Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v8](gha): Bump anchore/scan-action from 5 to 6 in the dependencies group #3335

Merged

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 16, 2024

Bumps the dependencies group with 1 update: anchore/scan-action.

Updates anchore/scan-action from 5 to 6

Release notes

Sourced from anchore/scan-action's releases.

v6.0.0

New in scan-action v6.0.0

Major Change Note

  • feat: add output-file option, default to random directory output in temp (#346) [kzantow]

Check the above PR for details on how migrating might affect current configurations and usages

Other Changes

v5.3.0

New in scan-action v5.3.0

v5.2.1

New in scan-action v5.2.1

v5.2.0

New in scan-action v5.2.0

v5.1.0

New in scan-action v5.1.0

v5.0.1

New in scan-action v5.0.1

Changelog

Sourced from anchore/scan-action's changelog.

Release Notes

Version 2.0.2 - 2020-11-11

Version 2.0.1 - 2020-02-11

Fixes:

  • Removes unnecessary constraint in deduplication for SARIF reporting
  • Allows defining and referencing the location of the SARIF report file
  • Fixes multiple instances where undefined items in the reporting would break scanning

Version 2.0.0 - 2020-30-09

2.0.0 is a new major version of scan action based on the new Grype tool from Anchore. It is much faster for scanning compared to v1.x of the action and adds some new capabilities, including directory scanning as well as container image scanning, and also has more metadata about the vulnerability matches than previous versions for more transparency on the matching process.

Improvements and Changes:

  • Significantly faster performance for scans
  • New vulnerabilities output format is the JSON output from Grype directly
  • Adds support for scanning directories as well as Docker containers, so you can do the same checks pre-and post-build of the container.
  • Supports Automatic Code Scanning/SARIF for exposing results via your repository's Security tab.
  • Updated the default branch from master to main

NOTE: This is a breaking change from v1.x, as indicated by the major version change. We strongly recommend using a @​v2 or specific version instead of @​main

Breaking Changes for v2:

  • Inputs:
    • Changed image-reference to image (required)
    • dockerfile-path is no longer supported and not necessary for the vulnerability scans
    • custom-policy-path is no longer supported
    • include-app-packages is no longer necessary or supported. Application packages are on by default and will receive vulnerability matches.
  • Outputs:
    • billofmaterials is no longer output. V2 is focused on vulnerability scanning and another action may be introduced for BoM support with its own options/config.
    • policycheck is no longer output
Commits
  • abae793 chore(deps): update Grype to v0.86.1 (#416)
  • f02232c chore: exclude dev-deps from release drafter (#415)
  • 763018a feat: add support for cyclonedx and cyclonedx-json output-formats (#396)
  • e374579 chore(deps-dev): bump lint-staged from 15.2.10 to 15.2.11 (#414)
  • e90bc67 chore(deps): bump @​actions/cache from 3.3.0 to 4.0.0 (#412)
  • 028cd8f feat: add output-file option, default to random directory output in temp (#346)
  • 6e00665 chore(deps): update Grype to v0.86.0 (#413)
  • 15fee38 chore(deps-dev): bump eslint from 9.15.0 to 9.16.0 (#410)
  • c4c24ec chore(deps-dev): bump prettier from 3.3.3 to 3.4.2 (#411)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 1 update: [anchore/scan-action](https://github.com/anchore/scan-action).


Updates `anchore/scan-action` from 5 to 6
- [Release notes](https://github.com/anchore/scan-action/releases)
- [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md)
- [Commits](anchore/scan-action@v5...v6)

---
updated-dependencies:
- dependency-name: anchore/scan-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 16, 2024
Copy link
Contributor

@joaopapereira joaopapereira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@joaopapereira joaopapereira merged commit 6ddf111 into v8 Dec 18, 2024
18 of 19 checks passed
@joaopapereira joaopapereira deleted the dependabot/github_actions/v8/dependencies-18d8a107a2 branch December 18, 2024 15:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant