Add json format output option #184

Merged (1 commit) on Aug 9, 2022
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -116,7 +116,7 @@ Optionally, change the `fail-build` field to `false` to avoid failing the build

### Action Inputs

The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the source to scan; all the other keys are optional. These are all the available keys to configure this action, along with the defaults:
The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the source to scan;inputs `output-format` and`acs-report-enable` are mutually exclusive to specify the report format;all the other keys are optional. These are all the available keys to configure this action, along with the defaults:

| Input Name | Description | Default Value |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
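Review bot: The rewritten sentence misstates the relationship between the two inputs and is missing spaces ("scan;inputs", "and`acs-report-enable`", "format;all"). Per the dist/index.js changes in this PR, `acs-report-enable` is not mutually exclusive with `output-format`: when it is enabled the SARIF branch runs regardless of `output-format`, so it overrides rather than excludes. Suggest: "The inputs `image`, `path`, and `sbom` are mutually exclusive and select the source to scan. `output-format` selects the report format, but `acs-report-enable` (default `true`) takes precedence and forces SARIF, so set `acs-report-enable: false` to get JSON. All other keys are optional."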
Expand All @@ -126,14 +126,16 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
| `registry-username` | The registry username to use when authenticating to an external registry | |
| `registry-password` | The registry password to use when authenticating to an external registry | |
| `fail-build` | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `"medium"` and can be set with `severity-cutoff`. | `true` |
| `acs-report-enable` | Generate a SARIF report and set the `sarif` output parameter after successful action execution. This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report. | `true` |
| `output-format` | Set the output parameter after successful action execution. Valid choices are "json" and "sarif" | `sarif` |
| `acs-report-enable` | Generate a SARIF report and set the `sarif` output parameter (Override the output-format) after successful action execution. This report is compatible with GitHub Automated Code Scanning (ACS), as the artifact to upload for display as a Code Scanning Alert report. | `true` |
| `severity-cutoff` | With ACS reporting enabled, optionally specify the minimum vulnerability severity to trigger an "error" level ACS result. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `"medium"` |

### Action Outputs

| Output Name | Description | Type |
| ----------- | ----------------------------- | ------ |
| `sarif` | Path to the SARIF report file | string |
| `report` | Path to the report file | string |

### Example Workflows

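Review bot: The Action Outputs table replaces the `sarif` row with `report`, but the code in dist/index.js still sets `out.sarif` in the SARIF branch and only sets `out.report` in the new else branch, so both outputs exist and the table should list both (`sarif` for the ACS path, `report` for the `output-format` path) instead of swapping one for the other; workflows that already reference the `sarif` output would otherwise find it undocumented while it is still emitted. The `output-format` description ("Set the output parameter after successful action execution") should also say which output and file it controls and that `acs-report-enable` takes precedence over it.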
25 changes: 22 additions & 3 deletions dist/index.js
Expand Up @@ -103,12 +103,14 @@ async function run() {
const source = sourceInput();
const failBuild = core.getInput("fail-build") || "true";
const acsReportEnable = core.getInput("acs-report-enable") || "true";
const outputFormat = core.getInput("output-format") || "sarif";
const severityCutoff = core.getInput("severity-cutoff") || "medium";
const out = await runScan({
source,
failBuild,
acsReportEnable,
severityCutoff,
outputFormat
});
Object.keys(out).map((key) => {
core.setOutput(key, out[key]);
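Review bot: dist/index.js is the webpack bundle (see the `__webpack_require__` trailer at the bottom of the file), so hand-editing it leaves the build output out of sync with the source; the change belongs in the source entry point with the bundle regenerated from it, and the PR should be checked for the matching source change. Minor: `outputFormat` on the last line of the `runScan({...})` argument object lacks the trailing comma the preceding properties (`severityCutoff,`) use.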
Expand All @@ -118,7 +120,7 @@ async function run() {
}
}

async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
async function runScan({ source, failBuild, acsReportEnable, severityCutoff ,outputFormat}) {
const out = {};

const env = {
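Review bot: Spacing in the destructured parameter list is off: `severityCutoff ,outputFormat}` should be `severityCutoff, outputFormat }` to match the formatting of the rest of the signature.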
Expand All @@ -139,6 +141,8 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
}

const SEVERITY_LIST = ["negligible", "low", "medium", "high", "critical"];
const FORMAT_LIST = ["sarif", "json"];

let cmdArgs = [];

if (core.isDebug()) {
Expand All @@ -152,7 +156,7 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
if (acsReportEnable) {
cmdArgs.push("-o", "sarif");
} else {
cmdArgs.push("-o", "json");
cmdArgs.push("-o", outputFormat);
}

if (
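Review bot: The value pushed here is the raw `outputFormat`, while the validation added later in this file accepts it after `toLowerCase()`, so an input such as `JSON` passes validation but `-o JSON` is what reaches grype; normalize once where the input is read (`.toLowerCase()` at assignment) or push the lowercased value. Also worth confirming that `acsReportEnable` has been converted to a boolean before this `if`: as read on the `core.getInput("acs-report-enable") || "true"` line it is a string, and the string `"false"` is truthy, which would make this `else` branch, and with it the whole `output-format` option, unreachable.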
Expand All @@ -166,6 +170,17 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
`Invalid severity-cutoff value is set to ${severityCutoff} - please ensure you are choosing either negligible, low, medium, high, or critical`
);
}
if (
!FORMAT_LIST.some(
(item) =>
typeof outputFormat.toLowerCase() === "string" &&
item === outputFormat.toLowerCase()
)
) {
throw new Error(
`Invalid output-format value is set to ${outputFormat} - please ensure you are choosing either json or sarif`
);
}

core.debug(`Installing grype version ${grypeVersion}`);
await installGrype(grypeVersion);
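Review bot: `typeof outputFormat.toLowerCase() === "string"` is always true (`toLowerCase` returns a string), so the `some` callback reduces to an equality test; `if (!FORMAT_LIST.includes(outputFormat.toLowerCase()))` expresses the same check and is easier to read. The validation also runs after `-o` has already been pushed onto `cmdArgs` in the previous hunk; that is harmless because the throw happens before grype is installed or run, but validating right where the input is read keeps the ordering obvious.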
Expand Down Expand Up @@ -225,6 +240,10 @@ async function runScan({ source, failBuild, acsReportEnable, severityCutoff }) {
const SARIF_FILE = "./results.sarif";
fs.writeFileSync(SARIF_FILE, cmdOutput);
out.sarif = SARIF_FILE;
}else {
const REPORT_FILE = "./results.report";
fs.writeFileSync(REPORT_FILE, cmdOutput);
out.report = REPORT_FILE;
}

if (failBuild === true && exitCode > 0) {
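Review bot: The fixed filename `./results.report` hides the format, and this branch is reached for any value in `FORMAT_LIST` whenever `acsReportEnable` is false, including `sarif`, which then lands in a `.report` file exposed as `report` rather than `sarif`. Derive the name from the format (for example `./results.${outputFormat}`) so a JSON report carries a `.json` extension and a SARIF one keeps `.sarif`, and consider setting `out.sarif` as well when the format is `sarif` so downstream upload steps behave the same on both paths. Style: `}else {` should be `} else {`.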
Expand Down Expand Up @@ -6916,4 +6935,4 @@ module.exports = require("util");
/******/ // Load entry module and return exports
/******/ return __webpack_require__(932);
/******/ })()
;
;