name: 'Aqua Security Trivy' description: 'Scans container images for vulnerabilities with Trivy' author: 'Aqua Security' inputs: scan-type: description: 'Scan type to use for scanning vulnerability' required: false default: 'image' image-ref: description: 'image reference(for backward compatibility)' required: false input: description: 'reference of tar file to scan' required: false default: '' scan-ref: description: 'Scan reference' required: false default: '.' exit-code: description: 'exit code when vulnerabilities were found' required: false ignore-unfixed: description: 'ignore unfixed vulnerabilities' required: false default: 'false' vuln-type: description: 'comma-separated list of vulnerability types (os,library)' required: false default: 'os,library' severity: description: 'severities of vulnerabilities to be displayed' required: false default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' format: description: 'output format (table, json, template)' required: false default: 'table' template: description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)' required: false default: '' output: description: 'writes results to a file with the specified file name' required: false default: '' skip-dirs: description: 'comma separated list of directories where traversal is skipped' required: false default: '' skip-files: description: 'comma separated list of files to be skipped' required: false default: '' cache-dir: description: 'specify where the cache is stored' required: false default: '' timeout: description: 'timeout (default 5m0s)' required: false default: '' ignore-policy: description: 'filter vulnerabilities with OPA rego language' required: false default: '' hide-progress: description: 'suppress progress bar and log output' required: false list-all-pkgs: description: 'output all packages regardless of vulnerability' required: false default: 'false' scanners: description: 'comma-separated list of what security issues to detect' required: false default: '' trivyignores: description: 'comma-separated list of relative paths in repository to one or more .trivyignore files' required: false default: '' artifact-type: description: 'input artifact type (image, fs, repo, archive) for SBOM generation' required: false github-pat: description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API' required: false trivy-config: description: 'path to trivy.yaml config' required: false tf-vars: description: "path to terraform tfvars file" required: false limit-severities-for-sarif: description: 'limit severities for SARIF format' required: false docker-host: description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock' required: false runs: using: 'docker' image: "Dockerfile" args: - '-a ${{ inputs.scan-type }}' - '-b ${{ inputs.format }}' - '-c ${{ inputs.template }}' - '-d ${{ inputs.exit-code }}' - '-e ${{ inputs.ignore-unfixed }}' - '-f ${{ inputs.vuln-type }}' - '-g ${{ inputs.severity }}' - '-h ${{ inputs.output }}' - '-i ${{ inputs.image-ref }}' - '-j ${{ inputs.scan-ref }}' - '-k ${{ inputs.skip-dirs }}' - '-l ${{ inputs.input }}' - '-m ${{ inputs.cache-dir }}' - '-n ${{ inputs.timeout }}' - '-o ${{ inputs.ignore-policy }}' - '-p ${{ inputs.hide-progress }}' - '-q ${{ inputs.skip-files }}' - '-r ${{ inputs.list-all-pkgs }}' - '-s ${{ inputs.scanners }}' - '-t ${{ inputs.trivyignores }}' - '-u ${{ inputs.github-pat }}' - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' - '-y ${{ inputs.docker-host }}'