docker / scout-action

Docker Scout GitHub Action
https://docker.com/products/docker-scout
91 stars 29 forks

`command: compare` with `sbom://` #43

Closed MPV closed 5 months ago

MPV commented 6 months ago

I'd like to be able to use the new `sbom://` syntax, but it seems it's not (yet) supported with the `command: compare` mode.

Steps to reproduce:

  1. Run a workflow with a step like this:
      - name: Generate SBOM for image
        id: sbom
        uses: anchore/sbom-action@719133684c7d294116626d1344fe64f0d2ff3e9e # v0.15.2
        with:
          image: ${{ env.IMAGE }}:${{ github.sha }}
          output-file: sbom.spdx.json

      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' && !cancelled() }}
        uses: docker/scout-action@c01629436921e4c567967cbfa14764f4b6113237 # v1.6.4
        with:
          command: compare
          image: sbom://sbom.spdx.json
          to: ${{ env.IMAGE }}:latest
          ignore-unchanged: true
          only-fixed: true
          write-comment: true

Expected results:

  1. Same kind of output as in my non-SBOM example below.

Actual results:

  1. The step fails with `Error: missing or wrong "image" input`

non-SBOM example (for comparison):

      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' && !cancelled() }}
        uses: docker/scout-action@c01629436921e4c567967cbfa14764f4b6113237 # v1.6.4
        with:
          command: compare
          image: ${{ env.IMAGE }}:${{ github.sha }}
          to: ${{ env.IMAGE }}:latest
          ignore-unchanged: true
          only-fixed: true
          write-comment: true

For reference, this should be supported upstream nowadays, as per:

And here's using it without the action:

$ syft alpine:latest -o syft-json > sbom.spdx.json
$ docker scout compare --to alpine:latest sbom://sbom.spdx.json
[...]
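One caveat worth checking before any of the above is handed to an `sbom://` input: the reproduction writes Syft's native JSON (`-o syft-json`) to a file named `sbom.spdx.json`, so the file name suggests SPDX while the content is Syft JSON. Whatever formats a given Scout version accepts, the consumer parses the document, not the extension. The following is an added example (not code from docker/scout-action, Docker Scout or syft, and not part of the issue report) that sniffs the top-level markers of a JSON SBOM and flags a name/content mismatch; the suffix convention in `SUFFIX_FORMATS` and the function names are this example's own assumptions, and the sample documents are constructed stubs, not real tool output.

```python
"""Check that an SBOM file really is the format its name suggests.

Added example for this thread, not code from docker/scout-action or syft.
The reproduction in the issue runs `syft ... -o syft-json > sbom.spdx.json`,
so the file carries an SPDX-looking name but Syft's native JSON inside.
This sniffs the document's own top-level markers and reports a mismatch
between name and content before the file is passed to an sbom:// input.
"""
import json
import os
import tempfile
from typing import Any, Dict, Optional

# File-name suffix conventions assumed by this example (no tool enforces them).
SUFFIX_FORMATS = {
    ".spdx.json": "spdx-json",
    ".syft.json": "syft-json",
    ".cdx.json": "cyclonedx-json",
}


def sniff_sbom_format(doc: Dict[str, Any]) -> str:
    """Classify a parsed JSON SBOM by its top-level markers."""
    # SPDX JSON: a spdxVersion string plus the document's own SPDXID.
    if isinstance(doc.get("spdxVersion"), str) and "SPDXID" in doc:
        return "spdx-json"
    # CycloneDX JSON declares itself in bomFormat.
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx-json"
    # Syft's native JSON: an artifacts list and a descriptor naming the tool.
    descriptor = doc.get("descriptor")
    if (isinstance(descriptor, dict) and descriptor.get("name") == "syft"
            and isinstance(doc.get("artifacts"), list)):
        return "syft-json"
    return "unknown"


def extension_mismatch(path: str, fmt: str) -> Optional[str]:
    """Return a warning when the file name implies a different format than fmt."""
    name = os.path.basename(path).lower()
    for suffix, implied in SUFFIX_FORMATS.items():
        if name.endswith(suffix):
            if implied != fmt:
                return f"{path}: name implies {implied} but content is {fmt}"
            return None
    return None  # a plain .json name implies nothing


def check_sbom_file(path: str) -> Dict[str, Optional[str]]:
    """Parse the file, sniff its format and report any name/content mismatch."""
    with open(path, "r", encoding="utf-8") as fh:
        doc = json.load(fh)
    if not isinstance(doc, dict):
        return {"format": "unknown", "warning": f"{path}: top-level JSON is not an object"}
    fmt = sniff_sbom_format(doc)
    return {"format": fmt, "warning": extension_mismatch(path, fmt)}


# Constructed minimal documents carrying only the markers the sniffer reads;
# they are not real syft, SPDX or CycloneDX output.
SAMPLE_SYFT = {"artifacts": [], "artifactRelationships": [],
               "descriptor": {"name": "syft", "version": "0.0.0"}}
SAMPLE_SPDX = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []}
SAMPLE_CDX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}


def demo() -> Dict[str, Optional[str]]:
    """Reproduce the naming in the issue: syft-json written to sbom.spdx.json."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sbom.spdx.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_SYFT, fh)
        return check_sbom_file(path)


if __name__ == "__main__":
    result = demo()
    print(result["format"], "-", result["warning"] or "name and content agree")
```

Run `check_sbom_file` against the real `sbom.spdx.json` from the workflow: if it reports `syft-json` with a warning, either rename the file to match or generate SPDX with `syft ... -o spdx-json` so that what the name promises is what Scout actually receives.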
eunomie commented 6 months ago

Thanks @MPV for raising the issue. I'll see about having it in a following release.

eunomie commented 5 months ago

@MPV The fix has been integrated in the new v1.10.0 release.

MPV commented 5 months ago

> @MPV The fix has been integrated in the new v1.10.0 release.

Thanks for your efforts. But to be honest I was looking to compare an image with an SBOM (as you see in my example).

Doing this (now with v1.10.0) instead gives: `Error: missing or wrong "image" input`

But I am able to do the equivalent using the Docker Scout CLI. I assume your intent is that they should be doing the same thing.