From 5b86dc76e0f2b642b729d93e8ecc49c94ea69787 Mon Sep 17 00:00:00 2001
From: Natalie Somersall
Date: Tue, 7 Nov 2023 07:37:13 -0800
Subject: [PATCH] change grype outputs (#216)
---
 .github/workflows/build-release.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index e3817e3..449b5ad 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -118,17 +118,23 @@ jobs:
 ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}
 ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.VERSION }}-${{ env.SHA_SHORT }}
 
+ - name: Download Grype
+ uses: anchore/scan-action/download-grype@v3
+ id: grype
+ with:
+ grype-version: "v0.72.0"
+
 - name: Scan it
- uses: anchore/scan-action@v3
 id: scan
- with:
- image: "ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}"
- fail-build: false
+ run: |
+ ${{steps.grype.outputs.cmd}} -o sarif -f ${{github.workspace}}/results.sarif \
+ ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}
 
 - name: Upload the container scan report
 uses: github/codeql-action/upload-sarif@v2
 with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
+ sarif_file: ${{ github.workspace }}/results.sarif
+ category: ${{ matrix.os }}
 
 - name: Generate that SBOM
 uses: anchore/sbom-action@v0
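Review bot: The new `run:` step under "Scan it" interpolates `${{steps.grype.outputs.cmd}}`, `${{github.workspace}}` and the image reference straight into the shell script; the hardening pattern for `run:` is to pass expression values through `env:` and reference them as quoted shell variables, so a value containing shell metacharacters is treated as data rather than re-parsed by bash. Both values here come from a pinned action and the runner, so the exposure is low, but the rewrite below also drops the unquoted `\` continuation and the bare image reference (this assumes `cmd` is a single executable path, which looks to be the case but is worth confirming against the action's docs). The new `anchore/scan-action/download-grype@v3` reference, like the surrounding `@v2`/`@v0` actions, is a mutable tag; the supply-chain-conscious form pins a full commit SHA with the tag in a trailing comment, whereas the Grype binary itself is already pinned by `grype-version: "v0.72.0"`. The enclosing job and the `SHA_SHORT` definition are outside the hunk, and `upload-sarif` presumably relies on `security-events: write` in the job permissions, which cannot be checked from this hunk.
```yaml
      - name: Scan it
        id: scan
        env:
          GRYPE: ${{ steps.grype.outputs.cmd }}
          IMAGE: ghcr.io/${{ github.repository }}/${{ matrix.os }}:${{ env.SHA_SHORT }}
        run: |
          "$GRYPE" -o sarif -f "$GITHUB_WORKSPACE/results.sarif" "$IMAGE"
```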