Annotations support #244

Open
MPV opened this issue Oct 30, 2023 · 1 comment

Comments

@MPV

MPV commented Oct 30, 2023

Hi,
Would you consider adding support for Annotations?

See for comparison:

@kzantow
Contributor

kzantow commented Sep 19, 2024

Hi @MPV, apologies for the delay getting back to you on this issue.

We talked about this on our livestream today, but it was a little unclear what you were hoping to accomplish, so I thought I would get a little more information and suggest something that you could do today, based on a few assumptions.

The GitHub annotations support specifying a file and line, but Grype does not capture line numbers where packages were found. It does capture files, so it would be possible to associate a vulnerability in the list to a file, but it seems like you may have just been looking for a way to show the vulnerability report in a more convenient location. If that's the case, the GitHub summary is a pretty good way to go. You could store the table output to a file, and include it in the top-level workflow like this:

      - uses: anchore/scan-action@main
        with:
          image: alpine:3.15
          fail-build: false
          output-format: table
        env:
          GRYPE_FILE: vuln-report.out

      - run: |
          # Pass the report as a printf argument rather than embedding it in the
          # format string, so any '%' in the table is not interpreted, quote the
          # summary path, and append so earlier steps' summary content survives.
          VULN_REPORT="$(cat vuln-report.out)"
          printf '# Vulnerability Report Summary\n<pre>%s</pre>\n' "$VULN_REPORT" >> "$GITHUB_STEP_SUMMARY"

... which results in the table output being printed right at the summary view of the workflow:
[screenshot: the workflow summary view showing the Grype table output]
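kzantow's reply above notes that Grype records which file a package was found in but not a line number, so file-level annotations (no `line=`) are possible. As an added example that is not part of this thread and not code from the Grype or scan-action projects, the script below turns a Grype JSON report (e.g. `grype <target> -o json > report.json`) into GitHub Actions workflow commands (`::error`, `::warning`, `::notice`) carrying `file=` and `title=` properties, with the escaping the workflow-command syntax requires. It assumes Grype's JSON layout as I know it (`matches[].vulnerability.{id,severity,description,fix.versions}` and `matches[].artifact.{name,version,locations[].path}`); the severity-to-command mapping, the `EXAMPLE-000n` identifiers and the embedded report are constructed for this demonstration only.

```python
"""Emit GitHub Actions annotations from a Grype JSON report (file-level only).

Added example; assumes Grype's JSON schema as described in the lead-in.
"""
import json
import sys
from typing import Dict, List, Optional

# Which workflow command to use per Grype severity. This mapping is a choice
# made for the example, not something Grype or GitHub defines.
SEVERITY_TO_COMMAND = {
    "critical": "error",
    "high": "error",
    "medium": "warning",
    "low": "notice",
    "negligible": "notice",
}


def escape_data(value: str) -> str:
    """Escape the message part of a workflow command ('%', CR and LF)."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def escape_property(value: str) -> str:
    """Escape a key=value property: message escapes plus ':' and ','."""
    return escape_data(value).replace(":", "%3A").replace(",", "%2C")


def build_annotation(command: str, message: str,
                     file_path: Optional[str] = None,
                     title: Optional[str] = None) -> str:
    """Assemble one '::command file=...,title=...::message' line."""
    props = []
    if file_path:
        props.append(f"file={escape_property(file_path)}")
    if title:
        props.append(f"title={escape_property(title)}")
    prop_str = " " + ",".join(props) if props else ""
    return f"::{command}{prop_str}::{escape_data(message)}"


def annotations_from_report(report: Dict) -> List[str]:
    """One annotation per (match, location); a match with no path gets no file=."""
    out: List[str] = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        severity = str(vuln.get("severity", "Unknown"))
        command = SEVERITY_TO_COMMAND.get(severity.lower(), "notice")
        vuln_id = vuln.get("id", "UNKNOWN")
        pkg = f"{artifact.get('name', '?')}@{artifact.get('version', '?')}"
        fixed = vuln.get("fix", {}).get("versions") or []
        message = f"{vuln_id} ({severity}) in {pkg}"
        message += f"; fixed in {', '.join(fixed)}" if fixed else "; no fixed version recorded"
        description = vuln.get("description")
        if description:
            message += f"\n{description}"
        paths = [loc.get("path") for loc in artifact.get("locations", []) if loc.get("path")]
        if not paths:
            out.append(build_annotation(command, message, title=vuln_id))
        for path in paths:
            out.append(build_annotation(command, message, file_path=path, title=vuln_id))
    return out


# Constructed sample report in the assumed Grype JSON shape; the identifiers
# are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "matches": [
        {
            "vulnerability": {
                "id": "EXAMPLE-0001",
                "severity": "High",
                "description": "Constructed description with a % sign\nand a second line.",
                "fix": {"versions": ["1.2.3"], "state": "fixed"},
            },
            "artifact": {
                "name": "example-lib", "version": "1.2.0", "type": "python",
                "locations": [{"path": "requirements.txt"}],
            },
        },
        {
            "vulnerability": {
                "id": "EXAMPLE-0002", "severity": "Low",
                "fix": {"versions": [], "state": "not-fixed"},
            },
            "artifact": {
                "name": "example-tool", "version": "0.9", "type": "apk",
                "locations": [],
            },
        },
    ]
}


if __name__ == "__main__":
    # Usage: python3 grype_annotations.py report.json   (or pipe JSON on stdin)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    with source:
        data = json.load(source)
    for line in annotations_from_report(data):
        print(line)
```

Run it from a `run:` step after the scan so the lines land on stdout, where the runner picks them up as annotations. Two caveats: paths from container-image scans (such as `/lib/apk/db/installed`) do not correspond to files in the repository, so GitHub lists those annotations without a file link, and GitHub caps how many annotations it shows per step, so on a large report filter to the `error` lines or the severities you care about before printing.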

Labels
None yet
Projects
Status: Stalled
Development

No branches or pull requests

2 participants