Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities

github-actions scanner scanning devsecops tools vulnerability security

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Simarpreet Singh 040f2f6248 docs: Fix docs and add improved example repo Signed-off-by: Simarpreet Singh <simar@linux.com>		4 years ago
docs/images	docs: Update README.md	4 years ago
.gitignore	feat: Add exit-code to Trivy args (#1 )	4 years ago
LICENSE	docs: Add badges (#6 )	4 years ago
README.md	docs: Fix docs and add improved example repo	4 years ago
action.yaml	docs: Fix docs and add improved example repo	4 years ago

README.md

Trivy Action

GitHub Action for Trivy

Usage
- Workflow
Customizing
- Inputs

Usage

Workflow

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Setup Go
        uses: actions/setup-go@v1
        with:
          go-version: 1.14
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build an image from Dockerfile
        run: |
                    docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run vulnerability scanner
        uses: aquasecurity/trivy-action@0.0.7
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

Using Trivy with GitHub Code Scanning

If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      - name: Setup Go
        uses: actions/setup-go@v1
        with:
          go-version: 1.14
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
      - name: Build an image from Dockerfile
        run: |
                    docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo

Customizing

inputs

Following inputs can be used as step.with keys:

Name	Type	Default	Description
`image-ref`	String		Image reference, e.g. `alpine:3.10.2`
`format`	String	`table`	Output format (`table`, `json`, `template`)
`template`	String		Output template (`@/contrib/sarif.tpl`, `@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)
`output`	String		Save results to a file
`exit-code`	String	`0`	Exit code when vulnerabilities were found
`ignore-unfixed`	Boolean	false	Ignore unpatched/unfixed vulnerabilities
`severity`	String	`UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`	Severities of vulnerabilities to be displayed