Bump anchore/sbom-action from 0.20.5 to 0.22.2

[dependabot]

Bumps anchore/sbom-action from 0.20.5 to 0.22.2.

Release notes

Sourced from anchore/sbom-action's releases.

v0.22.2

⬆️ Dependencies

• chore(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 (#581) [@dependabot[bot]]
• chore(deps): update Syft to v1.41.2 (#582) [@anchore-actions-token-generator[bot]]
• chore(deps-dev): bump the dev-dependencies group with 2 updates (#580) [@dependabot[bot]]
• chore(deps): update Syft to v1.41.1 (#579) [@anchore-actions-token-generator[bot]]

v0.22.1

⬆️ Dependencies

• chore(deps): update Syft to v1.41.0 (#576) [@anchore-actions-token-generator[bot]]
• chore(deps): bump lodash from 4.17.21 to 4.17.23 (#573) [@dependabot[bot]]

v0.22.0

Changes in v0.22.0

⬆️ Dependencies

• chore(deps-dev): bump the dev-dependencies group with 19 updates (#566) [@​dependabot]
• chore(deps): bump npm-check-updates from 17.1.3 to 19.3.1 (#567) [@​dependabot]
• chore(deps): update Syft to v1.40.1 (#563) [@​anchore-actions-token-generator[bot]]

v0.21.1

Changes in v0.21.1

• chore(deps): update Syft to v1.40.0 (#562) [[anchore-actions-token-generator[bot]](https://github.com/[anchore-actions-token-generator[bot]](https://github.com/apps/anchore-actions-token-generator))]

v0.21.0

• chore(deps): update Syft to v1.39.0 (#561)
• chore(deps): bump @​octokit/request-error, @​octokit/core and @​octokit/webhooks (#560)
• chore(deps): bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#558)

v0.20.11

Changes in v0.20.11

• update Syft to v1.38.2 (anchore/sbom-action#557)
• bump @​octokit/plugin-paginate-rest, @​actions/artifact and @​actions/github (#550) [[dependabot[bot]](https://github.com/[dependabot[bot]](https://github.com/apps/dependabot))]
• bump js-yaml (#552) [[dependabot[bot]](https://github.com/[dependabot[bot]](https://github.com/apps/dependabot))]

v0.20.10

Changes in v0.20.10

• chore(deps): update Syft to v1.38.0 (#548) [[anchore-actions-token-generator[bot]](https://github.com/[anchore-actions-token-generator[bot]](https://github.com/apps/anchore-actions-token-generator))]

v0.20.9

Changes in v0.20.9

... (truncated)

Commits

• 28d7154 chore(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 (#581)
• 5e35834 chore(deps): update Syft to v1.41.2 (#582)
• a30a06a chore(deps-dev): bump the dev-dependencies group with 2 updates (#580)
• 750e84c chore(deps): update Syft to v1.41.1 (#579)
• 5620efe chore(deps): bump release-drafter/release-drafter from 6.1.0 to 6.2.0 (#578)
• ec824c7 chore(deps): bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#577)
• deef08a chore(deps): update Syft to v1.41.0 (#576)
• f139ded chore(deps): bump lodash from 4.17.21 to 4.17.23 (#573)
• 1b05262 chore(deps): bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 (#575)
• 1e8f28d chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#574)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA a3d5495.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/anchore/sbom-action	28d71544de8eaf1b958d335707167c5f783590ad	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/SCA-Anchore-Syft-SBOM.yml