anchore / scan-action

Anchore container analysis and scan provided as a GitHub Action
MIT License

Having the action report only a certain level of vulnerabilities and above #321

Open pantelis-karamolegkos opened 3 months ago

pantelis-karamolegkos commented 3 months ago

I know there is the severity-cutoff: <level> option for making the GHA workflow fail if vulnerabilities of a <level> and above are found.

Is there a way however to configure the action to also only report vulnerabilities of a base level and above? The output is kind of overwhelming.
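A post-processing workaround for the filtering asked about above, added here as an example and not code from scan-action or Grype: it reads Grype's JSON report and keeps only matches at or above a chosen severity, using Grype's severity scale. It assumes the JSON shape (a top-level "matches" list with "vulnerability.severity", "vulnerability.id" and "artifact.name/version"); the sample report and its CVE ids are constructed placeholders.

```python
"""Filter a Grype JSON report to a minimum severity (added example, not project code)."""
import json

# Grype's severity scale, lowest to highest. A severity outside this list
# (e.g. "Unknown") is ranked above Critical so an unrated finding is never
# silently dropped by the cutoff.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in the assumed Grype JSON shape; ids are placeholders.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Low"},
         "artifact": {"name": "libfoo", "version": "1.0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
         "artifact": {"name": "libbar", "version": "2.3"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical"},
         "artifact": {"name": "libbaz", "version": "0.9"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Unknown"},
         "artifact": {"name": "libqux", "version": "4.1"}},
        {"vulnerability": {"id": "CVE-0000-0005", "severity": "Negligible"},
         "artifact": {"name": "libquux", "version": "1.2"}},
    ]
})


def severity_rank(severity):
    """Numeric rank on Grype's scale; unlisted severities rank highest."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return len(SEVERITY_ORDER)


def filter_matches(report_json, cutoff):
    """Return matches at or above `cutoff`, most severe first.

    Raises ValueError if `cutoff` is not a known severity, so a typo in a
    workflow input fails loudly instead of reporting nothing.
    """
    cutoff_rank = SEVERITY_ORDER.index(cutoff)
    report = json.loads(report_json)
    kept = [m for m in report.get("matches", [])
            if severity_rank(m["vulnerability"]["severity"]) >= cutoff_rank]
    return sorted(kept, key=lambda m: -severity_rank(m["vulnerability"]["severity"]))


def summarize(matches):
    """One line per match: severity, id, and the affected package@version."""
    return [f"{m['vulnerability']['severity']:<10} {m['vulnerability']['id']}  "
            f"{m['artifact']['name']}@{m['artifact']['version']}" for m in matches]
```

In a workflow this would run as a step after the scan, reading the report file instead of the embedded sample; the same cutoff that fails the build can then also trim what gets printed.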

kzantow commented 1 month ago

There is a corresponding change in Grype that is necessary: https://github.com/anchore/grype/issues/1892 (or https://github.com/anchore/grype/issues/197)

popey commented 2 weeks ago

There's an open discussion on discourse over here, if you'd like to help chart this. https://anchorecommunity.discourse.group/t/how-can-we-make-grypes-output-more-focused/57