Errors not being printed to log, even in actions debug mode

[kevinleturc]

I just tried to give a VEX documents to the scan-action and it does not have the same behavior than the command line.

So far I encounter two issues when using VEX documents with the scan-action:

• the output file is empty
• the action could fail with Failed minimum severity level. Found vulnerabilities with level 'high' or higher message whereas no high or higher vuln are found.

Note that running the same command than the action is producing the expected result.

My GitHub workflow is as below and can be found there with additional information: kevinleturc/github-action-issues#1

    steps:
      - name: 'Scan Docker image with Grype'
        uses: anchore/scan-action@v6
        with:
          image: alpine:3.22
          severity-cutoff: high
          by-cve: true
          vex: vex.json
          output-format: table
          output-file: grype-alpine-vex.txt
          grype-version: v0.96.0

      - name: Print result file
        if: always()
        run: |
          echo "Content of Grype output file with VEX file:"
          cat grype-alpine-vex.txt

[kzantow]

Hey @kevinleturc -- it looks like the vex option works fine when you check out the repository, however your test doesn't include an actions/checkout step, so there is no vex document available, Grype isn't finding it, and there's an error returned.

So, to fix your issue, just add an actions/checkout step (you can see an example here).

There is a problem that this error should have been printed to the logs, but it isn't, even if I select actions debug logging. I'm going to dig in to why the error log isn't showing up properly, which would have probably made it obvious that you missed a checkout step.

[kevinleturc]

Hello @kzantow,

Thanks for your findings, and sorry to have bothered for such a dummy setup error.

[kzantow]

You uncovered an issue, though -- errors should be printed to the workflow log, it wasn't obvious what was going on at all!