Compare commits



nikpivkin
f639b31661 chore(deps): Update trivy to v0.64.0 2025-07-02 15:04:59 +00:00
16 changed files with 128 additions and 184 deletions
+3 -21
@@ -15,31 +15,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set new version from input
run: echo "NEW_VERSION=${{ inputs.trivy_version }}" >> $GITHUB_ENV
- name: Update Trivy versions
env:
NEW_VERSION: ${{ inputs.trivy_version }}
run: make bump-trivy
- name: Setup Bats and bats libs
id: setup-bats
uses: bats-core/bats-action@3.0.1
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ inputs.trivy_version }}
trivy --version
- name: Update golden files
env:
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
run: make update-golden
- name: Run tests
env:
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
run: make test
- name: Create PR
id: create-pr
uses: peter-evans/create-pull-request@v5
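Review bot: The `Set new version from input` step on L18 splices `${{ inputs.trivy_version }}` straight into a `run:` script and from there into `$GITHUB_ENV`; a `workflow_dispatch` input is not shell-safe, so the value should reach the shell through an `env:` mapping — as the `Update Trivy versions` step on L20-21 already does — and be written as `echo "NEW_VERSION=$NEW_VERSION" >> "$GITHUB_ENV"`. The same applies to the `curl ... | sh -s -- ... v${{ inputs.trivy_version }}` line on L28 wherever that `Install Trivy` step survives. Which of these lines are on the new side is inferred from the hunk counts (`-15,31 +15,13`) and the old-then-new print order; no `+`/`-` markers survive on this page. The enclosing `jobs:` block starts before this hunk and the `Create PR` step continues after it.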
+1 -4
@@ -11,10 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: setup-oras
uses: oras-project/setup-oras@v1.2.3
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
-3
@@ -12,9 +12,6 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: setup-oras
uses: oras-project/setup-oras@v1.2.3
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
-3
@@ -12,9 +12,6 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: setup-oras
uses: oras-project/setup-oras@v1.2.3
- name: Login to GitHub Packages Container registry
uses: docker/login-action@v3
with:
+6 -5
@@ -6,7 +6,7 @@ on:
workflow_dispatch:
env:
TRIVY_VERSION: 0.68.1
TRIVY_VERSION: 0.64.0
BATS_LIB_PATH: '/usr/lib/'
jobs:
@@ -16,8 +16,7 @@ jobs:
- uses: actions/checkout@v4
- name: Setup Bats and bats libs
id: setup-bats
uses: bats-core/bats-action@3.0.1
uses: bats-core/bats-action@2.0.0
- name: Install Trivy
run: |
@@ -25,6 +24,8 @@ jobs:
trivy --version
- name: Test
run: bats --recursive --timing --verbose-run .
env:
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
run: make test
TRIVY_CACHE_DIR: .cache
TRIVY_DISABLE_VEX_NOTICE: true
TRIVY_DEBUG: true
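Review bot: The `env:` entries `TRIVY_DISABLE_VEX_NOTICE: true` and `TRIVY_DEBUG: true` on L97-98 are bare YAML booleans; the Actions runner stringifies them so they work today, but environment values are strings and yamllint's `truthy` rule flags them — write `TRIVY_DISABLE_VEX_NOTICE: "true"` and `TRIVY_DEBUG: "true"`. On L86, `bats-core/bats-action@2.0.0` (the new line, reading the pair old-then-new) is a mutable tag, whereas the `setup-trivy` step in this change's action.yml is pinned by full commit SHA with a version comment; pinning here the same way keeps the repository's pinning policy consistent. The side of each line is inferred from the hunk counts and print order. The `jobs:` block and the `Install Trivy` script body lie outside these hunks.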
+8 -23
@@ -1,33 +1,18 @@
OS := $(shell uname)
SED = sed
BATS_LIB_PATH = /usr/local/lib/
ifeq ($(OS), Darwin)
SED = gsed
BATS_LIB_PATH ?= /opt/homebrew/lib
else
SED = sed
BATS_LIB_PATH ?= /usr/local/lib/
SED = gsed
BATS_LIB_PATH = /opt/homebrew/lib
endif
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
GITHUB_REPOSITORY_OWNER=aquasecurity \
TRIVY_CACHE_DIR=.cache \
TRIVY_DISABLE_VEX_NOTICE=true \
TRIVY_DEBUG=true
BATS_FLAGS := --recursive --timing --verbose-run .
.PHONY: test
test: init-cache
$(BATS_ENV) bats $(BATS_FLAGS)
.PHONY: update-golden
update-golden: init-cache
UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
.PHONY: init-cache
init-cache:
test:
mkdir -p .cache
rm -f .cache/fanal/fanal.db
BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
bats --recursive --timing --verbose-run .
bump-trivy:
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
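Review bot: The inline environment on L131-132 ends each line with a backslash glued to the preceding token (`aquasecurity\`, `TRIVY_DEBUG=true\`); make passes the backslash-newline to the shell, which removes it, so unless the continuation line carries whitespace beyond the recipe-prefix tab the shell sees `GITHUB_REPOSITORY_OWNER=aquasecurityTRIVY_CACHE_DIR=.cache` as a single assignment and the cache-dir and debug settings are silently dropped. Put a space before each backslash (`GITHUB_REPOSITORY_OWNER=aquasecurity \`), or gather the assignments in one variable the way the removed `BATS_ENV :=` block on L114-118 did. Whether L128-133 are the new side is inferred from the hunk counts (`-1,33 +1,18`) and old-then-new print order. Two smaller points: the guard on L135 should quote its operand, `@[ -n "$$NEW_VERSION" ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )`, and `test` should stay declared `.PHONY` if the declaration on L120 is not kept on the new side.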
+38 -82
@@ -46,11 +46,11 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
@@ -78,7 +78,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
@@ -119,7 +119,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
@@ -180,7 +180,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
```yaml
- name: Run Trivy scanner without downloading DBs
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'image'
scan-ref: 'myimage'
@@ -215,7 +215,7 @@ jobs:
uses: aquasecurity/setup-trivy@v0.2.0
with:
cache: true
version: v0.68.1
version: v0.64.0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
@@ -287,7 +287,7 @@ Therefore, you can't install `Trivy` using the `setup-trivy` action.
To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
@@ -318,7 +318,7 @@ jobs:
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
@@ -342,10 +342,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: "fs"
scan-ref: .
@@ -371,10 +371,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: "fs"
scan-ref: .
@@ -395,9 +395,6 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -407,14 +404,14 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -433,9 +430,6 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -445,14 +439,14 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
@@ -461,7 +455,7 @@ jobs:
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
### Using Trivy to scan your Git repo
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -475,15 +469,12 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -492,13 +483,13 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan your rootfs directories
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -512,15 +503,12 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary'
@@ -530,15 +518,13 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to scan Infrastructure as Code
It's also possible to scan your IaC repos with Trivy's built-in repo scan.
This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo.
This helps you identify potential vulnerabilities that might get introduced with each PR.
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -552,15 +538,12 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'config'
hide-progress: true
@@ -570,26 +553,11 @@ jobs:
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
**Note**: If your Terraform configuration contains private modules, configure Git to authenticate with the repository hosting them.
This can be done by adding a step in your CI workflow that sets up access, for example using a Personal Access Token (PAT) or SSH keys:
```yaml
- name: Configure Git for private modules
run: |
git config --global url."https://$GITHUB_USER:$PRIVATE_REPO_TOKEN@github.com/".insteadOf "https://github.com/"
env:
GITHUB_USER: ${{ github.actor }}
PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
```
This ensures Trivy can download private modules.
### Using Trivy to generate SBOM
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
@@ -617,12 +585,12 @@ jobs:
uses: actions/checkout@v4
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
scan-ref: '.'
image-ref: '.'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
```
@@ -647,7 +615,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: "private_image_registry/image_name:image_tag"
scan-type: image
@@ -685,15 +653,12 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF results to the GitHub Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -703,7 +668,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -724,15 +689,12 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'sarif'
@@ -743,7 +705,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -763,15 +725,12 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -780,7 +739,7 @@ jobs:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -799,15 +758,12 @@ jobs:
build:
name: Build
runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif'
@@ -817,7 +773,7 @@ jobs:
TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
```
@@ -830,7 +786,7 @@ This step is especially useful for private repositories without [GitHub Advanced
```yaml
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@0.33.1
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: config
hide-progress: true
@@ -891,7 +847,7 @@ Following inputs can be used as `step.with` keys:
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
| `version` | String | `v0.68.1` | Trivy version to use, e.g. `latest` or `v0.68.1` |
| `version` | String | `v0.64.0` | Trivy version to use, e.g. `latest` or `v0.64.0` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
+3 -3
@@ -98,7 +98,7 @@ inputs:
version:
description: 'Trivy version to use'
required: false
default: 'v0.68.1'
default: 'v0.64.0'
cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
@@ -126,7 +126,7 @@ runs:
# "allowing select actions" feature can be used to whitelist the dependent action by a hash.
# This is needed since some organizations have a policy to only allow pinned 3rd party actions to
# be used.
uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # equivalent to `v0.2.4`
uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087 # equivalent to `v0.2.2`
with:
version: ${{ inputs.version }}
cache: ${{ inputs.cache }}
@@ -139,7 +139,7 @@ runs:
- name: Restore DB from cache
if: ${{ inputs.cache == 'true' }}
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
uses: actions/cache@v4
with:
path: ${{ inputs.cache-dir }}
key: cache-trivy-${{ steps.date.outputs.date }}
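Review bot: `uses: actions/cache@v4` on L538 (the new line, reading the pair old-then-new) is a mutable tag, while the comment on L526-528 says this composite action pins dependent actions by hash so that organisations with a pinned-actions policy can allow-list them; the `setup-trivy` step immediately above is pinned that way, so this step becomes the one exception and defeats that policy for every consumer of the action. Pin it to a full commit SHA with the release in a trailing comment, in the form `uses: actions/cache@<FULL_COMMIT_SHA> # vX.Y.Z` (the SHA on the removed line L537 is the only concrete value visible here; choose the release you actually intend). The hash on L530 is labelled `# equivalent to v0.2.2`; that mapping cannot be checked from this page and is worth verifying against the upstream release before merge. The enclosing `runs:` block starts before these hunks.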
-3
@@ -1,3 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
}
+37 -8
@@ -2,6 +2,18 @@
"SchemaVersion": 2,
"ArtifactName": "test/data/config-scan",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
@@ -38,6 +50,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -77,7 +90,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -97,6 +111,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -136,7 +151,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -156,6 +172,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -195,7 +212,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -216,6 +234,7 @@
"https://avd.aquasec.com/misconfig/s3-bucket-logging"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -255,7 +274,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -275,6 +295,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
@@ -395,6 +416,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -434,7 +456,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -454,6 +477,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -493,7 +517,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -513,6 +538,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -552,7 +578,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -572,6 +599,7 @@
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
@@ -611,7 +639,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
}
]
+1 -2
@@ -51,8 +51,7 @@ Total: 19 (CRITICAL: 19)
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
│ │ │ │ │ │ │ data integrity tests fail).... │
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
+11 -8
@@ -1,15 +1,18 @@
{
"SchemaVersion": 2,
"ArtifactID": "sha256:79ce4c2f8371bef1ce2a321518d3136bc1bd8f3c307ed679944a38e7cbd76c14",
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {
"RepoURL": "https://github.com/krol3/demo-trivy/",
"Branch": "main",
"Commit": "547db823c73fdb3385871f6235e946c72291f734",
"CommitMsg": "chore: add gitignore",
"Author": "carolina valencia <krol3@users.noreply.github.com>",
"Committer": "carolina valencia <krol3@users.noreply.github.com>"
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
@@ -66,7 +69,7 @@
]
},
"Match": "export GITHUB_PAT=****************************************",
"Offset": 63
"Layer": {}
}
]
}
+1 -2
@@ -51,8 +51,7 @@ Total: 19 (CRITICAL: 19)
│ │ │ │ │ │ │ Windows Subsystem for... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │
│ │ │ │ │ │ │ data integrity tests fail).... │
│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
+12
@@ -2,6 +2,18 @@
"SchemaVersion": 2,
"ArtifactName": "test/data/with-tf-vars/main.tf",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
+3 -5
@@ -1,6 +1,6 @@
{
"SchemaVersion": 2,
"ArtifactID": "sha256:aab05ff324c90bb728aa5177b75d7e39d363be13323873de70959d2251edcebc",
"CreatedAt": "2025-06-03T01:26:45.367171-06:00",
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
@@ -20,7 +20,6 @@
"RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
],
"Reference": "alpine:3.10",
"ImageConfig": {
"architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
@@ -73,7 +72,7 @@
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
"PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
"UID": "b7a64ae671a99195"
},
"InstalledVersion": "2.10.6-r0",
@@ -90,7 +89,6 @@
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Fingerprint": "sha256:f86484d912018e22a8212a9c21359a64583d86342016ed1c57e3b3d6e9afa63c",
"Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
@@ -125,7 +123,7 @@
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
],
"PublishedDate": "2021-08-03T14:15:08.233Z",
"LastModifiedDate": "2024-11-21T06:13:13.57Z"
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
}
]
}
+4 -12
@@ -5,7 +5,6 @@ setup_file() {
export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
export TRIVY_LIST_ALL_PKGS=false
}
setup() {
@@ -17,7 +16,7 @@ setup() {
function remove_json_fields() {
local file="$1"
if [[ "$file" == *.json ]]; then
jq 'del(.CreatedAt, .ReportID)' "$file" > tmp && mv tmp "$file"
jq 'del(.CreatedAt)' "$file" > tmp && mv tmp "$file"
fi
}
@@ -58,16 +57,9 @@ function compare_files() {
remove_github_fields "$file1"
remove_github_fields "$file2"
if [ "${UPDATE_GOLDEN}" = "1" ]; then
cp "$file1" "$file2"
echo "Updated golden file: $file2"
else
run diff "$file1" "$file2"
echo "$output"
assert_files_equal "$file1" "$file2"
fi
rm -f "$file1"
run diff "$file1" "$file2"
echo "$output"
assert_files_equal "$file1" "$file2"
}
@test "trivy repo with securityCheck secret only" {
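Review bot: `compare_files` on the new side (L876-878) no longer removes the scan output: the `rm -f "$file1"` on removed line L875 has no counterpart, so every test leaves its report on disk and a later test writing to the same output path can end up comparing a stale file. Restore the cleanup after the assertion, `rm -f "$file1"`, or move it into `teardown`. On L861, `jq 'del(.CreatedAt)'` stops stripping `.ReportID`; if the Trivy version pinned in this change emits that per-run field, golden comparisons will fail non-deterministically, and keeping `del(.CreatedAt, .ReportID)` costs nothing since `del` on an absent key is a no-op. The same helper (L857-863, context) also writes through a fixed `tmp` file in the working directory, which collides when tests run in parallel; `local tmp; tmp=$(mktemp)` avoids that. Which lines are new is inferred from the hunk counts (`-58,16 +57,9`) and the old-then-new print order.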