
runs-on: ubuntu-latest
1313
steps:
1414
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
15+
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
16+
with:
17+
node-version-file: package.json
1518
- run: npm ci
1619
- run: npm run audit
1720
- run: npm run build
1821
- run: git status --porcelain
19-
- run: git diff
22+
- run: git diff --ws-error-highlight=all | cat -v
2023
- run: git diff --exit-code
2124

2225
test:
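Review bot: `git diff --exit-code` only reports changes to tracked files, so a build that emits a new, untracked file into the committed output would still pass this step; `git status --porcelain` on the line above lists it but does not fail the job. Consider `git add -A && git diff --cached --exit-code`, or fail when `git status --porcelain` prints anything, so new artifacts are caught too. The `git diff --ws-error-highlight=all | cat -v` step is fine as a diagnostic: the pipe hides git's exit status, but the following `--exit-code` step is the one that gates, and `cat -v` makes the CRLF/whitespace noise that the .gitattributes change targets visible in the log.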
@@ -53,22 +56,22 @@ jobs:
5356
path: ./
5457

5558
- name: "Donwload Grype v0.54.0"
59+
id: grype
5660
uses: ./download-grype # anchore/scan-action/download-grype
5761
with:
5862
grype-version: v0.54.0
5963

6064
- name: "Check Grype version before scan-action"
61-
run: grype version | egrep "^Version:.*0.54.0$"
65+
run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"
6266

6367
- name: "Scan test image"
6468
uses: ./
6569
with:
6670
image: "alpine:latest"
67-
grype-version: v0.54.0 # set the same version to test that current Grype binary wasn't overwritten by the latest version
6871
fail-build: false # to prevent fail due to vuln:s on test image
6972

7073
- name: "Check Grype version after scan-action"
71-
run: grype version | egrep "^Version:.*0.54.0$"
74+
run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"
7275

7376
test-all:
7477
strategy:
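Review bot: Switching the two checks from `grype version` to `${{ steps.grype.outputs.cmd }} version` changes what the "after scan-action" check proves. The removed `grype-version: v0.54.0` line carried the intent of this test (that the Grype binary already on PATH is not overwritten by a newer download); invoking the download step's own output path instead verifies that specific binary and no longer exercises PATH at all. If the no-overwrite property still matters, keep one plain `grype version | grep -E "^Version:.*0.54.0$"` assertion alongside the new one. Minor: `egrep` is deprecated in favour of `grep -E`, and "Donwload" in the step name is a typo.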

README.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -120,7 +120,7 @@ Optionally, change the `fail-build` field to `false` to avoid failing the build
120120
The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the source to scan; all the other keys are optional. These are all the available keys to configure this action, along with the defaults:
121121

122122
| Input Name | Description | Default Value |
123-
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
123+
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
124124
| `image` | The image to scan | N/A |
125125
| `path` | The file path to scan | N/A |
126126
| `sbom` | The SBOM to scan | N/A |
@@ -133,6 +133,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
133133
| `add-cpes-if-none` | Specify whether to autogenerate missing CPEs. | `false` |
134134
| `by-cve` | Specify whether to orient results by CVE rather than GHSA. | `false` |
135135
| `vex` | Specify a list of VEX documents to consider when producing scanning results. | `false` |
136+
| `cache-db` | Cache the Grype DB in GitHub action cache and restore before checking for updates | `false` |
136137
| `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). | |
137138

138139
### Action Outputs
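Review bot: The `cache-db` description should spell out what happens on a cache hit, because readers will reasonably worry that a cached vulnerability DB means scanning against stale data: the restored DB is only a starting point and Grype still runs its own update check, so a newer published DB is still fetched. The phrase "restore before checking for updates" hints at this but does not say it. Also add the trailing period for consistency with the neighbouring rows in the table.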
@@ -201,13 +202,14 @@ such as [ignoring certain matches](https://github.com/anchore/grype#specifying-m
201202

202203
## anchore/scan-action/download-grype
203204

204-
A sub-action to [download Grype](download-grype/action.yml).
205+
A sub-action to [download Grype](download-grype/action.yml) and optionally cache the Grype DB.
205206

206207
Input parameters:
207208

208209
| Parameter | Description | Default |
209-
| --------------- | ------------------------------------------------------------------------------------------------------------ | ------- |
210+
|-----------------|--------------------------------------------------------------------------------------------------------------|---------|
210211
| `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). | |
212+
| `cache-db` | Cache the Grype DB in GitHub action cache and restore before checking for updates | `false` |
211213

212214
Output parameters:
213215

action.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,9 @@ inputs:
4343
vex:
4444
description: "Specify a list of VEX documents to consider when producing scanning results."
4545
required: false
46+
cache-db:
47+
description: "Cache the Grype DB in GitHub action cache and restore before checking for updates"
48+
required: false
4649
outputs:
4750
sarif:
4851
description: "Path to a SARIF report file for the image"
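Review bot: `cache-db` is documented in README.md with a default of `false`, but this input declares no `default:`, so `${{ inputs.cache-db }}` is the empty string when the caller omits it. Add `default: "false"` here (matching the README) so the code consuming the input does not have to special-case empty versus `false`, and so the documented default is actually enforced by the action metadata rather than only by convention.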
