build: break YAML to see if grype throws an error.

rouilj · rouilj · commit 98d6503a8668 · 2023-09-24T23:54:18.000-04:00
A debug run of anchore is showing the config as:

  configpath: /home/runner/work/roundup/roundup/.grype.yaml

when running:

  Executing: grype -vv -o sarif --fail-on medium localbuild/testimage:latest

Try breaking the yaml to see if it is actually being loaded.

[skip travis]
diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
@@ -42,8 +42,6 @@ jobs:
       run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
     - name: List the Docker image
       run: docker image ls
-    - name: copy grype.yaml into $home
-      run: cp .grype.yaml $HOME/
     - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
       uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # v3.3.6
       id: scan
diff --git a/.grype.yaml b/.grype.yaml
@@ -1,5 +1,5 @@
 ignore:
-  - vulnerability: CVE-2018-20225
+  - vlnerability: CVE-2018-20225
     fix-state: not-fixed
   - vulnerability: CVE-2018-20225-pip
-    fix-state: not-fixed
+  fix-state: not-fixed
