anchore · kzantow · Oct 4, 2024 · Jul 29, 2024 · Jul 29, 2024 · Jul 29, 2024
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,4 @@
+# force unix line endings for consistent ncc output
+*.js text eol=lf
+package.json text eol=lf
+package-lock.json text eol=lf
diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
@@ -30,7 +30,7 @@ jobs:
         if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
         uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
         with:
-          node-version: 16.x
+          node-version-file: package.json
 
       - name: Install dependencies
         if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' }}

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -12,11 +12,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version-file: package.json
       - run: npm ci
       - run: npm run audit
       - run: npm run build
       - run: git status --porcelain
-      - run: git diff
+      - run: git diff --ws-error-highlight=all | cat -v
       - run: git diff --exit-code
 
   test:
@@ -53,22 +56,22 @@ jobs:
           path: ./
 
       - name: "Donwload Grype v0.54.0"
+        id: grype
         uses: ./download-grype # anchore/scan-action/download-grype
         with:
           grype-version: v0.54.0
 
       - name: "Check Grype version before scan-action"
-        run: grype version | egrep "^Version:.*0.54.0$"
+        run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"
 
       - name: "Scan test image"
         uses: ./
         with:
           image: "alpine:latest"
-          grype-version: v0.54.0 # set the same version to test that current Grype binary wasn't overwritten by the latest version
           fail-build: false # to prevent fail due to vuln:s on test image
 
       - name: "Check Grype version after scan-action"
-        run: grype version | egrep "^Version:.*0.54.0$"
+        run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"
 
   test-all:
     strategy:

diff --git a/README.md b/README.md
@@ -120,7 +120,7 @@ Optionally, change the `fail-build` field to `false` to avoid failing the build
 The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the source to scan; all the other keys are optional. These are all the available keys to configure this action, along with the defaults:
 
 | Input Name          | Description                                                                                                                                                                                                                                                      | Default Value |
-| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
+|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
 | `image`             | The image to scan                                                                                                                                                                                                                                                | N/A           |
 | `path`              | The file path to scan                                                                                                                                                                                                                                            | N/A           |
 | `sbom`              | The SBOM to scan                                                                                                                                                                                                                                                 | N/A           |
@@ -133,6 +133,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `add-cpes-if-none`  | Specify whether to autogenerate missing CPEs.                                                                                                                                                                                                                    | `false`       |
 | `by-cve`            | Specify whether to orient results by CVE rather than GHSA.                                                                                                                                                                                                       | `false`       |
 | `vex`               | Specify a list of VEX documents to consider when producing scanning results.                                                                                                                                                                                     | `false`       |
+| `cache-db`          | Cache the Grype DB in GitHub action cache and restore before checking for updates                                                                                                                                                                                | `false`       |
 | `grype-version`     | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js).                                                                                                                                                     |               |
 
 ### Action Outputs
@@ -201,13 +202,14 @@ such as [ignoring certain matches](https://github.com/anchore/grype#specifying-m
 
 ## anchore/scan-action/download-grype
 
-A sub-action to [download Grype](download-grype/action.yml).
+A sub-action to [download Grype](download-grype/action.yml) and optionally cache the Grype DB.
 
 Input parameters:
 
 | Parameter       | Description                                                                                                  | Default |
-| --------------- | ------------------------------------------------------------------------------------------------------------ | ------- |
+|-----------------|--------------------------------------------------------------------------------------------------------------|---------|
 | `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). |         |
+| `cache-db`      | Cache the Grype DB in GitHub action cache and restore before checking for updates                            | `false` |
 
 Output parameters:
 

diff --git a/action.yml b/action.yml
@@ -43,6 +43,9 @@ inputs:
   vex:
     description: "Specify a list of VEX documents to consider when producing scanning results."
     required: false
+  cache-db:
+    description: "Cache the Grype DB in GitHub action cache and restore before checking for updates"
+    required: false
 outputs:
   sarif:
     description: "Path to a SARIF report file for the image"