actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.28.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
...
compare: actions:update-default-version
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

2 Commits
0.28.0 ... update-default-version

Author SHA1 Message Date
simar7
872edd45a5 Update README.md 2024-10-18 19:36:37 -06:00
Rob Vesse
fc1500abdc feat: Allow skipping setup (#414) 
If a user is invoking the action multiple times then the trivy binary
gets installed multiple times.  Users can avoid this by managing the
installation themselves and setting the skip-setup input to true, or by
letting the action install in on their first invocation and then setting
skip-setup to true on subsequent invocations

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
 2024-10-15 19:57:47 -06:00
2 changed files with 115 additions and 17 deletions
Expand all files Collapse all files
README.md
+110 -17
View File
@@ -14,6 +14,7 @@
* [Scan CI Pipeline](#scan-ci-pipeline)
* [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
* [Cache](#cache)
* [Trivy Setup](#trivy-setup)
* [Scanning a Tarball](#scanning-a-tarball)
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
@@ -48,7 +49,7 @@ jobs:
- name: Build an image from Dockerfile
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
@@ -76,7 +77,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
@@ -117,7 +118,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
@@ -175,7 +176,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
```yaml
- name: Run Trivy scanner without downloading DBs
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'image'
scan-ref: 'myimage'
@@ -184,6 +185,97 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
TRIVY_SKIP_JAVA_DB_UPDATE: true
```
### Trivy Setup
By default the action calls [`aquasecurity/setup-trivy`](https://github.com/aquasecurity/setup-trivy) as the first step
which installs the `trivy` version specified by the `version` input. If you have already installed `trivy` by other
means, e.g. calling `aquasecurity/setup-trivy` directly, or are invoking this action multiple times then you can use the
`skip-setup-trivy` input to disable this step.
#### Setting up Trivy Manually
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Manual Trivy Setup
uses: aquasecurity/setup-trivy@v0.2.0
with:
cache: true
version: v0.56.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
skip-setup-trivy: true
```
#### Skipping Setup when Calling Trivy Action multiple times
Another common use case is when a build calls this action multiple times, in this case we can set `skip-setup-trivy` to
`true` on subsequent invocations e.g.
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Check out Git repository
uses: actions/checkout@v4
# The first call to the action will invoke setup-trivy and install trivy
- name: Generate Trivy Vulnerability Report
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
output: trivy-report.json
format: json
scan-ref: .
exit-code: 0
- name: Upload Vulnerability Scan Results
uses: actions/upload-artifact@v4
with:
name: trivy-report
path: trivy-report.json
retention-days: 30
- name: Fail build on High/Criticial Vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
format: table
scan-ref: .
severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: 1
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
```
### Scanning a Tarball
```yaml
name: build
@@ -206,7 +298,7 @@ jobs:
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
@@ -234,7 +326,7 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -269,7 +361,7 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -304,7 +396,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -338,7 +430,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary'
@@ -373,7 +465,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'config'
hide-progress: true
@@ -417,7 +509,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
format: 'github'
@@ -448,7 +540,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: "private_image_registry/image_name:image_tag"
scan-type: image
@@ -491,7 +583,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -527,7 +619,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'sarif'
@@ -563,7 +655,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -596,7 +688,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -619,7 +711,7 @@ This step is especially useful for private repositories without [GitHub Advanced
```yaml
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@0.20.0
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: config
hide-progress: true
@@ -681,6 +773,7 @@ Following inputs can be used as `step.with` keys:
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
action.yaml
+5
View File
@@ -103,11 +103,16 @@ inputs:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
default: 'true'
skip-setup-trivy:
description: 'skip calling the setup-trivy action to install trivy'
required: false
default: 'false'
runs:
using: 'composite'
steps:
- name: Install Trivy
if: ${{ inputs.skip-setup-trivy == 'false' }}
uses: aquasecurity/setup-trivy@v0.2.1
with:
version: ${{ inputs.version }}