{"id":50779477,"url":"https://github.com/rad-security/image-scan-action","last_synced_at":"2026-06-12T02:03:36.238Z","repository":{"id":360202293,"uuid":"1011272694","full_name":"rad-security/image-scan-action","owner":"rad-security","description":"A repo containing the RAD Image Scan GitHub Action","archived":false,"fork":false,"pushed_at":"2026-05-25T11:45:58.000Z","size":16,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-25T13:31:11.916Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rad-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-30T15:02:29.000Z","updated_at":"2025-06-30T16:19:29.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rad-security/image-scan-action","commit_stats":null,"previous_names":["rad-security/image-scan-action"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/rad-security/image-scan-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rad-security%2Fimage-scan-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rad-security%2Fimage-scan-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rad-security%2Fimage-scan-action/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rad-security%2Fimage-scan-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rad-security","download_url":"https://codeload.github.com/rad-security/image-scan-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rad-security%2Fimage-scan-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34225358,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-12T02:03:35.767Z","updated_at":"2026-06-12T02:03:36.232Z","avatar_url":"https://github.com/rad-security.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RAD Image Scan Action\n\n![GitHub release (latest by date)](https://img.shields.io/github/v/release/rad-security/image-scan-action)\n\nScans container images for vulnerabilities using [Grype](https://github.com/anchore/grype). 
When configured with [RAD Security](https://rad.security) credentials, the report is enriched with data about the same image as it is *currently deployed* in your fleet — vulnerability count deltas vs deployed instances, regression detection, and distro EOL warnings.\n\nThis action wraps [`rad-image-scanner`](https://github.com/rad-security/image-scanner).\n\n## Plain (Grype-only) usage\n\n```yaml\n- name: Build local image\n  uses: docker/build-push-action@v6\n  with:\n    tags: localbuild/testimage:latest\n    push: false\n    load: true\n\n- name: Scan image\n  uses: rad-security/image-scan-action@v1\n  with:\n    image: localbuild/testimage:latest\n    fail_on_severity: medium\n    ignore_cves: |\n      CVE-2021-1234\n      CVE-2021-5678\n```\n\n## RAD-enriched usage\n\nAdd your RAD access key and account IDs. Credentials must be passed via `env:` (not `with:`) so they are not echoed to workflow logs. The scan step needs an `id:` (here `scan`) so that later steps can read its outputs via `steps.scan.outputs.*`.\n\n```yaml\n- name: Scan image with RAD enrichment\n  id: scan\n  uses: rad-security/image-scan-action@v1\n  env:\n    RAD_ACCESS_KEY_ID: ${{ secrets.RAD_ACCESS_KEY_ID }}\n    RAD_SECRET_KEY:    ${{ secrets.RAD_SECRET_KEY }}\n  with:\n    image: ghcr.io/example/svc:v1.2.3\n    format: sarif\n    rad_account_ids: acct_1,acct_2\n    rad_fail_on_regression: critical\n    rad_fail_on_eol: \"true\"\n\n- name: Upload SARIF\n  if: success() || failure()\n  uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: ${{ steps.scan.outputs.sarif }}\n\n- name: Upload RAD report\n  if: success() || failure()\n  uses: actions/upload-artifact@v4\n  with:\n    name: rad-report\n    path: ${{ steps.scan.outputs.rad_report }}\n```\n\nWhen `format: sarif`, the RAD enrichment is injected into the SARIF document under `runs[].properties.rad` (toggle with `rad_annotate_sarif: false`).\n\n## Inputs\n\n| Input | Description |\n|---|---|\n| `image` | Image to scan. Required unless `sbom` is set. |\n| `sbom` | Path to a Syft JSON SBOM. Used instead of `image`. 
|\n| `format` | `table` (default) \\| `json` \\| `sarif` \\| `cyclonedx`. |\n| `fail_on_severity` | Grype gate: `negligible` \\| `low` \\| `medium` \\| `high` \\| `critical`. |\n| `ignore_cves` | Multiline list of CVE IDs to ignore. |\n| `rad_account_ids` | Comma-separated account IDs. Triggers RAD enrichment when set. |\n| `rad_fail_on_regression` | `critical` \\| `high` \\| `medium` \\| `low` \\| `any`. Fails the workflow if the new scan adds vulnerabilities at this severity or higher vs any deployed instance. |\n| `rad_fail_on_eol` | Set to `true` to fail the workflow if the scanned image is built on an end-of-life distro. |\n| `rad_api_url` | Override the RAD API base URL (default `https://api.rad.security`). |\n| `rad_report` | Path for the RAD enrichment JSON (default `rad-report.json`). |\n| `rad_annotate_sarif` | When `format: sarif`, inject the RAD report into the SARIF document. Default `true`. |\n\n## Outputs\n\n| Output | When set | Description |\n|---|---|---|\n| `sarif` | `format: sarif` | Path to the SARIF report. |\n| `rad_report` | `rad_account_ids` set | Path to the RAD enrichment JSON. |\n\n## Credentials\n\n`RAD_ACCESS_KEY_ID` and `RAD_SECRET_KEY` must be supplied via the workflow's `env:` block (typically from `secrets`). They are intentionally not exposed as Action inputs.\n\n## Breaking changes from v0.x\n\n- New action major version. v0.x flags `fail_on_severity`, `ignore_cves`, `image`, `format` are preserved; everything else is new.\n- Output format `table` now uses grype's native table format, not the legacy template.\n\n## License\n\nApache-2.0. Grype is © Anchore, Inc., distributed under Apache-2.0.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frad-security%2Fimage-scan-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frad-security%2Fimage-scan-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frad-security%2Fimage-scan-action/lists"}