anchore / scan-action

Anchore container analysis and scan provided as a GitHub Action
MIT License

Not able to read the scan output in the workflow. #230

Closed verodhi closed 1 year ago

verodhi commented 1 year ago

I am using the following two steps, following the documentation. The first step of scanning works as expected. The second step, where I am trying to print the SARIF output, shows an empty string.

jobs:

  # For Pull Request
  runt_test:
    name: "Run application unit test."
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    env:
      #this is needed since we are running terraform with read-only permissions
      # ARM_SKIP_PROVIDER_REGISTRATION: true
      ACTIONS_STEP_DEBUG: true
    # outputs:
    #   tfplanExitCode: ${{ steps.plan.outputs.exitcode }}

    steps:

      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v3

      # Run Anchor scan on the image created to identify security vulnerabilities.
      - name: Scan the local image with Anchor
        id: anchor_scan
        uses: anchore/scan-action@v2
        with:
          image: ${{ env.APPLICATION_NAME_LOWER }}:${{ env.IMAGE_VERSION }}
          fail-build: false

      - name: Inspect action SARIF report
        run: cat ${{ steps.anchor_scan.outputs.sarif }}

Apologies if I am using the step incorrectly.

kzantow commented 1 year ago

Hi @verodhi, from what I can tell you're using this correctly with one exception: I see you're using @v2, try updating that to @v3. Does that work for you?

P.S. Anchore has an e at the end 😄

verodhi commented 1 year ago

Hi @kzantow, I appreciate your quick response. I updated the version, and it is working as expected now. Also fixed the spelling with the *e*... thanks for pointing that out.

tristanhill-iris commented 1 year ago

I think I'm seeing this same issue on v3, causing SARIF upload to GitHub Advanced Security to fail.

This occurs intermittently for my test image, re-running usually fixes it. If the issue occurs, upload-sarif@v2 fails:

Processing sarif files: ["./results.sarif"]
  Error: Unexpected end of JSON input
  SyntaxError: Unexpected end of JSON input

I'm using a self-hosted runner, so I've pulled the results.sarif files, and when this failure occurs, results.sarif exists but is empty. If it doesn't occur, the results.sarif file contains SARIF results as expected.

The anchore/scan-action@v3 output is the same for success and failure, and does not indicate that the results failed.

grype output...
  Executing: grype -o sarif --fail-on medium my-image:latest
  [0131]  WARN unable to extract licenses from javascript package.json: unmarshal failed from-lib=syft
  [0131]  WARN unable to extract licenses from javascript package.json: unmarshal failed from-lib=syft
  [0131]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unexpected EOF from-lib=syft location=/app/node_modules/resolve/test/resolver/malformed_package_json/package.json

  1 error occurred:
    * discovered vulnerabilities at or above the severity threshold

Warning: Failed minimum severity level. Found vulnerabilities with level 'medium' or higher

If I run the workflow in debug mode and it fails, the only indication that anything failed is that the Grype output in debug logs is empty.

Normal debug output:

  [0112]  INFO found 233 vulnerabilities for 4024 packages
  [0112] DEBUG   ├── fixed: 148
  [0112] DEBUG   └── matched: 233
  [0112] DEBUG       ├── unknown severity: 0
  [0112] DEBUG       ├── negligible: 59
  [0112] DEBUG       ├── low: 8
  [0112] DEBUG       ├── medium: 62
  [0112] DEBUG       ├── high: 78
  [0112] DEBUG       └── critical: 26

  1 error occurred:
    * discovered vulnerabilities at or above the severity threshold

  ##[debug]Exit code 1 received from tool '/home/ssm-user/actions-runner/_work/_tool/grype/0.63.0/x64/grype'
  ##[debug]STDIO streams have closed for tool '/home/ssm-user/actions-runner/_work/_tool/grype/0.63.0/x64/grype'
  ::endgroup::
  ##[debug]Grype output:
  ##[debug]{
  ##[debug]  "version": "2.1.0",
  ##[debug]  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  ##[debug]  "runs": [
  ##[debug]    {
  ##[debug]      "tool": {
  ##[debug]        "driver": {
  ##[debug]          "name": "Grype",
  ##[debug]          "version": "0.63.0",
  ##[debug]          "informationUri": "https://github.com/anchore/grype",
  ##[debug]          "rules": [
  ...
Warning: Failed minimum severity level. Found vulnerabilities with level 'medium' or higher

Failure debug output:

  [0141]  INFO found 233 vulnerabilities for 4024 packages
  [0141] DEBUG   ├── fixed: 148
  [0141] DEBUG   └── matched: 233
  [0141] DEBUG       ├── unknown severity: 0
  [0141] DEBUG       ├── negligible: 59
  [0141] DEBUG       ├── low: 8
  [0141] DEBUG       ├── medium: 62
  [0141] DEBUG       ├── high: 78
  [0141] DEBUG       └── critical: 26

  1 error occurred:
    * discovered vulnerabilities at or above the severity threshold

  ##[debug]Exit code 1 received from tool '/home/ssm-user/actions-runner/_work/_tool/grype/0.63.0/x64/grype'
  ##[debug]STDIO streams have closed for tool '/home/ssm-user/actions-runner/_work/_tool/grype/0.63.0/x64/grype'
  ::endgroup::
  ##[debug]Grype output:
  ##[debug]
Warning: Failed minimum severity level. Found vulnerabilities with level 'medium' or higher

Here's my workflow snippet:

      - uses: anchore/scan-action@v3
        id: grype
        with:
          fail-build: false
          output-format: sarif
          image: "my-image:latest"

      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}

Really not sure what's going on here except that for some reason on v3 and possibly v2, the Grype output is sometimes empty with no logs indicating failures.

Could it be the results file size? It ends up being ~9000 lines and ~500KB on disk. GH's maximum individual output size is 1 MB. But, this wouldn't explain why it succeeds on a re-run using the same image with the same results. So I don't know if that's the problem either.
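A pre-upload guard for the failure mode described in this thread, written as an added example here rather than code from anchore/scan-action or its authors: it checks that the file the scan step produced is non-empty, parses as a SARIF 2.1.0 log with at least one run, and summarises the result levels, so an empty results.sarif fails the job with a clear reason instead of reaching upload-sarif and dying on "Unexpected end of JSON input". The SARIF sample is constructed (placeholder rule ids) and only mirrors the header shape visible in the debug log above.

```python
import json
import os
import tempfile
from collections import Counter

# Constructed sample shaped like the Grype SARIF header in the debug log (not real scan output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
    "runs": [{
        "tool": {"driver": {"name": "Grype", "version": "0.63.0", "rules": []}},
        "results": [
            {"ruleId": "CVE-PLACEHOLDER-1", "level": "error", "message": {"text": "constructed"}},
            {"ruleId": "CVE-PLACEHOLDER-2", "level": "warning", "message": {"text": "constructed"}},
            {"ruleId": "CVE-PLACEHOLDER-3", "level": "warning", "message": {"text": "constructed"}},
        ],
    }],
}).encode()

def check_sarif_bytes(raw):
    """Classify raw file contents. Returns (ok, reason, summary)."""
    if len(raw) == 0:
        return False, "empty file: the scan step produced no SARIF output", {}
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:  # what upload-sarif reports as 'Unexpected end of JSON input'
        return False, f"invalid JSON: {exc}", {}
    runs = doc.get("runs")
    if doc.get("version") != "2.1.0" or not isinstance(runs, list) or not runs:
        return False, "not a SARIF 2.1.0 log containing at least one run", {}
    levels = Counter(r.get("level", "none") for run in runs for r in run.get("results", []))
    tool = runs[0].get("tool", {}).get("driver", {}).get("name", "unknown")
    return True, "ok", {"tool": tool, "results": sum(levels.values()), "levels": dict(levels), "bytes": len(raw)}

def check_sarif_file(path):
    """Run as a workflow step between the scan and upload steps; a False result should fail the job."""
    if not os.path.isfile(path):
        return False, f"missing file: {path}", {}
    with open(path, "rb") as fh:
        return check_sarif_bytes(fh.read())

def demo():
    """Write a constructed good file and an empty one (the failure seen in this thread) and check both."""
    with tempfile.TemporaryDirectory() as d:
        good, empty = os.path.join(d, "results.sarif"), os.path.join(d, "empty.sarif")
        with open(good, "wb") as fh:
            fh.write(SAMPLE_SARIF)
        open(empty, "wb").close()
        return check_sarif_file(good), check_sarif_file(empty)
```

In the workflow, call `check_sarif_file` on the path from `${{ steps.grype.outputs.sarif }}` in a step placed before upload-sarif and exit non-zero when it returns False; the returned reason and the `bytes` field give you the evidence (empty file, truncated JSON, or file size) that the scan-action logs in this thread do not.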