Update README.md

feat: Allow skipping setup (#414 )
If a user is invoking the action multiple times then the trivy binary gets installed multiple times. Users can avoid this by managing the installation themselves and setting the skip-setup input to true, or by letting the action install in on their first invocation and then setting skip-setup to true on subsequent invocations Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
2024-10-18 19:36:37 -06:00 · 2024-10-15 19:57:47 -06:00 · 2024-10-15 10:04:03 -06:00
2 changed files with 116 additions and 18 deletions
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@
  * [Scan CI Pipeline](#scan-ci-pipeline)
  * [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
  * [Cache](#cache)
+  * [Trivy Setup](#trivy-setup)
  * [Scanning a Tarball](#scanning-a-tarball)
  * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
  * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
@@ -48,7 +49,7 @@ jobs:
      - name: Build an image from Dockerfile
        run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
@@ -76,7 +77,7 @@ jobs:
      uses: actions/checkout@v4

    - name: Run Trivy vulnerability scanner in fs mode
-      uses: aquasecurity/trivy-action@0.20.0
+      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -117,7 +118,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme

 ```yaml
    - name: Run Trivy scanner without cache
-      uses: aquasecurity/trivy-action@0.20.0
+      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -175,7 +176,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T

 ```yaml
    - name: Run Trivy scanner without downloading DBs
-      uses: aquasecurity/trivy-action@0.20.0
+      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'image'
        scan-ref: 'myimage'
@@ -184,6 +185,97 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
        TRIVY_SKIP_JAVA_DB_UPDATE: true
 ```

+### Trivy Setup
+By default the action calls [`aquasecurity/setup-trivy`](https://github.com/aquasecurity/setup-trivy) as the first step
+which installs the `trivy` version specified by the `version` input.  If you have already installed `trivy` by other
+means, e.g. calling `aquasecurity/setup-trivy` directly, or are invoking this action multiple times then you can use the
+`skip-setup-trivy` input to disable this step.
+
+#### Setting up Trivy Manually
+```yaml
+name: build
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Manual Trivy Setup
+      uses: aquasecurity/setup-trivy@v0.2.0
+      with:
+        cache: true
+        version: v0.56.1
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL'
+        skip-setup-trivy: true
+```
+
+#### Skipping Setup when Calling Trivy Action multiple times
+Another common use case is when a build calls this action multiple times, in this case we can set `skip-setup-trivy` to 
+`true` on subsequent invocations e.g.
+
+```yaml
+name: build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+
+      # The first call to the action will invoke setup-trivy and install trivy
+      - name: Generate Trivy Vulnerability Report
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          output: trivy-report.json
+          format: json
+          scan-ref: .
+          exit-code: 0
+
+      - name: Upload Vulnerability Scan Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-report.json
+          retention-days: 30
+
+      - name: Fail build on High/Criticial Vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          format: table
+          scan-ref: .
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: 1
+          # On a subsequent call to the action we know trivy is already installed so can skip this
+          skip-setup-trivy: true
+```
+
 ### Scanning a Tarball
 ```yaml
 name: build
@@ -206,7 +298,7 @@ jobs:
        docker save -o vuln-image.tar <your-docker-image>

    - name: Run Trivy vulnerability scanner in tarball mode
-      uses: aquasecurity/trivy-action@0.20.0
+      uses: aquasecurity/trivy-action@0.28.0
      with:
        input: /github/workspace/vuln-image.tar
        severity: 'CRITICAL,HIGH'
@@ -234,7 +326,7 @@ jobs:
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -269,7 +361,7 @@ jobs:
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -304,7 +396,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
@@ -338,7 +430,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner with rootfs command
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'rootfs'
          scan-ref: 'rootfs-example-binary'
@@ -373,7 +465,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'config'
          hide-progress: true
@@ -417,7 +509,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          format: 'github'
@@ -448,7 +540,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Scan image in a private registry
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: "private_image_registry/image_name:image_tag"
          scan-type: image
@@ -491,7 +583,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -527,7 +619,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
          format: 'sarif'
@@ -563,7 +655,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -596,7 +688,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.20.0
+        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -619,7 +711,7 @@ This step is especially useful for private repositories without [GitHub Advanced

 ```yaml
 - name: Run Trivy scanner
-  uses: aquasecurity/trivy-action@0.20.0
+  uses: aquasecurity/trivy-action@0.28.0
  with:
    scan-type: config
    hide-progress: true
@@ -681,6 +773,7 @@ Following inputs can be used as `step.with` keys:
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values                                      |
 | `version`                    | String  | `v0.56.1`                          | Trivy version to use, e.g. `latest` or `v0.56.1`                                                                                                               |
+| `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                       |

 ### Environment variables
 You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
--- a/action.yaml
+++ b/action.yaml
@@ -103,12 +103,17 @@ inputs:
    description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
    required: false
    default: 'true'
+  skip-setup-trivy:
+    description: 'skip calling the setup-trivy action to install trivy'
+    required: false
+    default: 'false'

 runs:
  using: 'composite'
  steps:
    - name: Install Trivy
-      uses: aquasecurity/setup-trivy@v0.1.0
+      if: ${{ inputs.skip-setup-trivy == 'false' }}
+      uses: aquasecurity/setup-trivy@v0.2.1
      with:
        version: ${{ inputs.version }}
        cache: ${{ inputs.cache }}