New major version of the scan action, based on the new Grype tool from Anchore. It scans much faster than v1.x and adds some new capabilities and more metadata about the matches.
- Significantly faster performance for scans
- New vulnerabilities output format is the JSON output from Grype directly
- Adds support for scanning directories as well as Docker containers, so you can run the same checks pre- and post-build of the container.
- Supports Automatic Code Scanning/SARIF for exposing results via your repository's Security tab.
This is a breaking change from v1.x, as indicated by the major version revision:
- Use the `image` input parameter instead of `image-reference`
- `dockerfile-path` is no longer supported and not necessary for the vulnerability scans
- `custom-policy-path` is no longer supported
- `include-app-packages` is no longer necessary or supported. Application packages are on by default and will receive vulnerability matches.
- Outputs:
  - `billofmaterials` is no longer output. V2 is focused on vulnerability scanning and another action may be introduced for BoM support with its own options/config.
  - `policycheck` is no longer output
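
To find workflows that still depend on the v1.x inputs and outputs listed above, a small checker like the following can be run over workflow files before upgrading. This is an added example, not part of the action or its release notes; the function name `find_v1_leftovers` and the sample workflow are constructed for illustration.

```python
import re

# Inputs and outputs that the release notes above list as renamed or removed in v2.
REMOVED_INPUTS = {
    "image-reference": "renamed: use the `image` input",
    "dockerfile-path": "no longer supported or needed",
    "custom-policy-path": "no longer supported",
    "include-app-packages": "no longer supported; app packages are on by default",
}
REMOVED_OUTPUTS = ("billofmaterials", "policycheck")

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v2
      - id: scan
        uses: anchore/scan-action@v2
        with:
          image-reference: "localbuild/testimage:latest"
          dockerfile-path: "./Dockerfile"
          include-app-packages: true
      - run: cat ${{ steps.scan.outputs.billofmaterials }}
"""

def find_v1_leftovers(workflow_text):
    """Return (line_number, name, advice) for each v1-only input or output.

    Simplification: keys are matched by name on any line, not only inside
    scan-action steps, so review each finding before changing it.
    """
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        key = re.match(r"\s*([A-Za-z0-9_-]+)\s*:", line)
        if key and key.group(1) in REMOVED_INPUTS:
            findings.append((number, key.group(1), REMOVED_INPUTS[key.group(1)]))
        for output in REMOVED_OUTPUTS:
            if re.search(r"\.outputs\." + output + r"\b", line):
                findings.append((number, output, "output no longer produced"))
    return findings

if __name__ == "__main__":
    for number, name, advice in find_v1_leftovers(SAMPLE_WORKFLOW):
        print(f"line {number}: {name}: {advice}")
```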