Seeing a real weird issue with github actions for scan-action

This could be me being entirely new to github actions, however consider the following action:

  grype:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Scan image
        uses: anchore/scan-action@v4.1.2
        id: grypescan
        with:
          registry-username: ${{ vars.DOCKERHUB_USERNAME }}
          registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
          image: ${{ env.IMAGE_NAME }}
          fail-build: false
      - name: upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.grypescan.outputs.sarif }}

This action runs, however it does not appear to respect the fact that I have set fail-build to false. It doesn’t seem to respect anything. I feel like I’m doing something way wrong. Here’s the output:

Warning: Unexpected input(s) 'registry-username', 'registry-password', valid inputs are ['image', 'path', 'sbom', 'fail-build', 'output-format', 'severity-cutoff', 'only-fixed', 'add-cpes-if-none', 'by-cve', 'grype-version', 'vex']
Run anchore/scan-action@v4.1.2
  with:
    registry-username: modusmundi
    registry-password: ***
    image: modusmundi/testingscap:latest
    fail-build: false
    output-format: sarif
    severity-cutoff: medium
    only-fixed: false
    add-cpes-if-none: false
    by-cve: false
  env:
    REGISTRY: docker.io
    IMAGE_NAME: modusmundi/testingscap:latest
/usr/bin/sh /home/runner/work/_temp/30bc3b5b-920a-4713-8c7c-7286ced65a11 -d -b /home/runner/work/_temp/30bc3b5b-920a-4713-8c7c-7286ced65a11_grype v0.80.0
[info] checking github for release tag='v0.80.0' 
[debug] http_download(url=https://github.com/anchore/grype/releases/v0.80.0) 
[info] fetching release script for tag='v0.80.0' 
[debug] http_download(url=https://raw.githubusercontent.com/anchore/grype/v0.80.0/install.sh) 
[info] checking github for release tag='v0.80.0' 
[debug] http_download(url=https://github.com/anchore/grype/releases/v0.80.0) 
[info] using release tag='v0.80.0' version='0.80.0' os='linux' arch='amd64' 
[debug] downloading files into /tmp/tmp.8dFny5tNmB 
[debug] http_download(url=https://github.com/anchore/grype/releases/download/v0.80.0/grype_0.80.0_checksums.txt) 
[debug] http_download(url=https://github.com/anchore/grype/releases/download/v0.80.0/grype_0.80.0_linux_amd64.tar.gz) 
[info] installed /home/runner/work/_temp/30bc3b5b-920a-4713-8c7c-7286ced65a11_grype/grype 
grype output...
  Executing: grype -o sarif --fail-on medium modusmundi/testingscap:latest
  discovered vulnerabilities at or above the severity threshold

What I’m trying to achieve here is to get a current enumeration of issues in the build, not stop the build outright. I might want to do that in the future, but for now this is a POC and me trying to learn how these items work. Right now it honestly feels like it would be less frustrating to just download grype into a runner, execute grype with the options I want, and get the output that way.

Some help understanding what is going on here would be tremendous. Thanks in advance.

Thanks @RDeaton for the report!

It’s not you. I set this up locally to check our latest release and there seems to be an issue in the action with the two options of severity-cutoff and fail-build not respecting each other. I do not think there should be a default for severity-cutoff which is what’s passing --fail-on medium to the program.

If fail-build is false then it shouldn’t matter what is passed to severity-cutoff, but the program is not behaving in this way.

The registry-username and registry-password are correctly working, but need to be added as expected inputs in the next release. The warning is a red herring here.

A second bug was also discovered here with the SARIF output since I tested an image without a medium severity to fail on.

Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
  Error: Resource not accessible by integration

If there isn’t a relevant GitHub issue for this would you file one?

I can take a look again when I have some extra cycles and get a new build released that should work in the way you’re describing - apologies for the bugs here.
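One way to get the behaviour described in the reply above (pass --fail-on only when fail-build is true, so a false fail-build still produces the SARIF and leaves the job green), as an added shell example that is not part of scan-action or this thread; the function names are hypothetical and the `-o sarif ... --fail-on <cutoff> <image>` ordering follows the command shown in the log:

```shell
#!/usr/bin/env sh
# Added example, not scan-action code. Emulates the intended interaction of
# fail-build and severity-cutoff: the cutoff is only turned into a grype
# --fail-on flag when fail-build is true.

# build_grype_args FAIL_BUILD SEVERITY_CUTOFF IMAGE
# Prints the argument list grype should receive.
build_grype_args() {
  fail_build="$1"; cutoff="$2"; image="$3"
  args="-o sarif"
  # Only let findings drive a non-zero exit when fail-build is true.
  if [ "$fail_build" = "true" ] && [ -n "$cutoff" ]; then
    args="$args --fail-on $cutoff"
  fi
  printf '%s %s\n' "$args" "$image"
}

# run_scan FAIL_BUILD SEVERITY_CUTOFF IMAGE OUTFILE
# Runs grype with those arguments, writes the SARIF report to OUTFILE and
# returns grype's exit status. Without --fail-on grype exits 0 even when it
# finds vulnerabilities, so the report is still written and the job continues.
run_scan() {
  out="$4"
  # shellcheck disable=SC2046  # word-splitting of the argument list is intended
  grype $(build_grype_args "$1" "$2" "$3") > "$out"
}

# Usage in a runner (assumes grype is on PATH):
#   run_scan false medium modusmundi/testingscap:latest results.sarif
```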

I’ll get this done today, thanks a ton for validating that I’m not going batty. I’ve got plenty of other things to mess with for this build-out so I can come back to this, or at least I can do something in actions around just getting hold of the latest grype binary and running it that way.
