Add Anchor security scan

[rugk]

The tool seems to cover JS, which is useful for us and standard container dependencies.

https://github.com/anchore/grype

[elrido]

I think what it tries to tell is that it looks at the package.json, sees the version as 1.3.0 and therefore assumes we are affected by the CVE we published on that release. I checked and it seems that we indeed forgot to increment the version string in that file, probably in the 1.3.1 release. I now use sed to match and replace these numbers during publication, but I seem to have omitted that file. I'll change package.json and Makefile in master and we could add this check added after the next release got published.

Edit: Fixed in PrivateBin/PrivateBin@a2ffbaf

[rugk]

Great. Note that in order to increment the package.json you can also use the npm version command… 🙂

[rugk]

Re-triggered this thiny (via a simple merge), so let's see how the situation may have improved since our last try… 🙃

[rugk]

Error: Failed minimum severity level. Found vulnerabilities with level medium or higher

Well nice, but where/how/where are these? 😅

Also in GitHubs advanced code scanning tab I could find nothing…