anchore · kema-dev · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
diff --git a/README.md b/README.md
@@ -123,6 +123,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 |---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
 | `image`             | The image to scan                                                                                                                                                                                                                                                | N/A           |
 | `path`              | The file path to scan                                                                                                                                                                                                                                            | N/A           |
+| `config-file-path`  | The path to the Grype configuration file                                                                                                                                                                                                                         | N/A           |
 | `sbom`              | The SBOM to scan                                                                                                                                                                                                                                                 | N/A           |
 | `registry-username` | The registry username to use when authenticating to an external registry                                                                                                                                                                                         |               |
 | `registry-password` | The registry password to use when authenticating to an external registry                                                                                                                                                                                         |               |

diff --git a/action.yml b/action.yml
@@ -10,6 +10,9 @@ inputs:
   path:
     description: 'The path to scan. This option is mutually exclusive with "image" and "sbom".'
     required: false
+  config-file-path:
+    description: "The path to the Grype configuration file."
+    required: false
   sbom:
     description: 'The SBOM file to scan. This option is mutually exclusive with "path" and "image".'
     required: false
@@ -22,7 +25,7 @@ inputs:
     required: false
     default: "sarif"
   output-file:
-    description: 'The file to output the grype scan results to'
+    description: "The file to output the grype scan results to"
     required: false
   severity-cutoff:
     description: 'Optionally specify the minimum vulnerability severity to trigger an "error" level ACS result.  Valid choices are "negligible", "low", "medium", "high" and "critical".  Any vulnerability with a severity less than this value will lead to a "warning" result.  Default is "medium".'
@@ -39,7 +42,7 @@ inputs:
   by-cve:
     description: "Specify whether to orient results by CVE rather than GHSA.  Default is false."
     required: false
-    default: "false"  
+    default: "false"
   grype-version:
     description: "A specific version of Grype to install"
     required: false

diff --git a/dist/index.js b/dist/index.js
@@ -142,6 +142,7 @@ async function run() {
     const source = sourceInput();
     const failBuild = core.getInput("fail-build") || "true";
     const outputFormat = core.getInput("output-format") || "sarif";
+    const configFilePath = core.getInput("config-file-path") || "";
     const severityCutoff = core.getInput("severity-cutoff") || "medium";
     const onlyFixed = core.getInput("only-fixed") || "false";
     const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
@@ -156,6 +157,7 @@ async function run() {
       onlyFixed,
       outputFile,
       outputFormat,
+      configFilePath,
       addCpesIfNone,
       byCve,
       vex,
@@ -309,6 +311,7 @@ async function runScan({
   onlyFixed,
   outputFile,
   outputFormat,
+  configFilePath,
   addCpesIfNone,
   byCve,
   vex,
@@ -365,6 +368,15 @@ async function runScan({
   }
   cmdArgs.push("--file", outputFile);
 
+  if (configFilePath !== "") {
+    if (!fs.existsSync(configFilePath)) {
+      throw new Error(
+        `Config file ${configFilePath} does not exist or is not accessible`,
+      );
+    }
+    cmdArgs.push("--config", configFilePath);
+  }
+
   if (
     !SEVERITY_LIST.some(
       (item) =>
@@ -404,6 +416,7 @@ async function runScan({
   core.debug("Add Missing CPEs: " + addCpesIfNone);
   core.debug("Orient by CVE: " + byCve);
   core.debug("Output Format: " + outputFormat);
+  core.debug("Config File Path: " + (configFilePath || "none"));
 
   core.debug("Creating options for GRYPE analyzer");
 

diff --git a/index.js b/index.js
@@ -128,6 +128,7 @@ async function run() {
     const source = sourceInput();
     const failBuild = core.getInput("fail-build") || "true";
     const outputFormat = core.getInput("output-format") || "sarif";
+    const configFilePath = core.getInput("config-file-path") || "";
     const severityCutoff = core.getInput("severity-cutoff") || "medium";
     const onlyFixed = core.getInput("only-fixed") || "false";
     const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
@@ -142,6 +143,7 @@ async function run() {
       onlyFixed,
       outputFile,
       outputFormat,
+      configFilePath,
       addCpesIfNone,
       byCve,
       vex,
@@ -295,6 +297,7 @@ async function runScan({
   onlyFixed,
   outputFile,
   outputFormat,
+  configFilePath,
   addCpesIfNone,
   byCve,
   vex,
@@ -351,6 +354,15 @@ async function runScan({
   }
   cmdArgs.push("--file", outputFile);
 
+  if (configFilePath !== "") {
+    if (!fs.existsSync(configFilePath)) {
+      throw new Error(
+        `Config file ${configFilePath} does not exist or is not accessible`,
+      );
+    }
+    cmdArgs.push("--config", configFilePath);
+  }
+
   if (
     !SEVERITY_LIST.some(
       (item) =>
@@ -390,6 +402,7 @@ async function runScan({
   core.debug("Add Missing CPEs: " + addCpesIfNone);
   core.debug("Orient by CVE: " + byCve);
   core.debug("Output Format: " + outputFormat);
+  core.debug("Config File Path: " + (configFilePath || "none"));
 
   core.debug("Creating options for GRYPE analyzer");
 

diff --git a/tests/grype_command.test.js b/tests/grype_command.test.js
@@ -99,6 +99,32 @@ describe("Grype command args", () => {
     ]);
   });
 
+  it("is invoked with config file", async () => {
+    const args = await mockRun({
+      image: "asdf",
+      "fail-build": "false",
+      "output-file": "the-output-file",
+      "output-format": "json",
+      "severity-cutoff": "low",
+      version: "0.6.0",
+      "only-fixed": "false",
+      "add-cpes-if-none": "false",
+      "by-cve": "false",
+      "config-file-path": "path/to/config",
+    });
+    expect(args).toEqual([
+      "-o",
+      "json",
+      "--file",
+      "the-output-file",
+      "--config",
+      "path/to/config",
+      "--fail-on",
+      "low",
+      "asdf",
+    ]);
+  });
+
   it("adds missing CPEs if requested", async () => {
     const args = await mockRun({
       image: "asdf",