Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
5681af892c | ||
|
|
807896715e | ||
|
|
0fa0cdb177 |
@@ -659,7 +659,7 @@ Following inputs can be used as `step.with` keys:
|
||||
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
|
||||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
|
||||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
|
||||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
|
||||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
|
||||
| `tf-vars` | String | | path to Terraform variables file |
|
||||
| `output` | String | | Save results to a file |
|
||||
@@ -669,12 +669,12 @@ Following inputs can be used as `step.with` keys:
|
||||
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
|
||||
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
|
||||
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory |
|
||||
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
|
||||
| `timeout` | String | `5m0s` | Scan timeout duration |
|
||||
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
|
||||
| `hide-progress` | String | `false` | Suppress progress bar and log output |
|
||||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
|
||||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
|
||||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
|
||||
| `trivy-config` | String | | Path to trivy.yaml config |
|
||||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
|
||||
|
||||
+44
-22
@@ -108,8 +108,10 @@ runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- name: Install Trivy
|
||||
shell: bash
|
||||
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin ${{ inputs.version }}
|
||||
uses: aquasecurity/setup-trivy@v0.1.0
|
||||
with:
|
||||
version: ${{ inputs.version }}
|
||||
cache: ${{ inputs.cache }}
|
||||
|
||||
- name: Get current date
|
||||
id: date
|
||||
@@ -130,6 +132,45 @@ runs:
|
||||
env:
|
||||
GITHUB_ACTION_PATH: ${{ github.action_path }}
|
||||
|
||||
- name: Set Trivy environment variables
|
||||
shell: bash
|
||||
run: |
|
||||
# Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
|
||||
# This limitation affects how we handle default values and empty inputs.
|
||||
# For more information, see: https://github.com/actions/runner/issues/924
|
||||
|
||||
# Function to set environment variable only if the input is provided and different from default
|
||||
set_env_var_if_provided() {
|
||||
local var_name="$1"
|
||||
local input_value="$2"
|
||||
local default_value="$3"
|
||||
|
||||
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
|
||||
echo "$var_name=$input_value" >> $GITHUB_ENV
|
||||
fi
|
||||
}
|
||||
|
||||
# Set environment variables, handling those with default values
|
||||
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
|
||||
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""
|
||||
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" ""
|
||||
set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false"
|
||||
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library"
|
||||
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
|
||||
set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table"
|
||||
set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" ""
|
||||
set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" ""
|
||||
set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" ""
|
||||
set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" ""
|
||||
set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" ""
|
||||
set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" ""
|
||||
set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" ""
|
||||
set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false"
|
||||
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" ""
|
||||
set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" ""
|
||||
set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" ""
|
||||
set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" ""
|
||||
|
||||
- name: Run Trivy
|
||||
shell: bash
|
||||
run: entrypoint.sh
|
||||
@@ -145,23 +186,4 @@ runs:
|
||||
INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}
|
||||
|
||||
# For Trivy
|
||||
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
|
||||
TRIVY_INPUT: ${{ inputs.input }}
|
||||
TRIVY_EXIT_CODE: ${{ inputs.exit-code }}
|
||||
TRIVY_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
|
||||
TRIVY_PKG_TYPES: ${{ inputs.vuln-type }}
|
||||
TRIVY_SEVERITY: ${{ inputs.severity }}
|
||||
TRIVY_FORMAT: ${{ inputs.format }}
|
||||
TRIVY_TEMPLATE: ${{ inputs.template }}
|
||||
TRIVY_OUTPUT: ${{ inputs.output }}
|
||||
TRIVY_SKIP_DIRS: ${{ inputs.skip-dirs }}
|
||||
TRIVY_SKIP_FILES: ${{ inputs.skip-files }}
|
||||
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }}
|
||||
TRIVY_TIMEOUT: ${{ inputs.timeout }}
|
||||
TRIVY_IGNORE_POLICY: ${{ inputs.ignore-policy }}
|
||||
TRIVY_QUIET: ${{ inputs.hide-progress }}
|
||||
TRIVY_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }}
|
||||
TRIVY_SCANNERS: ${{ inputs.scanners }}
|
||||
TRIVY_CONFIG: ${{ inputs.trivy-config }}
|
||||
TRIVY_TF_VARS: ${{ inputs.tf-vars }}
|
||||
TRIVY_DOCKER_HOST: ${{ inputs.docker-host }}
|
||||
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
|
||||
|
||||
Reference in New Issue
Block a user