You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1975dcb126
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com> |
3 years ago | |
---|---|---|
docs/images | 4 years ago | |
.gitignore | 4 years ago | |
LICENSE | 4 years ago | |
README.md | 3 years ago | |
action.yaml | 3 years ago | |
workflow.yml | 3 years ago |
README.md
Trivy Action
GitHub Action for Trivy
Table of Contents
Usage
Workflow
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
Using Trivy with GitHub Code Scanning
If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'
You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
Customizing
inputs
Following inputs can be used as step.with
keys:
Name | Type | Default | Description |
---|---|---|---|
image-ref |
String | Image reference, e.g. alpine:3.10.2 |
|
format |
String | table |
Output format (table , json , template ) |
template |
String | Output template (@/contrib/sarif.tpl , @/contrib/gitlab.tpl , @/contrib/junit.tpl ) |
|
output |
String | Save results to a file | |
exit-code |
String | 0 |
Exit code when vulnerabilities were found |
ignore-unfixed |
Boolean | false | Ignore unpatched/unfixed vulnerabilities |
vuln-type |
String | os,library |
Vulnerability types (os,library) |
severity |
String | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL |
Severities of vulnerabilities to be displayed |