Can't see findings in console?
Currently the only ways to view findings seem to be:
- Enable GitHub Advanced Security + SARIF (need to pay for private repos)
- Cat the JSON (with ALL vulns; unusable)
Would it be possible to view the table output? With severity threshold?
@nick-doyle-slalom this is definitely something that we could do. I didn't know the detail about SARIF and private repos; I can definitely see the motivation for this!
To clarify: in the case you are using the table output, it would probably make the most sense to just print it to the console rather than providing a file where you would have to add a second step to cat it, would you agree?
A quick follow-up @nick-doyle-slalom - I was experimenting with pulling this information out of the SARIF and there's a workaround that might give you enough information until this gets implemented. Add a step to cat the SARIF into jq, like this:

```yaml
- run: cat ${{ steps.scan-build-sbom.outputs.sarif }} | jq -r '.runs[0].tool.driver.rules[].shortDescription.text'
```
You'll get a list of CVEs, severities, and packages something like this:
```
CVE-2022-0686 critical vulnerability for url-parse package
CVE-2022-0691 critical vulnerability for url-parse package
GHSA-8v38-pw62-9cw2 medium vulnerability for url-parse package
GHSA-hgjh-723h-mx2j critical vulnerability for url-parse package
```
This clearly isn't as good as having the table output, but might be at least a temporary workaround for you. Hope that helps!
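As an added example (not part of the thread or the scan-action project), the same `.runs[0].tool.driver.rules[].shortDescription.text` path read with Python instead of jq, with a severity threshold and a table print-out like the one requested above. It assumes the description text follows the `<id> <severity> vulnerability for <package> package` wording shown in the jq output; the embedded SARIF fragment is constructed and includes one placeholder low-severity entry and one malformed entry to exercise the filter.

```python
"""Severity-filtered findings table from the SARIF produced by the scan (added example)."""
import json
import re
import sys
from typing import List, Tuple

# Severity ordering assumed for the threshold comparison.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumes shortDescription.text follows the format shown in the thread, e.g.
# "CVE-2022-0686 critical vulnerability for url-parse package".
RULE_RE = re.compile(r"^(?P<id>\S+) (?P<sev>\w+) vulnerability for (?P<pkg>.+) package$")

# Constructed SARIF fragment containing only the fields the jq path above reads;
# the third entry uses a placeholder ID to exercise the threshold filter.
SAMPLE_SARIF = json.dumps({"runs": [{"tool": {"driver": {"rules": [
    {"shortDescription": {"text": "CVE-2022-0686 critical vulnerability for url-parse package"}},
    {"shortDescription": {"text": "GHSA-8v38-pw62-9cw2 medium vulnerability for url-parse package"}},
    {"shortDescription": {"text": "EXAMPLE-LOW-0001 low vulnerability for example-pkg package"}},
    {"shortDescription": {"text": "malformed entry without the expected wording"}},
]}}}]})


def findings(sarif_text: str, threshold: str = "medium") -> List[Tuple[str, str, str]]:
    """Return (id, severity, package) tuples at or above `threshold`, highest severity first."""
    min_rank = SEVERITY_RANK[threshold.lower()]
    rules = json.loads(sarif_text)["runs"][0]["tool"]["driver"]["rules"]
    rows = []
    for rule in rules:
        match = RULE_RE.match(rule.get("shortDescription", {}).get("text", ""))
        if not match:
            continue  # skip rules whose text does not follow the expected pattern
        sev = match["sev"].lower()
        if SEVERITY_RANK.get(sev, -1) >= min_rank:
            rows.append((match["id"], sev, match["pkg"]))
    rows.sort(key=lambda r: -SEVERITY_RANK[r[1]])  # stable: keeps file order within a severity
    return rows


def render_table(rows: List[Tuple[str, str, str]]) -> str:
    """Format rows as a fixed-width text table with a header line."""
    widths = [max(len(c) for c in col) for col in zip(("ID", "SEVERITY", "PACKAGE"), *rows)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format("ID", "SEVERITY", "PACKAGE")] + [fmt.format(*r) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python sarif_table.py <path-to-sarif> [threshold]; defaults to the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    print(render_table(findings(text, sys.argv[2] if len(sys.argv) > 2 else "medium")))
```

In a workflow it can replace the jq step by passing `${{ steps.scan-build-sbom.outputs.sarif }}` as the first argument.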
Thanks @kzantow, great workaround
@kzantow what about https://github.com/anchore/scan-action/pull/135 ? That seems to address this issue.