Daniel Pacak 1975dcb126 feat: Artifact types
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
2021-02-18 21:12:28 +01:00

Trivy Action

GitHub Action for Trivy

Usage

Workflow

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

Using Trivy with GitHub Code Scanning

If GitHub code scanning is available to your repository, you can use Trivy as the scanning tool and publish its findings to the Security tab as follows:

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml

Customizing

inputs

The following inputs can be used as step.with keys:

| Name | Type | Default | Description |
|------|------|---------|-------------|
| image-ref | String | | Image reference, e.g. alpine:3.10.2 |
| format | String | table | Output format (table, json, template) |
| template | String | | Output template (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl) |
| output | String | | Save results to a file |
| exit-code | String | 0 | Exit code when vulnerabilities were found |
| ignore-unfixed | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| vuln-type | String | os,library | Vulnerability types (os,library) |
| severity | String | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | Severities of vulnerabilities to be displayed |
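The inputs above decide which findings a scan reports and whether the build step fails. The script below is an added example written for this page, not the action's own code or part of Trivy: it applies the same four gates (severity, vuln-type, ignore-unfixed, exit-code) to a Trivy JSON report so you can see, on a constructed sample, exactly which findings survive a setting such as `severity: 'CRITICAL,HIGH'` with `ignore-unfixed: true` and what exit code the step would return. It assumes the JSON layout Trivy wrote at the time (a list of targets, each with a `Type` and a `Vulnerabilities` list); the CVE identifiers and package versions are placeholders, and the set of OS target types is an assumption.

```python
import json
import sys

# Constructed sample standing in for the file `trivy image --format json` writes.
# Assumed schema: list of targets with "Target", "Type" and "Vulnerabilities".
# Identifiers and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps([
    {
        "Target": "docker.io/my-organization/my-app:abc123 (alpine 3.10.2)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "musl",
             "InstalledVersion": "1.1.22-r2", "FixedVersion": "1.1.22-r3",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "openssl",
             "InstalledVersion": "1.1.1d-r0", "FixedVersion": "",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
             "InstalledVersion": "1.2.11-r1", "FixedVersion": "1.2.11-r2",
             "Severity": "LOW"},
        ],
    },
    {
        "Target": "app/package-lock.json",
        "Type": "npm",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "lodash",
             "InstalledVersion": "4.17.15", "FixedVersion": "4.17.19",
             "Severity": "HIGH"},
        ],
    },
])

# Assumed: which Trivy target types count as "os"; everything else is "library".
OS_TYPES = {"alpine", "debian", "ubuntu", "centos", "redhat", "amazon",
            "oracle", "suse", "photon"}
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def load_report(text):
    """Parse the JSON report text into the list-of-targets structure."""
    return json.loads(text)


def filter_findings(report, severity="UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
                    vuln_type="os,library", ignore_unfixed=False):
    """Apply the severity / vuln-type / ignore-unfixed gates.

    Returns a list of (target, vulnerability id, package, severity) tuples
    for the findings that would appear in the action's output.
    """
    wanted = {s.strip().upper() for s in severity.split(",") if s.strip()}
    unknown = wanted - set(SEVERITIES)
    if unknown:
        raise ValueError("unknown severity level(s): %s" % ", ".join(sorted(unknown)))
    types = {t.strip().lower() for t in vuln_type.split(",") if t.strip()}

    findings = []
    for result in report:
        kind = "os" if result.get("Type", "").lower() in OS_TYPES else "library"
        if kind not in types:
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            # ignore-unfixed drops findings with no FixedVersion available.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings.append((result["Target"], vuln["VulnerabilityID"],
                             vuln["PkgName"], vuln["Severity"]))
    return findings


def exit_code_for(findings, exit_code="0"):
    """The step's exit status: the configured exit-code if anything was found, else 0."""
    return int(exit_code) if findings else 0


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    # Same gating as the first workflow on this page.
    hits = filter_findings(report, severity="CRITICAL,HIGH",
                           vuln_type="os,library", ignore_unfixed=True)
    for target, vid, pkg, sev in hits:
        print("%-8s %-18s %-10s %s" % (sev, vid, pkg, target))
    sys.exit(exit_code_for(hits, exit_code="1"))
```

Run with the page's first workflow settings, the unfixed CRITICAL openssl finding is dropped by `ignore-unfixed` and the LOW zlib finding by `severity`, leaving two HIGH findings and an exit status of 1; with the defaults all four are reported but the step still exits 0 because `exit-code` defaults to 0. Failing only on fixable CRITICAL/HIGH findings is a common starting point; widening the severity list later is a one-line change in the workflow.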
Description

Runs Trivy as a GitHub Action to scan your Docker container image for vulnerabilities. License: Apache-2.0.