GitHub Action failing with SARIF upload

I am using the anchore/scan-action@v3 action to output a SARIF report but when it comes to uploading the report in the github/codeql-action/upload-sarif@v3 step, I get an error:

Error: Invalid SARIF. JSON syntax error: Unexpected end of JSON input

It seems like anchore/scan-action@v3 might be producing a bad SARIF file?

  grype:
    permissions:
      actions: read
      contents: read
      security-events: write

    runs-on: ubuntu-22.04
    needs: [syft]
    if: needs.syft.result == 'success'

    steps:
      - name: Download SBOM
        uses: actions/download-artifact@v4
        with:
          name: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          path: /tmp

      - name: Scan SBOM
        uses: anchore/scan-action@v3
        id: scan
        with:
          sbom: poke-cli-sbom-${{ env.VERSION_NUMBER }}.spdx.json
          fail-build: false
          output-format: sarif
          severity-cutoff: critical

      - name: Upload SARIF Report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

Hi @digitalghost-dev! Thanks for the report. anchore/scan-action@v3 is a few versions behind at this point - we actually released v5 recently. Are you able to upgrade? Releases · anchore/scan-action · GitHub

If there are changes that prevent you from upgrading, or if this still happens on the latest release, please let us know!

Also, we are in the process of releasing a minor version of v5 right now, so if you upgrade later today or tomorrow you’ll get a newer syft, grype, and scan-action than if you do it right this second.

We just released 5.0.1: Release v5.0.1 · anchore/scan-action · GitHub

Ohh I didn’t pay attention to the releases. I was just looking at the examples in the README.md and it still says v3.

I updated the step to v5 and it’s still showing the same error. Here is a screenshot of the steps:

Thanks @digitalghost-dev for re-testing with the recent release and getting back to us so quickly!

We will investigate and see what we can find out. (cc @kzantow since he knows scan-action a lot better than I do.)

Hey @digitalghost-dev, since the action logs are public, I took a look and it looks like the SBOM file isn’t found: Docker Image CI · digitalghost-dev/poke-cli@fc3dc5c · GitHub

I’d suggest getting an absolute path to the SBOM and using that in the Grype scan step, if possible. I believe, when you restore artifacts there they are output to a directory matching the name of the artifact, not in the working dir.

Also, it sure looks like Grype should be failing in this case, but I assume it isn’t failing because the fail-build: false is set and the action is only checking the exit code and failing when fail-build: true is set, and it is not validating that an appropriate output was even created. I’ve added an issue to scan-action to fail the build appropriately when configuration is incorrect / output does not succeed: Action continues on non-vulnerability failures · Issue #390 · anchore/scan-action · GitHub
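A pre-upload guard for the two failure modes described in this reply (SBOM path not found, and a scan step that exits 0 under fail-build: false without writing usable output), added here as an example rather than code from the thread or from anchore/scan-action. It assumes Python 3 is available on the runner and that the scan step's sarif output path is passed as the first argument; the sample SARIF and empty file in demo() are constructed.

```python
import json
import os
import sys
import tempfile

REQUIRED_KEYS = ("version", "runs")


def validate_sarif(path):
    """Return (ok, reason). ok is True only when path names a non-empty,
    syntactically valid JSON object carrying the SARIF top-level keys."""
    if not path:
        return False, "empty path: the scan step exposed no 'sarif' output"
    if not os.path.isfile(path):
        return False, f"file not found: {path}"
    if os.path.getsize(path) == 0:
        return False, f"file is empty: {path}"
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg} at offset {exc.pos}"
    if not isinstance(doc, dict):
        return False, "top-level JSON value is not an object"
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        return False, f"missing SARIF keys: {missing}"
    if not isinstance(doc["runs"], list) or not doc["runs"]:
        return False, "'runs' is not a non-empty list"
    return True, f"ok: {len(doc['runs'])} run(s), SARIF {doc['version']}"


def demo():
    """Constructed inputs: a minimal SARIF document and an empty file (what a
    scan that never ran leaves behind). Returns both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "results.sarif")
        with open(good, "w", encoding="utf-8") as fh:
            json.dump({"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": "grype"}},
                                 "results": []}]}, fh)
        empty = os.path.join(tmp, "empty.sarif")
        open(empty, "w", encoding="utf-8").close()
        return validate_sarif(good)[0], validate_sarif(empty)[0]


if __name__ == "__main__":
    ok, reason = validate_sarif(sys.argv[1] if len(sys.argv) > 1 else "")
    print(reason)
    sys.exit(0 if ok else 1)
```

Run it as a step between the scan and the upload (python3 check_sarif.py "${{ steps.scan.outputs.sarif }}"); a non-zero exit stops the job with the real reason instead of the generic JSON error from upload-sarif.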

Dang, did not see that error that the file could not be found. I added an absolute path to it and it’s working :grinning:

Thanks for helping see what I couldn’t and thanks for the issue submission! @kzantow

It was not at all obvious, since the previous step passed! We should definitely get that fixed up!