{"id":19368462,"url":"https://github.com/anchore/scan-action","last_synced_at":"2026-01-21T21:06:02.757Z","repository":{"id":37840776,"uuid":"212692077","full_name":"anchore/scan-action","owner":"anchore","description":"Anchore container analysis and scan provided as a GitHub Action","archived":false,"fork":false,"pushed_at":"2025-05-14T18:06:01.000Z","size":3419,"stargazers_count":242,"open_issues_count":21,"forks_count":81,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-05-14T19:22:48.255Z","etag":null,"topics":["actions","anchore-engine","github-actions","policy-evaluation","vulnerabilities","workflow"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anchore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-10-03T22:24:30.000Z","updated_at":"2025-05-14T18:04:11.000Z","dependencies_parsed_at":"2023-10-11T09:14:16.712Z","dependency_job_id":"fbae0e87-9e86-40e8-a54b-f5d961502ac3","html_url":"https://github.com/anchore/scan-action","commit_stats":{"total_commits":306,"total_committers":38,"mean_commits":8.052631578947368,"dds":0.7777777777777778,"last_synced_commit":"27d81abf10106812edf8e0fd4b4ba8662f08ac3f"},"previous_names":[],"tags_count":64,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fscan-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fscan-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fscan-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fscan-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anchore","download_url":"https://codeload.github.com/anchore/scan-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254310520,"owners_count":22049470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","anchore-engine","github-actions","policy-evaluation","vulnerabilities","workflow"],"created_at":"2024-11-10T08:06:29.842Z","updated_at":"2026-01-21T21:06:02.745Z","avatar_url":"https://github.com/anchore.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitHub Action for Vulnerability Scanning\n\n**:zap: _Find threats in files or containers at lightning speed_ :zap:**\n\n[![Test Status][test-img]][test]\n[![GitHub release](https://img.shields.io/github/release/anchore/scan-action.svg)](https://github.com/anchore/scan-action/releases/latest)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/anchore/scan-action/blob/main/LICENSE)\n[![Join our Discourse](https://img.shields.io/badge/Discourse-Join-blue?logo=discourse)](https://anchore.com/discourse)\n\n\nThis is a GitHub Action for invoking the [Grype](https://github.com/anchore/grype) scanner and returning the vulnerabilities found,\nand optionally failing the build if a vulnerability is found at or above a configurable severity level.\n\nUse this in your workflows to quickly verify files or containers' content after a build and before pushing, allowing PRs, or deploying updates.\n\nThe action invokes the `grype` command-line tool, with these benefits:\n\n- Runs locally, without sending data outbound - no credentials required!\n- Speedy scan operations\n- Scans both paths and container images\n- Easy failure evaluation depending on vulnerability severity\n\nThe example workflows have lots of usage examples for scanning both containers and directories.\n\nBy default, a scan will produce very detailed output on system packages like an RPM or DEB, but also language-based packages. These are some of the supported packages and libraries:\n\nSupported Linux Distributions:\n\n- Alpine\n- BusyBox\n- CentOS and RedHat\n- Debian and Debian-based distros like Ubuntu\n\nSupported packages and libraries:\n\n- Ruby Bundles\n- Python Wheel, Egg, `requirements.txt`\n- JavaScript NPM/Yarn\n- Java JAR/EAR/WAR, Jenkins plugins JPI/HPI\n- Go modules\n\n## Container scanning\n\nThe simplest workflow for scanning a `localbuild/testimage` container:\n\n```yaml\n- name: Set up Docker Buildx\n  uses: docker/setup-buildx-action@v2\n\n- name: build local container\n  uses: docker/build-push-action@v4\n  with:\n    tags: localbuild/testimage:latest\n    push: false\n    load: true\n\n- name: Scan image\n  uses: anchore/scan-action@v6\n  with:\n    image: \"localbuild/testimage:latest\"\n```\n\n## Directory scanning\n\nTo scan a directory, add the following step:\n\n```yaml\n- name: Scan current project\n  uses: anchore/scan-action@v6\n  with:\n    path: \".\"\n```\n\nThe `path` key allows any valid path for the current project. The root of the path (`\".\"` in this example) is the repository root.\n\n## Scanning an SBOM file\n\nUse the `sbom` key to scan an SBOM file:\n\n```yaml\n- name: Create SBOM\n  uses: anchore/sbom-action@v0\n  with:\n    format: spdx-json\n    output-file: \"${{ github.event.repository.name }}-sbom.spdx.json\"\n\n- name: Scan SBOM\n  uses: anchore/scan-action@v6\n  with:\n    sbom: \"${{ github.event.repository.name }}-sbom.spdx.json\"\n```\n\n## Failing a build on vulnerability severity\n\nBy default, if any vulnerability at `medium` or higher is seen, the build fails. To have the build step fail in cases where there are vulnerabilities with a severity level different than the default, set the `severity-cutoff` field to one of `low`, `high`, or `critical`:\n\nWith a different severity level:\n\n```yaml\n- name: Scan image\n  uses: anchore/scan-action@v6\n  with:\n    image: \"localbuild/testimage:latest\"\n    fail-build: true\n    severity-cutoff: critical\n```\n\nOptionally, change the `fail-build` field to `false` to avoid failing the build regardless of severity:\n\n```yaml\n- name: Scan image\n  uses: anchore/scan-action@v6\n  with:\n    image: \"localbuild/testimage:latest\"\n    fail-build: false\n```\n\n### Action Inputs\n\nThe inputs `image`, `path`, and `sbom` are mutually exclusive and specify the source to scan; all the other keys are optional. These are all the available keys to configure this action, along with the defaults:\n\n| Input Name | Description | Default Value |\n|---|---|---|\n| `image` | The image to scan | N/A |\n| `path` | The file path to scan | N/A |\n| `sbom` | The SBOM to scan | N/A |\n| `registry-username` | The registry username to use when authenticating to an external registry | |\n| `registry-password` | The registry password to use when authenticating to an external registry | |\n| `fail-build` | Fail the build if a vulnerability is found with a severity at or above the cutoff. That cutoff defaults to `medium` and can be set with `severity-cutoff`. | `true` |\n| `output-format` | Set the output parameter after successful action execution. Valid choices are `json`, `sarif`, `cyclonedx-xml`, `cyclonedx-json`, and `table`; where `table` output will also display in the logs. | `sarif` |\n| `output-file` | File to output the Grype scan results to. Defaults to a file in the system temp directory, available in the action outputs. | |\n| `severity-cutoff` | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are \"negligible\", \"low\", \"medium\", \"high\" and \"critical\". Any vulnerability with a severity less than this value will lead to a \"warning\" result. Default is \"medium\". | `medium` |\n| `only-fixed` | Specify whether to only report vulnerabilities that have a fix available. | `false` |\n| `add-cpes-if-none` | Specify whether to autogenerate missing CPEs. | `false` |\n| `by-cve` | Specify whether to orient results by CVE rather than GHSA. | `false` |\n| `vex` | Specify a list of VEX documents to consider when producing scanning results. | `false` |\n| `cache-db` | Cache the Grype DB in GitHub action cache and restore before checking for updates. | `false` |\n| `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). | |\n\n### Action Outputs\n\n| Output Name | Description | Type |\n|---|---|---|\n| `sarif` | Path to the SARIF report file, if `output-format` is `sarif` | string |\n| `json` | Path to the JSON report file, if `output-format` is `json` | string |\n| `cyclonedx-xml` | Path to the CycloneDX XML report file, if `output-format` is `cyclonedx-xml` | string |\n| `cyclonedx-json` | Path to the CycloneDX JSON report file, if `output-format` is `cyclonedx-json` | string |\n\n### Example Workflows\n\nAssuming your repository has a Dockerfile in the root directory:\n\n```yaml\nname: Container Image CI\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n      - name: Build the container image\n        run: docker build . --file Dockerfile --tag localbuild/testimage:latest\n      - uses: anchore/scan-action@v6\n        with:\n          image: \"localbuild/testimage:latest\"\n          fail-build: true\n```\n\nSame example as above, but with SARIF output format - as is the default, the action will generate a SARIF report, which can be uploaded and then displayed as a Code Scanning Report in the GitHub UI.\n\n\u003e :bulb: Code Scanning is a GitHub service that is currently in Beta. [Follow the instructions on how to enable this service for your project](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository).\n\n```yaml\nname: Container Image CI\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    # Permissions key is required for CodeQL SARIF Upload, per the docs:\n    # https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n      - name: Build the Container image\n        run: docker build . --file Dockerfile --tag localbuild/testimage:latest\n      - uses: anchore/scan-action@v6\n        id: scan\n        with:\n          image: \"localbuild/testimage:latest\"\n      - name: upload Anchore scan SARIF report\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: ${{ steps.scan.outputs.sarif }}\n```\n\nOptionally, you can add a step to inspect the SARIF report produced:\n\n```yaml\n- name: Inspect action SARIF report\n  run: cat ${{ steps.scan.outputs.sarif }}\n```\n\n## Additional configuration\n\nYou may add a `.grype.yaml` file at your repository root\nfor more [Grype configuration](https://github.com/anchore/grype#configuration)\nsuch as [ignoring certain matches](https://github.com/anchore/grype#specifying-matches-to-ignore).\n\n## anchore/scan-action/download-grype\n\nA sub-action to [download Grype](download-grype/action.yml) and optionally cache the Grype DB.\n\nInput parameters:\n\n| Parameter | Description | Default |\n|---|---|---|\n| `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). | |\n| `cache-db` | Cache the Grype DB in GitHub action cache and restore before checking for updates. | `false` |\n\nOutput parameters:\n\n| Parameter | Description |\n|---|---|\n| `cmd` | A reference to the [Grype](https://github.com/anchore/grype) binary. |\n\n`cmd` can be referenced in a workflow like other output parameters:\n`${{ steps.\u003cstep-id\u003e.outputs.cmd }}`\n\nExample usage:\n\n```yaml\n- uses: anchore/scan-action/download-grype@v3\n  id: grype\n- run: ${{steps.grype.outputs.cmd}} dir:.\n```\n\n## Contributing\n\nWe love contributions, feedback, and bug reports. For issues with the invocation of this action, file [issues](https://github.com/anchore/scan-action/issues) in this repository.\n\nFor contributing, see [Contributing](CONTRIBUTING.md).\n\n## More Information\n\nFor documentation on Grype itself, including other output capabilities, see the [grype project](https://github.com/anchore/grype).\n\nConnect with the community directly on [Discourse](https://anchore.com/discourse).\n\n[test]: https://github.com/anchore/scan-action\n[test-img]: https://github.com/anchore/scan-action/workflows/Tests/badge.svg\n\n## Diagnostics\n\nThis action makes extensive use of GitHub Action debug logging,\nwhich can be enabled as [described here](https://github.com/actions/toolkit/blob/master/docs/action-debugging.md)\nby setting a secret in your repository of `ACTIONS_STEP_DEBUG` to `true`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fscan-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanchore%2Fscan-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fscan-action/lists"}