.github/workflows/demo.yml

@@ -6,30 +6,27 @@ jobs:
   test-image:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./
         with:
           image: "alpine:latest"
-          debug: true
           fail-build: false
 
   test-directory:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./
         with:
           path: "tests/fixtures/npm-project"
-          debug: true
           severity-cutoff: "negligible"
           fail-build: false
 
   sbom:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./
         with:
           sbom: tests/fixtures/test_sbom.spdx.json
-          debug: true
           fail-build: false

.github/workflows/release-drafter.yml

@@ -10,6 +10,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Draft release notes
-        uses: release-drafter/release-drafter@v5
+        uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.25.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/sarifdemo.yml

@@ -7,14 +7,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v2
-
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Run the local Scan Action with SARIF generation enabled
         id: scan
         uses: ./
         with:
           image: "debian:8"
-          debug: true
           fail-build: false
           #severity-cutoff: "Medium"
 
@@ -32,14 +30,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v2
-
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Run the local Scan Action with SARIF generation enabled
         id: scan
         uses: ./
         with:
           path: "tests/fixtures/npm-project"
-          debug: true
           fail-build: false
           #severity-cutoff: "Medium"
 

.github/workflows/tag-release.yml

@@ -8,6 +8,6 @@ jobs:
   actions-tagger:
     runs-on: ubuntu-latest
     steps:
-      - uses: Actions-R-Us/actions-tagger@v2
+      - uses: Actions-R-Us/actions-tagger@330ddfac760021349fef7ff62b372f2f691c20fb # v2.0.3
         with:
           publish_latest_tag: true

.github/workflows/test.yml

@@ -11,7 +11,7 @@ jobs:
   build: # make sure build/ci work properly and there is no faked build ncc built scripts
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - run: npm ci
       - run: npm run audit
       - run: npm run build
@@ -27,7 +27,7 @@ jobs:
         ports:
           - 5000:5000
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Build images
         run: |
           for distro in alpine centos debian; do
@@ -43,3 +43,29 @@ jobs:
       - run: npm ci
       - run: npm run audit
       - run: npm test
+
+  test-as-action: # run actions to test some scenarios
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          path: ./
+
+      - name: "Donwload Grype v0.54.0"
+        uses: ./download-grype # anchore/scan-action/download-grype
+        with:
+          grype-version: v0.54.0
+
+      - name: "Check Grype version before scan-action"
+        run: grype version | egrep "^Version:.*0.54.0$"
+
+      - name: "Scan test image"
+        uses: ./
+        with:
+          image: "alpine:latest"
+          grype-version: v0.54.0 # set the same version to test that current Grype binary wasn't overwritten by the latest version
+          fail-build: false # to prevent fail due to vuln:s on test image
+
+      - name: "Check Grype version after scan-action"
+        run: grype version | egrep "^Version:.*0.54.0$"

.github/workflows/update-grype-release.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/scan-action'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Get latest Grype version
         id: latest-version
         env:
@@ -25,12 +25,12 @@ jobs:
           npm run build
           # export the version for use with create-pull-request:
           echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_OUTPUT
-      - uses: tibdex/github-app-token@v1
+      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         id: generate-token
         with:
           app_id: ${{ secrets.TOKEN_APP_ID }}
           private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
-      - uses: peter-evans/create-pull-request@v4
+      - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
         with:
           signoff: true
           delete-branch: true

GrypeVersion.js

@@ -1 +1 @@
-exports.GRYPE_VERSION = "v0.73.3";
+exports.GRYPE_VERSION = "v0.73.4";

README.md

@@ -150,7 +150,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Build the container image
         run: docker build . --file Dockerfile --tag localbuild/testimage:latest
       - uses: anchore/scan-action@v3
@@ -170,7 +170,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Build the Container image
         run: docker build . --file Dockerfile --tag localbuild/testimage:latest
       - uses: anchore/scan-action@v3

action.yml

@@ -36,7 +36,10 @@ inputs:
   by-cve:
     description: "Specify whether to orient results by CVE rather than GHSA.  Default is false."
     required: false
-    default: "false"
+    default: "false"  
+  grype-version:
+    description: "A specific version of Grype to install"
+    required: false
 outputs:
   sarif:
     description: "Path to a SARIF report file for the image"

dist/index.js

@@ -4,7 +4,7 @@
 /***/ 6244:
 /***/ ((__unused_webpack_module, exports) => {
 
-exports.GRYPE_VERSION = "v0.73.3";
+exports.GRYPE_VERSION = "v0.73.4";
 
 
 /***/ }),