anchore · kforsthoevel · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
diff --git a/README.md b/README.md
@@ -136,6 +136,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `only-fixed`        | Specify whether to only report vulnerabilities that have a fix available.                                                                                                                                                                                        | `false`       |
 | `add-cpes-if-none`  | Specify whether to autogenerate missing CPEs.                                                                                                                                                                                                                    | `false`       |
 | `by-cve`            | Specify whether to orient results by CVE rather than GHSA.                                                                                                                                                                                                       | `false`       |
+| `show-suppressed`   | Specify whether to include suppressed (ignored) vulnerabilities in the results.                                                                                                                                                                                  | `false`       |
 | `vex`               | Specify a list of VEX documents to consider when producing scanning results.                                                                                                                                                                                     | `false`       |
 | `cache-db`          | Cache the Grype DB in GitHub action cache and restore before checking for updates                                                                                                                                                                                | `false`       |
 | `grype-version`     | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js).                                                                                                                                                     |               |

diff --git a/action.js b/action.js
@@ -132,6 +132,7 @@ async function run() {
     const onlyFixed = core.getInput("only-fixed") || "false";
     const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
     const byCve = core.getInput("by-cve") || "false";
+    const showSuppressed = core.getInput("show-suppressed") || "false";
     const vex = core.getInput("vex") || "";
     const configFile = core.getInput("config") || "";
     const cacheDb = core.getInput("cache-db") || "false";
@@ -145,6 +146,7 @@ async function run() {
       outputFormat,
       addCpesIfNone,
       byCve,
+      showSuppressed,
       vex,
       configFile,
       cacheDb,
@@ -296,6 +298,7 @@ async function runScan({
   outputFormat,
   addCpesIfNone,
   byCve,
+  showSuppressed,
   vex,
   configFile,
   cacheDb = "false",
@@ -340,6 +343,7 @@ async function runScan({
   onlyFixed = onlyFixed.toLowerCase() === "true";
   addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
   byCve = byCve.toLowerCase() === "true";
+  showSuppressed = showSuppressed.toLowerCase() === "true";
   cacheDb = cacheDb.toLowerCase() === "true" && cache.isFeatureAvailable();
 
   cmdArgs.push("-o", outputFormat);
@@ -391,6 +395,7 @@ async function runScan({
   core.debug("Only Fixed: " + onlyFixed);
   core.debug("Add Missing CPEs: " + addCpesIfNone);
   core.debug("Orient by CVE: " + byCve);
+  core.debug("Show Suppressed: " + showSuppressed);
   core.debug("Output Format: " + outputFormat);
   core.debug("Cache DB: " + cacheDb);
 
@@ -410,6 +415,9 @@ async function runScan({
   if (byCve === true) {
     cmdArgs.push("--by-cve");
   }
+  if (showSuppressed === true) {
+    cmdArgs.push("--show-suppressed");
+  }
   if (vex) {
     cmdArgs.push("--vex");
     cmdArgs.push(vex);

diff --git a/action.yml b/action.yml
@@ -40,6 +40,10 @@ inputs:
     description: "Specify whether to orient results by CVE rather than GHSA.  Default is false."
     required: false
     default: "false"
+  show-suppressed:
+    description: "Specify whether to include suppressed (ignored) vulnerabilities in the results.  Default is false."
+    required: false
+    default: "false"
   grype-version:
     description: "A specific version of Grype to install"
     required: false

diff --git a/dist/index.js b/dist/index.js
@@ -65028,6 +65028,7 @@ async function run() {
     const onlyFixed = getInput("only-fixed") || "false";
     const addCpesIfNone = getInput("add-cpes-if-none") || "false";
     const byCve = getInput("by-cve") || "false";
+    const showSuppressed = getInput("show-suppressed") || "false";
     const vex = getInput("vex") || "";
     const configFile = getInput("config") || "";
     const cacheDb = getInput("cache-db") || "false";
@@ -65041,6 +65042,7 @@ async function run() {
       outputFormat,
       addCpesIfNone,
       byCve,
+      showSuppressed,
       vex,
       configFile,
       cacheDb
@@ -65161,6 +65163,7 @@ async function runScan({
   outputFormat,
   addCpesIfNone,
   byCve,
+  showSuppressed,
   vex,
   configFile,
   cacheDb = "false"
@@ -65199,6 +65202,7 @@ async function runScan({
   onlyFixed = onlyFixed.toLowerCase() === "true";
   addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
   byCve = byCve.toLowerCase() === "true";
+  showSuppressed = showSuppressed.toLowerCase() === "true";
   cacheDb = cacheDb.toLowerCase() === "true" && isFeatureAvailable();
   cmdArgs.push("-o", outputFormat);
   if (!outputFile) {
@@ -65234,6 +65238,7 @@ async function runScan({
   debug("Only Fixed: " + onlyFixed);
   debug("Add Missing CPEs: " + addCpesIfNone);
   debug("Orient by CVE: " + byCve);
+  debug("Show Suppressed: " + showSuppressed);
   debug("Output Format: " + outputFormat);
   debug("Cache DB: " + cacheDb);
   debug("Creating options for GRYPE analyzer");
@@ -65250,6 +65255,9 @@ async function runScan({
   if (byCve === true) {
     cmdArgs.push("--by-cve");
   }
+  if (showSuppressed === true) {
+    cmdArgs.push("--show-suppressed");
+  }
   if (vex) {
     cmdArgs.push("--vex");
     cmdArgs.push(vex);

diff --git a/tests/grype_command.test.js b/tests/grype_command.test.js
@@ -155,6 +155,31 @@ describe(
       ]);
     });
 
+    it("shows suppressed vulnerabilities if requested", async () => {
+      const args = await mockRun({
+        image: "asdf",
+        "fail-build": "false",
+        "output-file": "the-output-file",
+        "output-format": "json",
+        "severity-cutoff": "low",
+        "only-fixed": "false",
+        "add-cpes-if-none": "false",
+        "by-cve": "false",
+        "show-suppressed": "true",
+      });
+      assert.deepEqual(args, [
+        "-v",
+        "-o",
+        "json",
+        "--file",
+        "the-output-file",
+        "--fail-on",
+        "low",
+        "--show-suppressed",
+        "asdf",
+      ]);
+    });
+
     it("with path by cve", async () => {
       const args = await mockRun({
         path: "asdf",

diff --git a/tests/sarif_output.test.js b/tests/sarif_output.test.js
@@ -42,6 +42,7 @@ const testSource = async (source, vulnerabilities) => {
     onlyFixed: "false",
     addCpesIfNone: "false",
     byCve: "false",
+    showSuppressed: "false",
   });
 
   // expect to get sarif output