
[deps]: Update anchore/scan-action action to v7#230

Merged
AmyLGalles merged 2 commits into main from renovate/anchore-scan-action-7.x on Nov 19, 2025

Conversation


@renovate renovate bot commented Sep 29, 2025

This PR contains the following updates:

Package              Type    Update  Change             Pending
anchore/scan-action  action  major   v6.2.0 -> v7.0.2   v7.1.0

Release Notes

anchore/scan-action (anchore/scan-action)

v7.0.2

New in scan-action v7.0.2

v7.0.1

scan-action v7.0.1

v7.0.0

New in scan-action v7.0.0

  • chore(deps): update Grype to v0.100.0 (#516)

v6.5.1

New in scan-action v6.5.1
  • Update Grype to v0.97.1 (#495)

v6.5.0

New in scan-action v6.5.0

v6.4.0

New in scan-action v6.4.0
  • Update Grype to v0.95.0 (#486)
  • chore(deps-dev): bump eslint from 9.30.0 to 9.30.1 (#485)
  • chore(deps-dev): bump lint-staged from 16.1.0 to 16.1.2 (#476)
  • chore(deps-dev): bump jest from 30.0.0 to 30.0.3 (#481)
  • chore(deps-dev): bump prettier from 3.5.3 to 3.6.2 (#483)
  • chore(deps-dev): bump eslint from 9.28.0 to 9.30.0 (#484)

v6.3.0

New in scan-action v6.3.0
  • Update Grype to v0.94.0 (#470)

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested review from a team as code owners September 29, 2025 02:54

codecov bot commented Sep 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 7.04%. Comparing base (d9c9848) to head (46e7494).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main    #230   +/-   ##
=====================================
  Coverage   7.04%   7.04%           
=====================================
  Files         49      49           
  Lines       1818    1818           
  Branches      99      99           
=====================================
  Hits         128     128           
  Misses      1685    1685           
  Partials       5       5           

@renovate renovate bot force-pushed the renovate/anchore-scan-action-7.x branch from fba87b7 to 73ab986 on October 9, 2025 11:40
@renovate renovate bot force-pushed the renovate/anchore-scan-action-7.x branch from 73ab986 to 8fc58fc on October 22, 2025 21:10
@renovate renovate bot force-pushed the renovate/anchore-scan-action-7.x branch from 8fc58fc to 3e6092b on October 23, 2025 15:02

renovate bot commented Oct 29, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

claude bot commented Oct 29, 2025

Claude finished @renovate[bot]'s task

PR Review: Update anchore/scan-action to v7

Summary of Changes

This PR updates the anchore/scan-action GitHub Action from v6.2.0 to v7.0.2 in the Docker build workflow. This is a major version update that primarily updates the underlying Grype vulnerability scanner from v0.x to v0.100.0+.

Changed file: .github/workflows/build.yml:136

  • Updated action reference from 2c901ab... (v6.2.0) to a5605eb... (v7.0.2)
  • All action inputs remain unchanged (image, fail-build, output-format)

Critical Issues

None identified. The update appears to be a straightforward version bump with no breaking changes to the action's API.


Security & Compatibility Analysis

✅ Action API Compatibility

The action inputs used in the workflow remain compatible:

  • image: Still supported (required input)
  • fail-build: Still supported (boolean, defaults to false)
  • output-format: Still supported (sarif format is valid)

The output sarif used in line 145 is also still available.

🔒 Security Improvements

Positive changes in v7.x:

  • Grype v0.100.0+: Major update to the vulnerability scanner engine
    • Likely includes updated vulnerability database schema
    • Improved detection capabilities for newer CVEs
    • Bug fixes from v6.3.0 through v7.0.2 (stderr output for nonzero exit codes added in v6.5.0)

Commit SHA verification: The new commit SHA a5605eb0943e46279cb4fbd9d44297355d3520ab should be verified to match the official v7.0.2 release tag.

⚠️ Potential Considerations

  1. Grype v0.100.0 is a major version update: This may result in:
    • Different vulnerability findings (potentially more detections)
    • Changes to vulnerability severity ratings
    • Updates to how CVEs are matched and reported
  2. SARIF output format: Should remain stable, but verify that:
    • The SARIF schema version hasn't changed in a breaking way
    • GitHub Code Scanning still accepts the output format
  3. Performance: Major scanner updates may have performance implications (faster or slower scans)
  4. False positives/negatives: Updated scanner may change the detection behavior, requiring review of scan results

Suggested Improvements

  1. Monitor first scan results: After merging, closely review the security scan results to ensure:
    • No unexpected new vulnerabilities are flagged
    • No legitimate vulnerabilities are missed
    • SARIF upload to GitHub Code Scanning succeeds
  2. Consider pinning behavior: The current approach of using a commit SHA with a version comment is good practice. Consider:
    • Verifying the SHA matches the official release
    • Documenting any scan result differences in internal security tracking
  3. Update schedule: Since v7.1.0 is already pending (as noted in the PR description), consider:
    • Reviewing the v7.1.0 changelog when available
    • Ensuring the biweekly update schedule aligns with the team's capacity to review security changes

Good Practices Observed

  • ✅ Using commit SHA pinning for GitHub Actions
  • ✅ Including version number in comments for clarity
  • ✅ Automated dependency updates via Renovate
  • ✅ Proper permissions scoping (security-events: write)
  • ✅ SARIF results uploaded to GitHub Security tab

Action Items

  • Merge and monitor: Approve and merge this PR, then monitor the first scan results on the next main branch build
  • Verify SHA: Optionally verify that a5605eb0943e46279cb4fbd9d44297355d3520ab matches the official v7.0.2 release
  • Document changes: If scan results differ significantly, document the behavioral changes for the team
  • Plan for v7.1.0: Prepare to review the next update (v7.1.0) when Renovate creates that PR

Verdict

✅ APPROVE - This is a low-risk dependency update with no API-breaking changes. The major version bump is primarily due to the underlying Grype scanner update, which should improve security scanning capabilities. The workflow configuration requires no changes.
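The review above recommends confirming that a SHA-pinned action really is the commit the version comment claims. As an added example (not code from this PR, from Renovate, or from anchore/scan-action), the script below parses `uses:` lines from a workflow and compares each pin against `git ls-remote --tags` output, preferring the peeled `^{}` commit of an annotated tag; the workflow snippet and ls-remote output are constructed samples, and every SHA in them other than this PR's a5605eb... is made up.

```python
"""Check that SHA-pinned GitHub Actions match the tag named in their version comment."""
import re

# Matches e.g.  - uses: anchore/scan-action@<40-hex sha> # v7.0.2   (single-line YAML form only)
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)[ \t]*(?:#[ \t]*(?P<tag>\S+))?",
    re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag -> commit SHA from `git ls-remote --tags <url>` output. An annotated tag lists its
    tag object (refs/tags/X) and the peeled commit (refs/tags/X^{}); pins must match the commit."""
    tags: dict[str, str] = {}
    for sha, ref in (line.split() for line in output.splitlines() if line.strip()):
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags[name[:-3]] = sha       # peeled commit SHA: authoritative
        else:
            tags.setdefault(name, sha)  # lightweight tag, or tag object until a peel is seen
    return tags

def check_pins(workflow: str, tags_by_repo: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (action, finding) pairs; an empty list means every `uses:` line passed."""
    findings = []
    for m in USES_RE.finditer(workflow):
        repo, ref, tag = m.group("repo"), m.group("ref"), m.group("tag")
        known = tags_by_repo.get(repo, {})
        if not SHA_RE.match(ref):
            findings.append((repo, f"not pinned to a full commit SHA: {ref}"))
        elif tag is None:
            findings.append((repo, "SHA pin carries no version comment to audit against"))
        elif tag not in known:
            findings.append((repo, f"comment names a tag not on the remote: {tag}"))
        elif known[tag] != ref:
            findings.append((repo, f"{tag} resolves to {known[tag][:7]}, not the pinned {ref[:7]}"))
    return findings

# Constructed sample workflow: the step from this PR plus two deliberately bad pins.
SAMPLE_WORKFLOW = """
      - uses: anchore/scan-action@a5605eb0943e46279cb4fbd9d44297355d3520ab # v7.0.2
      - uses: actions/checkout@v4
      - uses: example/other-action@0000000000000000000000000000000000000000 # v1.0.0
"""
# Constructed `git ls-remote --tags` output; the 1111... and ffff... SHAs are made up.
SAMPLE_LS_REMOTE = {
    "anchore/scan-action": "1111111111111111111111111111111111111111\trefs/tags/v7.0.2\n"
                           "a5605eb0943e46279cb4fbd9d44297355d3520ab\trefs/tags/v7.0.2^{}\n",
    "example/other-action": "ffffffffffffffffffffffffffffffffffffffff\trefs/tags/v1.0.0\n",
}
```

To audit the real pin, replace the sample with the output of `git ls-remote --tags https://github.com/anchore/scan-action` and the workflow file's contents; a mutable `@v4`-style reference and a SHA that drifts from its comment are both reported.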

@AmyLGalles AmyLGalles left a comment

LGTM

Checkmarx One – Scan Summary & Details (e6ff9aee-e4bf-4f36-bf77-a13d8fade8e3)

Great job! No new security vulnerabilities introduced in this pull request

@AmyLGalles AmyLGalles merged commit 5da3fe3 into main Nov 19, 2025
16 checks passed
@AmyLGalles AmyLGalles deleted the renovate/anchore-scan-action-7.x branch November 19, 2025 22:38