-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG - fail-build behavior takes on severity-cutoff unintentionally #378
Comments
@spiffcs Hey there, is there any plan to fix this in the near future? I'm getting back to this part of my set of actions and I'm looking to understand if I should just be building out my own workflow to run grype to meet my needs this point. It's totally valid if this is low priority for you all, just trying to figure out my path forward. |
Hi @RLI-Rdeaton I just had a quick look here and I am not able to reproduce, so I feel like I must be missing something. Would you mind taking a look and seeing what's different in the way I'm using the action? Here's what I did to test:
When I pass Can you help me understand what I'm missing? @spiffcs what testing did you do that I might have missed? If it turns out I'm using the action differently than you all were, I'll update my workflow and try to get a public run that reproduces the bug to link here. Thanks! |
I realized in your sample you were on an older version than I am, so I rolled back to check that:
So I still don't understand what I'm missing. |
To answer your question directly @RLI-Rdeaton I'm happy to fix this fairly promptly if I can reproduce it and understand it 😄 |
@willmurphyscode I set up the action locally on a local private/personal repository
|
Just commenting back here I do still see this issue, but don't have the bandwidth at the moment to try and dig in and fix:
Here is my config which was originally configured to check the
|
So looking at this again I think the crux of my issue was 'fail-build: false' still triggers warnings because 'severity-cutoff: medium' is set, and there's no way to disable severity-cutoff. I ended up just writing something to pull down grype and scan for me so this is moot at this point, but I found the behavior confusing for my use case. If that's just the way the action is expected to work, that's fine, and I guess it's on me. This can be closed if the behavior for severity-cutoff won't change. |
@RLI-Rdeaton I agree that this is confusing behavior. I think we should really have 2 different inputs:
I think what's really going on here is that you expected ( quite reasonably! ) that passing We have some discussion over on discourse about making Grype's output less noisy with regard to severity cutoffs and the like. I'll keep this issue open to track cleaning up the logging behavior at least, so Grype doesn't log like it's failing the build. Maybe something like |
Also having a mechanism to disable the severity cutoff (As none exists, looking in the code real quick) would be good too. E.G.: If fail-on-severity isn't set, or is set to "none", don't fail and just report. This isn't pressing anymore, but that way someone who may just be running grype for visibility instead of a gate isn't hit with warnings unnecessarily. |
Developer notes: this issue now tracks two changes to
|
Consider the following action:
This action runs, however it does not appear to respect the fact that I have set fail-build to false. Per discussion with @spiffcs this appears to be a few different bugs (https://anchorecommunity.discourse.group/t/seeing-a-real-weird-issue-with-github-actions-for-scan-action/156/2). Here's the output:
I'm reporting it so it does not get lost- what I would expect here is to be able to not fail a build and get a full outlay of current vulns in the build.
The text was updated successfully, but these errors were encountered: