Issue (open), opened by MPV 1 year ago
Hi @MPV, apologies for the delay getting back to you on this issue.
We talked about this on our livestream today, but it was a little unclear what you were hoping to accomplish, so I thought I would get a little more information and suggest something that you could do today, based on a few assumptions.
The GitHub annotations support specifying a file and line, but Grype does not capture line numbers where packages were found. It does capture files, so it would be possible to associate a vulnerability in the list to a file, but it seems like you may have just been looking for a way to show the vulnerability report in a more convenient location. If that's the case, the GitHub summary is a pretty good way to go. You could store the table output to a file, and include it in the top-level workflow like this:
```yaml
- uses: anchore/scan-action@main
  with:
    image: alpine:3.15
    fail-build: false
    output-format: table
  env:
    GRYPE_FILE: vuln-report.out
- run: |
    VULN_REPORT="$(cat vuln-report.out)"
    # pass the report as a printf argument (not as the format string) so a '%' in
    # the table cannot break the output; append so earlier summary text is kept
    printf '# Vulnerability Report Summary\n<pre>%s</pre>\n' "$VULN_REPORT" >> "$GITHUB_STEP_SUMMARY"
```
... which results in the table output being printed right at the summary view of the workflow:
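Building on the point above that Grype records the file a package was found in but not a line, here is an added example (not part of this thread or of scan-action) of a step that turns Grype's JSON report into GitHub annotation commands keyed to that file. The `matches[].vulnerability` and `matches[].artifact.locations[].path` field names are assumed from Grype's JSON output format, the CVE ids are placeholders, and the sample report is constructed.

```python
import json
import sys

# Constructed sample in the shape of Grype's JSON report; the field names
# (matches[].vulnerability, matches[].artifact.locations[].path) are assumed
# from Grype's JSON output format, and the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High"},
     "artifact": {"name": "libssl1.1", "version": "1.1.1k-r0",
                  "locations": [{"path": "/lib/apk/db/installed"}]}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Low"},
     "artifact": {"name": "busybox", "version": "1.34.1-r3",
                  "locations": [{"path": "/lib/apk/db/installed"}]}},
]})

# Matches at these severities become ::error annotations; everything else ::warning.
ERROR_SEVERITIES = {"Critical", "High"}


def _escape(value, is_property=False):
    """Escape a value for a workflow command line; property values also need ':' and ','."""
    out = value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")
    if is_property:
        out = out.replace(":", "%3A").replace(",", "%2C")
    return out


def annotations_from_report(report_json):
    """Return one workflow-command line per match, keyed to the file Grype found the package in."""
    lines = []
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        severity = vuln.get("severity", "Unknown")
        level = "error" if severity in ERROR_SEVERITIES else "warning"
        paths = [loc["path"] for loc in art.get("locations", [])] or ["(unknown)"]
        msg = _escape(f"{vuln['id']} ({severity}) in {art['name']} {art['version']}")
        for path in paths:
            # Grype records the file but not a line, so only file= is set;
            # GitHub accepts a file property without a line number.
            lines.append(f"::{level} file={_escape(path, True)},title=Grype::{msg}")
    return lines


if __name__ == "__main__":
    # In a workflow step: run grype with JSON output to a file, then pass that
    # file's path as the only argument; with no argument the sample report is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("\n".join(annotations_from_report(source)))
```

Printing these lines from a `run:` step is enough for GitHub to turn them into annotations on the workflow run.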
Hi, would you consider adding support for Annotations?
See for comparison: