
Upgrade anchore/scan-action to v7.3.2 to fix CVE-2025-59250 false positive#493

Merged
jnewton03 merged 1 commit into main from bugfix/upgrade-grype-scan-action
Feb 23, 2026

Conversation

@jnewton03
Contributor

Summary

  • Upgrades anchore/scan-action from v5 (Grype v0.85.0) to v7.3.2 (Grype v0.107.1)
  • Fixes the remaining Grype false positive for CVE-2025-59250 on the liquibase-secure image

Context

PR #492 extended the .trivyignore expiration which fixed the Trivy scans, but the Grype scan still reports grype_vulns: 1 because .trivyignore only applies to Trivy.

The root cause — Grype's incorrect version comparison of mssql-jdbc 13.2.1 vs 13.2.1.jre11 — was fixed upstream in anchore/grype#3034 (merged Nov 2025, shipped in v0.104.1). The workflow was pinned to scan-action v5 which bundles Grype v0.85.0, predating the fix.

Failing run: #22321625392

Test plan

🤖 Generated with Claude Code

The pinned scan-action (v5) bundled Grype v0.85.0 which has a
false-positive for CVE-2025-59250 on mssql-jdbc due to Microsoft's
non-standard version metadata. This was fixed in Grype v0.104.1+
(anchore/grype#3034). Upgrading to scan-action v7.3.2 which bundles
Grype v0.107.1 resolves the false positive at the scanner level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
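The root cause named in the description is an ecosystem-specific version comparison. The following is an added illustration, not Grype's code and not from this repository: a simplified model of Maven's documented version ordering (the ComparableVersion rules, where unknown qualifiers sort after the bare release) next to a generic SemVer-style comparator that reads a trailing suffix as a pre-release, both run on the two strings from the PR. The fix version passed to is_fixed is a hypothetical placeholder for the demonstration, not the advisory's actual fixed-in version.

```python
import re
from itertools import zip_longest

# Ranks for Maven's known qualifiers (ComparableVersion ordering). The empty
# string is the bare release; "ga", "final" and "release" are its aliases.
_KNOWN = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "cr": 3,
          "snapshot": 4, "": 5, "ga": 5, "final": 5, "release": 5, "sp": 6}
_NULL_WORDS = {"", "ga", "final", "release"}


def _tokenize(version):
    """Split on '.', '-' and digit/letter boundaries; numbers become ints.
    Trailing 'null' items (0 or a release alias) are dropped, so 1.0 == 1."""
    parts = re.findall(r"\d+|[a-z]+", version.lower())
    items = [int(p) if p.isdigit() else p for p in parts]
    while items and (items[-1] == 0 or items[-1] in _NULL_WORDS):
        items.pop()
    return items


def _qualifier_key(q):
    # Unknown qualifiers (e.g. "jre") sort after every known one, lexically.
    return (_KNOWN[q], "") if q in _KNOWN else (7, q)


def _cmp_item(a, b):
    """Compare two tokens; None stands for a position the shorter version lacks."""
    if a is None:
        return 0 if b is None else -_cmp_item(b, None)
    if isinstance(a, int):
        if b is None:
            return 0 if a == 0 else 1
        if isinstance(b, int):
            return (a > b) - (a < b)
        return 1                      # a number outranks any qualifier
    if isinstance(b, int):
        return -1
    ka, kb = _qualifier_key(a), _qualifier_key("" if b is None else b)
    return (ka > kb) - (ka < kb)


def maven_compare(v1, v2):
    """-1, 0 or 1 ordering v1 against v2 under (simplified) Maven rules."""
    for a, b in zip_longest(_tokenize(v1), _tokenize(v2)):
        c = _cmp_item(a, b)
        if c:
            return c
    return 0


def semver_style_compare(v1, v2):
    """Generic comparator that reads anything after the numeric core as a
    pre-release suffix, so a suffixed version sorts BELOW the bare one."""
    def split(v):
        m = re.match(r"^(\d+(?:\.\d+)*)[.\-]?(.*)$", v)
        return tuple(int(x) for x in m.group(1).split(".")), m.group(2)
    c1, s1 = split(v1)
    c2, s2 = split(v2)
    n = max(len(c1), len(c2))
    c1 += (0,) * (n - len(c1))
    c2 += (0,) * (n - len(c2))
    if c1 != c2:
        return (c1 > c2) - (c1 < c2)
    if s1 == s2:
        return 0
    if not s1 or not s2:              # bare release beats any suffix
        return 1 if not s1 else -1
    return (s1 > s2) - (s1 < s2)


def is_fixed(installed, fixed_in, compare):
    """True when `installed` is at or above `fixed_in` under `compare`."""
    return compare(installed, fixed_in) >= 0


# Strings named in the PR; the fix version is a HYPOTHETICAL placeholder, not
# the advisory's real fixed-in value.
INSTALLED = "13.2.1.jre11"
HYPOTHETICAL_FIXED_IN = "13.2.1"

if __name__ == "__main__":
    for name, cmp in (("maven", maven_compare), ("semver-style", semver_style_compare)):
        print(f"{name:13s} {INSTALLED} vs {HYPOTHETICAL_FIXED_IN}: "
              f"cmp={cmp(INSTALLED, HYPOTHETICAL_FIXED_IN):+d} "
              f"fixed={is_fixed(INSTALLED, HYPOTHETICAL_FIXED_IN, cmp)}")
```

Under Maven's rules the unknown qualifier jre11 sorts after the bare release, so 13.2.1.jre11 is at or above 13.2.1; a comparator that treats the suffix as a pre-release reaches the opposite verdict and reports the package as unfixed. Matching the comparison to the package ecosystem is what removes this class of false positive, and because a scanner upgrade can change the comparator, re-running the scan after the bump and diffing the findings against the previous run is a cheap way to confirm nothing flipped the other way.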
@coderabbitai
Contributor

coderabbitai Bot commented Feb 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info


📥 Commits

Reviewing files that changed from the base of the PR and between 0afae3f and e532d68.

📒 Files selected for processing (1)
  • .github/workflows/reusable-vulnerability-scan.yml

📝 Walkthrough

Updates the Grype SBOM scan GitHub Action from v5 to v7.3.2 in the reusable vulnerability scan workflow. The change maintains all other parameters and only modifies the container image tag reference.

Changes

Cohort / File(s): GitHub Actions Workflow, .github/workflows/reusable-vulnerability-scan.yml
Summary: Upgraded anchore/scan-action from v5 (hash 869c549e6) to v7.3.2 (hash 7037fa011) for the Grype SBOM scan step.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • jandroav
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title accurately and specifically describes the main change: upgrading anchore/scan-action to v7.3.2 to fix a specific CVE false positive.
  • Description check: ✅ Passed. The description is well-related to the changeset, providing clear context about the upgrade, the root cause of the false positive, upstream fixes, and a comprehensive test plan.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

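The change itself is a bump of a commit-SHA-pinned action with a version comment (v5 at 869c549e6 to v7.3.2 at 7037fa011). As an added check that is not part of this repository or of the CodeRabbit review, the script below audits every uses: reference in a workflow for that pinning style, flagging mutable tags and branches and SHA pins that lack a human-readable version comment. The workflow text is a constructed sample, and the 40-character SHAs in it are placeholders, not the real commit hashes.

```python
import re

# Constructed sample workflow excerpt (not the repository's file). The SHAs are
# placeholders. It mixes one tag pin, one SHA pin with a version comment, one
# SHA pin without a comment, and one branch reference.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - name: Grype SBOM scan
        uses: anchore/scan-action@0000000000000000000000000000000000000000 # v7.3.2
      - uses: example/other-action@1111111111111111111111111111111111111111
      - uses: example/tool@main
"""

# Matches `uses: owner/repo[/path]@ref [# comment]` on a single YAML line.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.\-]+/[\w.\-/]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # full commit SHA, immutable
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")     # release tag, movable by the owner


def audit_action_pins(workflow_text):
    """Classify each `uses:` reference in a workflow.

    Returns a list of (action, ref, status) tuples where status is one of:
      'sha-pinned'        full 40-hex commit SHA with a '# vX.Y.Z' comment
      'sha-uncommented'   commit SHA but no human-readable version comment
      'tag-pinned'        tag reference (the owner can move it to new code)
      'branch'            branch or other mutable reference
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        comment = (m.group("comment") or "").strip()
        if SHA_RE.match(ref):
            status = "sha-pinned" if TAG_RE.match(comment) else "sha-uncommented"
        elif TAG_RE.match(ref):
            status = "tag-pinned"
        else:
            status = "branch"
        findings.append((action, ref, status))
    return findings


def unpinned(findings):
    """Only the references a supply-chain reviewer should ask about."""
    return [f for f in findings if f[2] != "sha-pinned"]


if __name__ == "__main__":
    for action, ref, status in audit_action_pins(SAMPLE_WORKFLOW):
        print(f"{status:16s} {action}@{ref}")
```

A SHA pin is what makes the bump in this PR reviewable: the comment states the intended release and the hash fixes the exact code, so a later change to either shows up in the diff. Running an audit like this in CI over every workflow file keeps that property from eroding as new steps are added.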

@jnewton03 jnewton03 self-assigned this Feb 23, 2026
@jnewton03 jnewton03 merged commit df52007 into main Feb 23, 2026
3 checks passed
@jnewton03 jnewton03 deleted the bugfix/upgrade-grype-scan-action branch February 23, 2026 19:48