ci: use machine readabla

kenhys · kenhys · commit 17d9f80480ca · 2026-01-08T18:05:46.000+09:00
In the previous versions, ad-hoc and broken Markdown
was rendered in some cases.
Use --output json and convert it to GFM.

* (filter) ignore Negligible in .vulnerability.severity
* Show fixed version from .vulnerability.fix.versions[0] or
  (wont-fix) or empty in FIXED IN column
* Show deb or gem from .artifact.type in TYPE column
* Show CVE from .vulnerability.id in VULNERABILITY column

Signed-off-by: Kentaro Hayashi &lt;hayashi@clear-code.com&gt;
diff --git a/.github/workflows/scan-images.yml b/.github/workflows/scan-images.yml
@@ -38,11 +38,20 @@ jobs:
           # v1.19.1-debian-amd64
           IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
           echo "# Scan Fluentd image with grype (filter)" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE --ignore-states wont-fix --output json | jq --raw-output '
+            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
+            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
+            (.matches[]
+            | select(.vulnerability.severity != "Negligible")
+            | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
+            ' >> $GITHUB_STEP_SUMMARY
           echo "# Scan Fluentd image with grype (details)" >> $GITHUB_STEP_SUMMARY
-          echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
-          echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE --output json | jq --raw-output '
+            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
+            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
+            (.matches[]
+            | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
+            ' >> $GITHUB_STEP_SUMMARY
   ruby:
     name: Scan Ruby image with grype
     strategy:
@@ -53,11 +62,20 @@ jobs:
         run: |
           docker pull ruby:3.4-slim
           echo "# Scan Ruby image with grype (filter)" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest ruby:3.4-slim --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest ruby:3.4-slim --ignore-states wont-fix --format json | jq --raw-output '
+            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
+            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
+            (.matches[]
+            | select(.vulnerability.severity != "Negligible")
+            | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
+            ' >> $GITHUB_STEP_SUMMARY
           echo "# Scan Ruby image with grype (details)" >> $GITHUB_STEP_SUMMARY
-          echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
-          echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest ruby:3.4-slim | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest ruby:3.4-slim --output json | jq --raw-output '
+            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
+            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
+            (.matches[]
+            | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
+            ' >> $GITHUB_STEP_SUMMARY
   debian:
     name: Scan debian image with grype
     strategy:
@@ -68,8 +86,17 @@ jobs:
         run: |
           docker pull debian:trixie
           echo "# Scan debian image with grype (filter)" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest debian:trixie --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest debian:trixie --ignore-states wont-fix --output json | jq --raw-output '
+            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
+            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
+            (.matches[]
+            | select(.vulnerability.severity != "Negligible")
+            | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
+            ' >> $GITHUB_STEP_SUMMARY
           echo "# Scan debian image with grype (details)" >> $GITHUB_STEP_SUMMARY
-          echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
-          echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest debian:trixie | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest debian:trixie --output json | jq --raw-output '
+            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
+            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
+            (.matches[]
+            | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
+            ' >> $GITHUB_STEP_SUMMARY
