fix: replace anchore/scan-action with manual grype install to fix stale DB

mbologna · claude · mbologna · commit a8471deca23d · 2026-03-18T11:27:50.000+01:00
Root cause: anchore/scan-action@v4 internally uses actions/cache to restore
the Grype vulnerability DB. This cache restore happens *inside* the action,
after our "Clear stale Grype DB cache" step had already run. As a result, the
stale DB (built &gt;5 days ago) was always restored before grype executed, causing:

  db could not be loaded: the vulnerability database was built 1 week ago
  (max allowed age is 5 days)

With no DB available, grype produced no SARIF output, which then caused a
second failure at the upload step:

  Invalid SARIF. JSON syntax error: Unexpected end of JSON input

Fix: drop anchore/scan-action@v4 entirely and replace with three explicit steps:
1. Install grype via the official install script
2. Run `grype db update` to force a fresh DB download (no cache involved)
3. Run grype manually, writing SARIF directly to grype-results.sarif

This also eliminates the now-unnecessary "Move Grype results" step, which only
existed to rename the action's hardcoded output filename.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
@@ -178,30 +178,20 @@ jobs:
           severity: CRITICAL,HIGH,MEDIUM
           timeout: 10m
 
-      - name: Clear stale Grype DB cache
+      - name: Install Grype
         if: matrix.scanner == 'grype'
-        run: rm -rf ~/.cache/grype/db
+        run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
 
-      - name: Run Grype vulnerability scanner
+      - name: Update Grype DB
         if: matrix.scanner == 'grype'
-        uses: anchore/scan-action@v4
-        continue-on-error: true
-        with:
-          image: ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:latest
-          fail-build: false
-          severity-cutoff: high
-          output-format: sarif
+        run: grype db update
 
-      - name: Move Grype results
+      - name: Run Grype vulnerability scanner
         if: matrix.scanner == 'grype'
         continue-on-error: true
         run: |
-          if [ -f results.sarif ]; then
-            mv results.sarif grype-results.sarif
-          else
-            echo "Grype results file not found"
-            exit 1
-          fi
+          grype "${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:latest" \
+            -o sarif > grype-results.sarif
 
       - name: Upload SARIF to GitHub Security
         if: always() && hashFiles(format('{0}-results.sarif', matrix.scanner)) != ''
