Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities

github-actions scanner scanning devsecops tools vulnerability security

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Daniel Pacak 1975dcb126 feat: Artifact types Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>		3 years ago
docs/images	docs: Update README.md	4 years ago
.gitignore	feat: Add exit-code to Trivy args (#1 )	4 years ago
LICENSE	docs: Add badges (#6 )	4 years ago
README.md	Add vuln-type parameter (#19 )	3 years ago
action.yaml	feat: Artifact types	3 years ago
workflow.yml	Add vuln-type parameter (#19 )	3 years ago

README.md

Trivy Action

GitHub Action for Trivy

Usage
- Workflow
Customizing
- Inputs

Usage

Workflow

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      
      - name: Build an image from Dockerfile
        run: |
                    docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

Using Trivy with GitHub Code Scanning

If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Build an image from Dockerfile
        run: |
                    docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml

Customizing

inputs

Following inputs can be used as step.with keys:

Name	Type	Default	Description
`image-ref`	String		Image reference, e.g. `alpine:3.10.2`
`format`	String	`table`	Output format (`table`, `json`, `template`)
`template`	String		Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)
`output`	String		Save results to a file
`exit-code`	String	`0`	Exit code when vulnerabilities were found
`ignore-unfixed`	Boolean	false	Ignore unpatched/unfixed vulnerabilities
`vuln-type`	String	`os,library`	Vulnerability types (os,library)
`severity`	String	`UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`	Severities of vulnerabilities to be displayed