Merge branch 'main' into dependabot/github_actions/security-actions/s…

…can-docker-image/anchore/scan-action-4.1.2
Kong · Sep 6, 2024 · 6911297 · 6911297
2 parents d013734 + 88bf74b
commit 6911297
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 15 deletions.
diff --git a/code-check-actions/lua-lint/action.yml b/code-check-actions/lua-lint/action.yml
@@ -14,6 +14,10 @@ inputs:
     description: 'Action itself will fail if linting fails'
     required: false
     default: false
+  print_results:
+    description: 'Print Luacheck results'
+    required: false
+    default: 'false'
 
 runs:
   using: composite
@@ -34,10 +38,11 @@ runs:
           luacheck_${{github.sha}}.xml
         if-no-files-found: warn
 
-#     - name: Print Luacheck results
-#       shell: bash
-#       run: |
-#         cat luacheck_${{github.sha}}.xml
+    - name: Print Luacheck results
+      shell: bash
+      run: |
+        cat luacheck_${{github.sha}}.xml
+      if: inputs.print_results != 'false'
 
     # when using the regular GITHUB_TOKEN, the check-run created by this step will be assigned to a
     # random workflow in the GH UI. to prevent this, we can force the check-run to be created in a separate

diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml
@@ -47,7 +47,7 @@ inputs:
     - 'false'
   skip_grype_db_cache:
     required: false
-    default: false
+    default: true
     description: 'Skip the caching of the Grype DB during the SBOM (Software Bill of Materials) scanning process'
     type: choice
     options:
@@ -90,7 +90,7 @@ runs:
 
     # Must upload artifact for output file parameter to have effect
     - name: Generate SPDX SBOM Using Syft
-      uses: anchore/sbom-action@v0.17.1
+      uses: anchore/sbom-action@v0.17.2
       id: sbom_spdx
       with:
         config: ${{ inputs.config }}
@@ -105,7 +105,7 @@ runs:
         github-token: ${{ inputs.github-token }}
 
     - name: Generate CycloneDX SBOM Using Syft
-      uses: anchore/sbom-action@v0.17.1
+      uses: anchore/sbom-action@v0.17.2
       id: sbom_cyclonedx
       with:
         config: ${{ inputs.config }}
@@ -127,7 +127,7 @@ runs:
         fail: true
 
     - name: Download Grype
-      uses: anchore/scan-action/download-grype@v4.1.1
+      uses: anchore/scan-action/download-grype@v4.1.2
 
     # Skip Cache Restoration: If skip_grype_db_cache is true, skip the restoration of the cache.
     # Check for any existing cache to reuse
@@ -203,7 +203,7 @@ runs:
 
     # Don't fail during report generation
     - name: Vulnerability analysis of SBOM
-      uses: anchore/scan-action@v4.1.1
+      uses: anchore/scan-action@v4.1.2
       id: grype_analysis_sarif
       if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} # Run only if DB is available on the runner }}
       with:
@@ -216,7 +216,7 @@ runs:
     # Don't fail during report generation
     # JSON format will report  any ignored rules
     - name: Vulnerability analysis of SBOM
-      uses: anchore/scan-action@v4.1.1
+      uses: anchore/scan-action@v4.1.2
       id: grype_analysis_json
       if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} # Run only if DB is available on the runner}}
       with:
@@ -268,7 +268,7 @@ runs:
     # Notify grype quick scan results in table format
     # Table format will supress any specified ignore rules
     - name: Inspect Vulnerability analysis of SBOM
-      uses: anchore/scan-action@v4.1.1
+      uses: anchore/scan-action@v4.1.2
       if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }}
       with:
         sbom: ${{ steps.meta.outputs.sbom_spdx_file }}

diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml
@@ -53,7 +53,7 @@ inputs:
     - 'false'
   skip_grype_db_cache:
     required: false
-    default: false
+    default: true
     description: 'Skip grype db caching'
     type: choice
     options:
@@ -219,7 +219,7 @@ runs:
         add-cpes-if-none: true
         severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }}
       env:
-        GRYPE_DB_AUTO_UPDATE: false 
+        GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above
 
     # Don't fail during report generation
     # JSON format will report  any ignored rules
@@ -234,7 +234,7 @@ runs:
         add-cpes-if-none: true
         severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }}
       env:
-        GRYPE_DB_AUTO_UPDATE: false # Use grype db cache from grype step above
+        GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above
 
     - name: Check vulnerability analysis report existence
       if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} # Run only if DB is available on the runner
@@ -285,7 +285,7 @@ runs:
         add-cpes-if-none: true
         severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }}
       env:
-        GRYPE_DB_AUTO_UPDATE: false # Use grype db cache from grype step above
+        GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above
 
     - name: Check docker OCI tar existence
       if: ${{ steps.meta.outputs.scan_image != '' }}