Scan-action Release Notes

1 - v6.5.1

Release Notes

Version v6.5.1

New in scan-action v6.5.1

• Update Grype to v0.97.1 (#495)

2 - v6.5.0

Release Notes

Version v6.5.0

New in scan-action v6.5.0

• Update Grype to v0.96.1 (#493) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]
• fix: output stderr for nonzero exit code (#491) [kzantow]

3 - v6.4.0

Release Notes

Version v6.4.0

New in scan-action v6.4.0

• Update Grype to v0.95.0 (#486)
• chore(deps-dev): bump eslint from 9.30.0 to 9.30.1 (#485)
• chore(deps-dev): bump lint-staged from 16.1.0 to 16.1.2 (#476)
• chore(deps-dev): bump jest from 30.0.0 to 30.0.3 (#481)
• chore(deps-dev): bump prettier from 3.5.3 to 3.6.2 (#483)
• chore(deps-dev): bump eslint from 9.28.0 to 9.30.0 (#484)

4 - v6.3.0

Release Notes

Version v6.3.0

New in scan-action v6.3.0

• Update Grype to v0.94.0 (#470)

5 - v6.2.0

Release Notes

Version v6.2.0

New in scan-action v6.2.0

• feat: update Scan action to use grype db v6 (#462) [spiffcs]

6 - v6.1.0

Release Notes

Version v6.1.0

New in scan-action v6.1.0

• Feature (deps): update Grype to v0.87.0 (#430)
  • See Grype changes for new updates

7 - v6.0.0

Release Notes

Version v6.0.0

New in scan-action v6.0.0

Breaking Change

• feat: add output-file option, default to random directory output in temp (#346) [kzantow]

The action no longer generates files in your working directory by default, instead you should use the action outputs: ${{ steps.<id>.outputs.sarif }} where the <id> needs to match the id you configured to reference the scan-action, e.g.:

      - uses: anchore/scan-action[@v6](https://github.com/v6)
        id: scan
        ...
      - uses: github/codeql-action/upload-sarif[@v3](https://github.com/v3)
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

Other Changes

• chore(deps): update Grype to v0.86.1 (#416) [anchore-actions-token-generator]
• feat: add support for cyclonedx and cyclonedx-json output-formats (#396) [ps-e]
• chore(deps): bump @actions/cache from 3.3.0 to 4.0.0 (#412) [dependabot]
• chore(deps): update Grype to v0.86.0 (#413) [anchore-actions-token-generator]

8 - v5.3.0

Release Notes

Version v5.3.0

New in scan-action v5.3.0

• chore(deps): update Grype to v0.85.0 (#408) [anchore-actions-token-generator]
• chore(deps-dev): bump @vercel/ncc from 0.38.2 to 0.38.3 (#406) [dependabot]
• chore(deps-dev): bump eslint from 9.14.0 to 9.15.0 (#405) [dependabot]
• chore(deps-dev): bump husky from 9.1.6 to 9.1.7 (#407) [dependabot]

9 - v5.2.1

Release Notes

Version v5.2.1

New in scan-action v5.2.1

• update Grype to v0.84.0 (#404) [anchore-actions-token-generator]
• bump @actions/cache from 3.2.4 to 3.3.0 (#402) [dependabot]

10 - v5.2.0

Release Notes

Version v5.2.0

New in scan-action v5.2.0

• chore(deps): update Grype to v0.83.0 (#398) [anchore-actions-token-generator]
• chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#394) [dependabot]
• chore(deps): bump actions/setup-node from 4.0.4 to 4.1.0 (#395) [dependabot]

11 - v5.1.0

Release Notes

Version v5.1.0

New in scan-action v5.1.0

• chore(deps): update Grype to v0.82.2 (#393) [anchore-actions-token-generator]
• chore(deps-dev): bump eslint from 9.12.0 to 9.13.0 (#392) [dependabot]
• chore(deps-dev): bump tslib from 2.7.0 to 2.8.0 (#391) [dependabot]

12 - v5.0.1

Release Notes

Version v5.0.1

New in scan-action v5.0.1

• chore(deps): update Grype to v0.82.1 (#389) [anchore-actions-token-generator]

13 - v5.0.0

Release Notes

Version v5.0.0

New in scan-action v5.0.0

• chore(deps): update Grype to v0.82.0 (#383) [anchore-actions-token-generator]

🚀 Features

• feat: short-lived grype-db cache (#348) [kzantow] Note: with this release grype is no longer installed on $PATH. We suspect the changes here could break a number of users of the action who have learned to expect Grype be installed on $PATH.

14 - v4.1.2

Release Notes

Version v4.1.2

New in scan-action v4.1.2

• Update Grype to v0.80.0 (#358) [anchore-actions-token-generator]

15 - v4.1.1

Release Notes

Version v4.1.1

New in scan-action v4.1.1

• chore(deps): update Grype to v0.79.6 (#352) [anchore-actions-token-generator]
• Document grype-version parameter (#319) [vprivat-ads]

16 - v4.1.0

Release Notes

Version v4.1.0

New in scan-action v4.1.0

• chore(deps): update Grype to v0.79.3 (#341) [anchore-actions-token-generator]

17 - v4.0.0

Release Notes

Version v4.0.0

New in scan-action v4.0.0

• Update Grype to v0.79.2 (#338) [anchore-actions-token-generator]
• Download Grype on Windows (#336) [willmurphyscode] (#315) [kzantow]
• Bump Node to v20 (#295) [ViacheslavKudinov]

18 - v3.6.4

Release Notes

Version v3.6.4

New in scan-action v3.6.4

• Update Grype to v0.74.4 (#279) [anchore-actions-token-generator]

19 - v3.6.3

Release Notes

Version v3.6.3

New in scan-action v3.6.3

• chore: migrate action to use node v20.11.0 (Iron) FROM node v16.x.x (#278) [spiffcs]

20 - v3.6.2

Release Notes

Version v3.6.2

New in scan-action v3.6.2

• chore(deps): update Grype to v0.74.3 (#275) [anchore-actions-token-generator]

21 - v3.6.1

Release Notes

Version v3.6.1

New in scan-action v3.6.1

• chore(deps): update Grype to v0.74.2 (#272) [anchore-actions-token-generator]
• chore(deps-dev): bump prettier from 3.2.2 to 3.2.4 (#270) [dependabot]

22 - v3.6.0

Release Notes

Version v3.6.0

New in scan-action v3.6.0

• chore(deps): update Grype to v0.74.1 (#271) [anchore-actions-token-generator]
• chore(deps-dev): bump prettier from 3.1.1 to 3.2.2 (#268) [dependabot]

23 - v3.5.0

Release Notes

Version v3.5.0

New in scan-action v3.5.0

• chore(deps): update Grype to v0.74.0 (#267) [anchore-actions-token-generator]
• chore(deps): bump @actions/core from 1.10.0 to 1.10.1 (#262) [dependabot]

24 - v3.4.0

Release Notes

Version v3.4.0

New in scan-action v3.4.0

• chore(deps-dev): bump tslib from 2.5.0 to 2.6.2 (#258) [dependabot]
• chore(deps-dev): bump @vercel/ncc from 0.36.1 to 0.38.1 (#261) [dependabot]
• chore(deps): update Grype to v0.73.5 (#264) [anchore-actions-token-generator]
• Add support for the --vex flag (#254) [ferozsalam]

25 - v3.3.8

Release Notes

Version v3.3.8

New in scan-action v3.3.8

• Update Grype to v0.73.4 (#252) [anchore-actions-token-generator]
• Add input grype-version (#228) [ViacheslavKudinov]
• Chore: upgrade and pin all GH actions (#250) [willmurphyscode]

26 - v3.3.7

Release Notes

Version v3.3.7

New in scan-action v3.3.7

• chore: address test flakes (#249) [willmurphyscode]
• chore(deps): update Grype to v0.73.3 (#248) [anchore-actions-token-generator]
• chore: add manual trigger to test workflow (#247) [willmurphyscode]
• fix: updated semver version (#241) [gicappa]
• chore(docs): update docker related actions to avoid warnings in workflow (#240) [kuzm1ch]
• chore: add new exception for audit (#235) [spiffcs]
• chore(deps): update Grype to v0.63.1 (#233) [anchore-actions-token-generator]
• Add by-cve option (#229) [too-gee]
• add oss community board auto-add workflow (#231) [wagoodman]

🐛 Bug Fixes

• chore(deps): update Grype to v0.73.2; remove snapshot tests (#236) [anchore-actions-token-generator]

27 - v3.3.6

Release Notes

Version v3.3.6

New in scan-action v3.3.6

• chore(deps): update Grype to v0.63.0 (#225) [anchore-actions-token-generator]
• chore: update grype update (#224) [kzantow]
• chore: update deprecated set-output call (#223) [kzantow]

28 - v3.3.5

Release Notes

Version v3.3.5

New in scan-action v3.3.5

• Set json output (#222) [kklopfenstein]
• Update Grype to v0.60.0 (#221) [anchore-actions-token-generator]
• Add input for –add-cpes-if-none flag (#219) [sebhoss]

29 - v3.3.4

Release Notes

Version v3.3.4

New in scan-action v3.3.4

• Update Grype to v0.56.0 (#205)

30 - v3.3.3

Release Notes

Version v3.3.3

New in scan-action v3.3.3

• Add only-fixed option (#208) [lucacome]
• Update Grype to v0.54.0 (#204) [anchore-actions-token-generator]

31 - v3.3.2

Release Notes

Version v3.3.2

New in scan-action v3.3.2

• Include process environment into grype execution (#202) [erhan- + kzantow]

32 - v3.3.1

Release Notes

Version v3.3.1

New in scan-action v3.3.1

• Update Grype to v0.52.0 (#201) [anchore-actions-token-generator]

33 - v3.3.0

Release Notes

Version v3.3.0

New in scan-action v3.3.0

• Add output-format and allow json to be used (#184,#187) [GiliFaroEnv0 + maartenh]
• Add table option for output-format to show vulnerabilities in console (#135) [ken-chou-finn + kzantow]
• Update Grype to v0.50.1 (#191) [anchore-actions-token-generator]

34 - v3.2.5

Release Notes

Version v3.2.5

New in scan-action v3.2.5

• Update node versions to v16 from v12 (#176) [spiffcs]
• Update Grype to v0.38.0 (#173)

35 - v3.2.4

Release Notes

Version v3.2.4

New in scan-action v3.2.4

• Update Grype to v0.34.7 (#163)
• More closely align parameters with sbom-action (#158)

36 - v3.2.3

Release Notes

Version v3.2.3

New in scan-action v3.2.3

• Support SBOM input for scanning (#154) [@harmw]

37 - v3.2.2

Release Notes

Version v3.2.2

New in scan-action v3.2.2

• Add sub-action to download Grype (#152)
• Update Grype to 0.34.4 to fix a nil pointer in SARIF generation (#151)

38 - v3.2.1

Release Notes

Version v3.2.1

New in scan-action v3.2.1

• Remove SARIF processing (#148)

39 - v3.2.0

Release Notes

Version v3.2.0

New in scan-action v3.2.0

• Update Grype to 0.27.3 (#136)
• Output Grype stderr to action logs (#137)
• Readme should point to CONTRIBUTING.md (#126)
• Improve documentation (#125)

40 - v3.1.0

Release Notes

Version v3.1.0

New in scan-action v3.1.0

• Update Grype to 0.22.0 - this includes the ability to ignore vulnerability matches (#121)

41 - v3.0.0

Release Notes

Version v3.0.0

New in scan-action v3.0.0

• Upgrade to Grype to 0.17.0 and add tests #102 (#112) (#118)
• Improve SARIF output #114 (#115)
• Change default behavior so action fails on medium (and higher) severities (#86)
• Respect verbosity from action to call Grype (#82)

42 - v2.0.4

Release Notes

Version v2.0.4

New in scan-action v2.0.4

• bump grype to 0.7.0 (#81)

43 - 2.0.3

Release Notes

Version 2.0.3

New in scan-action 2.0.3

• bump grype to 0.6.1 (#79)
• Halt execution when invalid options are provided (#76)
• bump grype to 0.5.0 (#75)

44 - v2.0.2

Release Notes

Version v2.0.2

Minor bug-fix release:

• Update actions/core to use version 1.2.6 (Issue #71)

45 - v2.0.1

Release Notes

Version v2.0.1

Minor bug-fix release.

Fixes:

• Removes unnecessary constraint in deduplication for SARIF reporting
• Allows defining and referencing the location of the SARIF report file
• Fixes multiple instances where undefined items in the reporting would break scanning

46 - v2.0.0

Release Notes

Version v2.0.0

New major version of scan action based on new Grype tool from Anchore that is much faster for scanning compared to v1.x and adds some new capabilities and more metadata about the matches.

• Significantly faster performance for scans
• New vulnerabilities output format is the JSON output from Grype directly
• Adds support for scanning directories as well as Docker containers, so you can do the same checks pre-and post-build of the container.
• Supports Automatic Code Scanning/SARIF for exposing results via your repository’s Security tab.

This is a breaking change from v1.x, as indicated by the major version revision:

1. Use image input parameter Instead of image-reference
2. dockerfile-path is no longer supported and not necessary for the vulnerability scans
3. custom-policy-path is no longer supported
4. include-app-packages is no longer necessary or supported. Application packages are on by default and will receive vulnerability matches.
5. Outputs:
   1. billofmaterials is no longer output. V2 is focused on vulnerability scanning and another action may be introduced for BoM support with its own options/config.
   2. policycheck is no longer output

47 - v1.0.9

Release Notes

Version v1.0.9

Update to Anchore Engine 0.8.1

48 - v1.0.8

Release Notes

Version v1.0.8

Update to Anchore Engine 0.8.0

49 - v1.0.7

Release Notes

Version v1.0.7

Update to Anchore Engine 0.7.3

50 - 1.0.6

Release Notes

Version 1.0.6

Adds optional support for integration with GitHub code scanning.

51 - 1.0.5

Release Notes

Version 1.0.5

Update Anchore Engine to v0.7.2

52 - v1.0.4

Release Notes

Version v1.0.4

53 - v1.0.3

Release Notes

Version v1.0.3

54 - v1.0.2

Release Notes

Version v1.0.2

Update to v0.6.1 of anchore-engine

55 - v1.0.1

Release Notes

Version v1.0.1

Bumps version of anchore used to v0.6.0 as well as adding an input parameter to enable overriding the Anchore inline scan version. Other updates are internal optimizations, test improvements, and code cleanup.

56 - v1.0.0

Release Notes

Version v1.0.0

First release of the scan action

57 - v1.0.0-RC0

Release Notes

Version v1.0.0-RC0

Initial release candidate for v1.0.0 of the anchore-engine scan action.