anchore / scan-action

Anchore container analysis and scan provided as a GitHub Action
MIT License

Different results between scan-action and grype run locally #239

Closed jacopolanzonidev closed 1 year ago

jacopolanzonidev commented 1 year ago

My company uses Grype wrapped by your scan-action to detect vulnerabilities.

We currently observe a difference between what the scan-action's Grype finds as a GitHub Action and what we get by running Grype locally (installed through brew).

The version of Grype is the same (v0.63.0).

scan-action:

Screenshot 2023-08-16 at 17 01 36

Grype locally:

Screenshot 2023-08-16 at 17 04 30

jacopolanzonidev commented 1 year ago

Solution found. In my action I wasn't building the project into a jar file, and not all the vulnerabilities are found in that way.
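The fix described above, building the artifact before the scan runs, as an added workflow example that is not part of the original thread or of the scan-action project; the Maven layout, the `target` output directory and the action version tags are assumptions:

```yaml
name: vulnerability-scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # Package the project first: Grype's Java cataloger reads the resolved
      # dependencies bundled in the jar, which a bare source tree does not contain.
      - name: Build jar
        run: mvn -B -DskipTests package

      # Point scan-action at the build output, not at the repository root,
      # so the packaged jar (and its transitive dependencies) is what gets scanned.
      - name: Scan built artifact
        uses: anchore/scan-action@v3
        with:
          path: target
          fail-build: true
          severity-cutoff: high
```

Running `grype dir:.` before the build and `grype dir:target` after it locally reproduces the same gap the two screenshots show.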

tgerla commented 1 year ago

Thanks for letting us know!