From b3376a0925ea8f5549d4992d947b7013cbfdd237 Mon Sep 17 00:00:00 2001
From: davesmallnhs <263884314+davesmallnhs@users.noreply.github.com>
Date: Tue, 19 May 2026 11:43:40 +0100
Subject: [PATCH 1/2] Add fail-on-severity config for scan-dependencies, which uses grype
---
 scripts/config/grype.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/config/grype.yaml b/scripts/config/grype.yaml
index 07484cab..0fecf296 100644
--- a/scripts/config/grype.yaml
+++ b/scripts/config/grype.yaml
@@ -1,5 +1,6 @@
 # If using SBOM input, automatically generate CPEs when packages have none
 add-cpes-if-none: true
+fail-on-severity: high
 # ignore:
 # # This is the full set of supported rule fields:
 # - vulnerability: CVE-2008-4318
From 7f91d2d692bc23847e4437572ad3b03b36e9e7bb Mon Sep 17 00:00:00 2001
From: davesmallnhs <263884314+davesmallnhs@users.noreply.github.com>
Date: Tue, 19 May 2026 12:32:26 +0100
Subject: [PATCH 2/2] Render vulnerabilities as a table
---
 .github/actions/scan-dependencies/action.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/actions/scan-dependencies/action.yaml b/.github/actions/scan-dependencies/action.yaml
index 351ed515..98942143 100644
--- a/.github/actions/scan-dependencies/action.yaml
+++ b/.github/actions/scan-dependencies/action.yaml
@@ -30,6 +30,13 @@ runs:
 run: |
 curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
 | sudo sh -s -- -b /usr/bin
+ - name: "Display vulnerabilities table"
+ uses: anchore/scan-action@v7
+ with:
+ sbom: ./sbom-repository-report.json
+ severity-cutoff: high
+ output-format: table
+ fail-build: false
 - name: "Scan vulnerabilities"
 shell: bash
 run: |
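Review bot: The added `fail-on-severity: high` makes grype exit non-zero on any high or critical finding, but the file does not say so or why that threshold was chosen, and the commented `ignore:` block below it now becomes the only suppression mechanism; a comment above the key would make that explicit, e.g. `# Fail the scan step (non-zero exit) on findings of this severity or above; add suppressions under ignore: below` . This only takes effect if the "Scan vulnerabilities" step actually points grype at scripts/config/grype.yaml (via --config or GRYPE_CONFIG); that step's body is outside this hunk, so I cannot confirm it does. The second patch in this series sets the same threshold again as `severity-cutoff: high` on the scan-action step, so the two values can drift silently and should be kept in sync or one noted as derived from the other.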
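Review bot: The new step's `uses: anchore/scan-action@v7` pins a third-party action that handles the scan to a mutable major-version tag; for a dependency-scanning action, pin to the full commit SHA with the version as a trailing comment, `uses: anchore/scan-action@<full-commit-sha-placeholder> # v7`, and let the repository's dependency-update tooling bump it. The step's `severity-cutoff: high` duplicates the `fail-on-severity: high` added to scripts/config/grype.yaml in the first patch, so a comment on the step such as `# Display only (fail-build: false); gating threshold lives in scripts/config/grype.yaml` would tell the next maintainer which value is authoritative. As far as I recall scan-action installs its own grype binary, so the `curl ... | sudo sh` install in the preceding context lines now serves only the "Scan vulnerabilities" step, whose body continues past the end of the hunk.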