andrew_zah
/
trivy-action
mirror of https://github.com/aquasecurity/trivy-action
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
51 Commits
16 Branches
59 Tags
1.5 MiB
Shell 88%
HCL 10.2%
Dockerfile 1.3%
Makefile 0.5%
 
 
 
 
use-pinned-version
master
update-to-v0.45.0
update-trivy-v0.43.1
bump-trivy-3
bump-trivy
add-support-for-trivy-config
fix-golden-files
exit-code-test
update-tarball-docs
volume-mounts
update-readme
revert-45-fix_sarif_duplicate_rule_id
knqyf263-patch-1
artifact_types
sarif-support-2
0.0.1
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.2
0.0.20
0.0.21
0.0.22
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.1.0
0.10.0
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.13.1
0.14.0
0.15.0
0.16.0
0.16.1
0.17.0
0.18.0
0.19.0
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.20.0
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.8.0
0.9.0
0.9.1
0.9.2
v0.0.10
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'revert-45-fix_sarif_duplicate_rule_id'
${ noResults }
Go to file
Simar e0bba9a46a Revert "Use fixed Sarif template (#45)" 
This reverts commit 4ef054abe6.
 		3 years ago
docs/images docs: Update README.md 4 years ago
.gitignore feat: Add exit-code to Trivy args (#1) 4 years ago
Dockerfile Revert "Use fixed Sarif template (#45)" 3 years ago
LICENSE docs: Add badges (#6) 4 years ago
README.md Improve Readme to remove docker build step (#43) 3 years ago
action.yaml feat: add support for cache dire and timeout inputs (#35) 3 years ago
entrypoint.sh Pin docker image, and update skip dirs argument passing to trivy (#41) 3 years ago
workflow.yml Add vuln-type parameter (#19) 3 years ago

README.md

Trivy Action

GitHub Action for Trivy

GitHub Release GitHub Marketplace License

Table of Contents

Usage

Workflow

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      
      - name: Build an image from Dockerfile
        run: |
                    docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

Using Trivy with GitHub Code Scanning

If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Build an image from Dockerfile
        run: |
                    docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml

Using Trivy to scan your Git repo

It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.

If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

Using Trivy to scan your private registry

It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.

Docker Hub registry

Docker Hub needs TRIVY_USERNAME and TRIVY_PASSWORD. You don't need to set ENV vars when downloading from a public repository.

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
        env:
          TRIVY_USERNAME: Username
          TRIVY_PASSWORD: Password        

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

AWS ECR (Elastic Container Registry)

Trivy uses AWS SDK. You don't need to install aws CLI tool. You can use AWS CLI's ENV Vars.

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
        env:
          AWS_ACCESS_KEY_ID: key_id
          AWS_SECRET_ACCESS_KEY: access_key
          AWS_DEFAULT_REGION: us-west-2

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

GCR (Google Container Registry)

Trivy uses Google Cloud SDK. You don't need to install gcloud command.

If you want to use target project's repository, you can set it via GOOGLE_APPLICATION_CREDENTIAL.

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
        env:
          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

Self-Hosted

BasicAuth server needs TRIVY_USERNAME and TRIVY_PASSWORD. if you want to use 80 port, use NonSSL TRIVY_NON_SSL=true

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
        env:
          TRIVY_USERNAME: Username
          TRIVY_PASSWORD: Password        

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

Customizing

inputs

Following inputs can be used as step.with keys:

Name Type Default Description
scan-type String image Scan type, e.g. image or fs
input String Tar reference, e.g. alpine-latest.tar
image-ref String Image reference, e.g. alpine:3.10.2
scan-ref String /github/workspace/ Scan reference, e.g. /github/workspace/ or .
format String table Output format (table, json, template)
template String Output template (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl)
output String Save results to a file
exit-code String 0 Exit code when vulnerabilities were found
ignore-unfixed Boolean false Ignore unpatched/unfixed vulnerabilities
vuln-type String os,library Vulnerability types (os,library)
severity String UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL Severities of vulnerabilities to be displayed
skip-dirs String Comma separated list of directories where traversal is skipped
cache-dir String Cache directory
timeout String 2m0s Scan timeout duration