From e532d6841f961ba85ecd16dcc8fb7e74a5abf874 Mon Sep 17 00:00:00 2001
From: Jake Newton
Date: Mon, 23 Feb 2026 13:42:39 -0600
Subject: [PATCH] Upgrade anchore/scan-action from v5 to v7.3.2 (Grype v0.107.1)

The pinned scan-action (v5) bundled Grype v0.85.0 which has a false-positive for CVE-2025-59250 on mssql-jdbc due to Microsoft's non-standard version metadata. This was fixed in Grype v0.104.1+ (anchore/grype#3034). Upgrading to scan-action v7.3.2 which bundles Grype v0.107.1 resolves the false positive at the scanner level.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/reusable-vulnerability-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/reusable-vulnerability-scan.yml b/.github/workflows/reusable-vulnerability-scan.yml
index 229f1755..32a5e2a0 100644
--- a/.github/workflows/reusable-vulnerability-scan.yml
+++ b/.github/workflows/reusable-vulnerability-scan.yml
@@ -199,7 +199,7 @@ jobs:
       - name: Grype SBOM scan
         if: inputs.mode == 'docker' && inputs.generate_sbom
-        uses: anchore/scan-action@869c549e657a088dc0441b08ce4fc0ecdac2bb65 # v5
+        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
         with:
           sbom: sbom.spdx.json
           fail-build: false