Release v2.0.0

New major version of scan action based on new Grype tool from Anchore that is much faster for scanning compared to v1.x and adds some new capabilities and more metadata about the matches.

• Significantly faster performance for scans
• New vulnerabilities output format is the JSON output from Grype directly
• Adds support for scanning directories as well as Docker containers, so you can do the same checks pre-and post-build of the container.
• Supports Automatic Code Scanning/SARIF for exposing results via your repository's Security tab.

This is a breaking change from v1.x, as indicated by the major version revision:

1. Use image input parameter Instead of image-reference
2. dockerfile-path is no longer supported and not necessary for the vulnerability scans
3. custom-policy-path is no longer supported
4. include-app-packages is no longer necessary or supported. Application packages are on by default and will receive vulnerability matches.
5. Outputs:
   1. billofmaterials is no longer output. V2 is focused on vulnerability scanning and another action may be introduced for BoM support with its own options/config.
   2. policycheck is no longer output

Release v1.0.9

Update to Anchore Engine 0.8.1

Release v1.0.8

Update to Anchore Engine 0.8.0

Release v1.0.7

Update to Anchore Engine 0.7.3

Release v1.0.6

Adds optional support for integration with GitHub code scanning.

v1.0.5 Release

Update Anchore Engine to v0.7.2

v1.0.4 Release

Update v0.7.1 (#28)

* update dependencies
* update to engine v0.7.1

Signed-off-by: Brady Todhunter <bradyt@anchore.com>

v1.0.3 Release

check if failBuild is set specifically to true, not just a value (#24)

Signed-off-by: Brady Todhunter <bradyt@anchore.com>

v1.0.2 Release

Update to v0.6.1 of anchore-engine

v1.0.1 Release

Bumps version of anchore used to v0.6.0 as well as adding an input parameter to enable overriding the Anchore inline scan version. Other updates are internal optimizations, test improvements, and code cleanup.