Thanks for this @harmw overall it looks good, thinking of the ergonomics, I wonder if it would be more consistent with image and path options to just call the parameter sbom?

yeah so I started with exactly that an mind, but figured there are some other options supported in grype that may be of interest and are configurable this way - happy to change it back into sbom though, as it's a little cleaner (though less versatile) :)

I think using sbom, and always having it prepend the sbom: prefix would be more consistent with the current state of this action. We made a conscious decision not to support everything in the action command parameters. There is always the option to add a .grype.yaml in the repository root for more advanced configuration, although the source parameter is tricky. Additionally, there are some other options like just using the download sub-action and invoking grype directly. But adding an sbom definitely sounds like a useful improvement to the action!

We made a conscious decision not to support everything in the action command parameters.

check, and happy to change it 👍

automated tests, yes please - tbh I found the current set of tests, or rather the layout of the project a little (too) complex 🙈 maybe something to pick up in a separate PR, but that also feels a little daunting.
And probably also due to my lack of javascript ecosystem knowledge 😂