Compare commits
13 Commits
@@ -6,6 +6,8 @@
[![GitHub Marketplace][marketplace-img]][marketplace]
[![License][license-img]][license]



## Table of Contents

- [Usage](#usage)
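Review bot: the new `[![GitHub Marketplace][marketplace-img]][marketplace]` and `[![License][license-img]][license]` badges rely on reference-style link definitions, but only `[release]` and `[release-img]` definitions are visible in the later hunk's context; make sure `[marketplace]`, `[marketplace-img]`, `[license]` and `[license-img]` are defined at the bottom of the README, otherwise the badges render as literal bracketed text. The new Table of Contents shows only `- [Usage](#usage)` here; it should also cover the `## Customizing` section that appears later in the README.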
@@ -39,27 +41,70 @@ jobs:
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run vulnerability scanner
uses: aquasecurity/trivy-action@0.0.5
uses: aquasecurity/trivy-action@0.0.7
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
```

### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
steps:
- name: Setup Go
uses: actions/setup-go@v1
with:
go-version: 1.14
- name: Checkout code
uses: actions/checkout@v2
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'
```

You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo

## Customizing

### inputs

Following inputs can be used as `step.with` keys:

| Name | Type | Default | Description |
|-------------|--------|------------------------------------|-----------------------------------------------|
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `format` | String | `table` | Output format (`table`, `json`) |
| `exit-code` | String | `0` | exit code when vulnerabilities were found |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | severities of vulnerabilities to be displayed |

| Name | Type | Default | Description |
|------------------|---------|------------------------------------|-----------------------------------------------|
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `format` | String | `table` | Output format (`table`, `json`, `template`) |
| `template` | String | | Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when vulnerabilities were found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to be displayed |

[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github

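Review bot: the new code-scanning example pins the action to `aquasecurity/trivy-action@master` while the first example is bumped to the `@0.0.7` tag; a workflow that references a branch executes whatever that branch points to at run time, so the example should reference a release tag (or a full commit SHA) exactly like the first one, and the README should not encourage `@master`. One smaller point: the code-scanning example leaves `exit-code` at its documented default of `0`, which is what lets the `upload-sarif` step run after findings but also means the job never fails on them; a sentence saying so would help readers who copy `exit-code: '1'` from the first example into this one and then wonder why nothing reaches the Security tab.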
+18 -3
@@ -1,5 +1,5 @@
name: 'Trivy Vulnerability Scanner'
description: 'Scan container image for vulnerabilities with Trivy'
name: 'Aqua Security Trivy'
description: 'Scans container images for vulnerabilities with Trivy'
author: 'Aqua Security'
inputs:
image-ref:
@@ -9,20 +9,35 @@ inputs:
description: 'exit code when vulnerabilities were found'
required: false
default: '0'
ignore-unfixed:
description: 'ignore unfixed vulnerabilities'
required: false
default: false
severity:
description: 'severities of vulnerabilities to be displayed'
required: false
default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
format:
description: 'output format (table, json)'
description: 'output format (table, json, template)'
required: false
default: 'table'
template:
description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
required: false
default: ''
output:
description: 'writes results to a file with the specified file name'
required: false
default: ''
runs:
using: 'docker'
image: 'docker://docker.io/aquasec/trivy:latest'
args:
- 'image'
- '--format=${{ inputs.format }}'
- '--template=${{ inputs.template }}'
- '--exit-code=${{ inputs.exit-code }}'
- '--ignore-unfixed=${{ inputs.ignore-unfixed }}'
- '--severity=${{ inputs.severity }}'
- '--output=${{ inputs.output }}'
- '${{ inputs.image-ref }}'

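Review bot: `image: 'docker://docker.io/aquasec/trivy:latest'` means the scanner itself floats with the `latest` tag, so the Trivy version (and with it output format, exit codes and template behaviour) can change between two runs of an unchanged workflow, and a bad or compromised push to that tag would run in every consumer's CI; pin it to a versioned tag or, better, an image digest, and bump it deliberately when the action is tagged. Two smaller things: the `template` description string is missing its closing parenthesis after `@/contrib/junit.tpl`; and `--template=${{ inputs.template }}` and `--output=${{ inputs.output }}` are passed even when those inputs keep their empty default, so confirm that Trivy treats `--template=` and `--output=` with an empty value as unset rather than as an empty template or an empty output path.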
Binary file not shown.
After: Width: | Height: | Size: 505 KiB