Avoid repeatedly setting up Trivy if called multiple times with same args in same workflow #6

Closed
rvesse opened this issue Oct 14, 2024 · 2 comments

Comments

Contributor

rvesse commented Oct 14, 2024

We have a number of workflows with steps like the following:

  • Pre-download the Trivy Java DB (so we can cache it - this part of our workflow predates the introduction of caching directly into trivy-action and we may remove this in the future)
  • Run a Trivy scan with exit-code: 0 to get a full report of all vulnerabilities
  • Run another Trivy scan with exit-code: 1 and severity: HIGH,CRITICAL to fail our build if any High/Critical vulnerabilities are present

Here's an example of this - https://github.com/telicent-oss/shared-workflows/blob/main/.github/workflows/maven.yml#L230-L268

Since trivy-action refactored itself to be a composite action, it now uses this setup-trivy action to ensure trivy is installed and available. However, it doesn't include any logic to avoid repeated work, so this now results in our workflows downloading and installing Trivy 3 times, e.g.

2024-10-14T08:41:24.5563308Z ##[group]Run aquasecurity/trivy-action@master
2024-10-14T08:41:24.5563720Z with:
2024-10-14T08:41:24.5563952Z   scan-type: fs
2024-10-14T08:41:24.5564228Z   output: trivy-report.json
2024-10-14T08:41:24.5564523Z   format: json
2024-10-14T08:41:24.5564779Z   scan-ref: .
2024-10-14T08:41:24.5565016Z   exit-code: 0
2024-10-14T08:41:24.5565270Z   cache-dir: .trivy
2024-10-14T08:41:24.5565544Z   ignore-unfixed: false
2024-10-14T08:41:24.5565827Z   vuln-type: os,library
2024-10-14T08:41:24.5566154Z   severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2024-10-14T08:41:24.5566537Z   list-all-pkgs: false
2024-10-14T08:41:24.5566815Z   version: v0.56.1
2024-10-14T08:41:24.5567065Z   cache: true
2024-10-14T08:41:24.5567480Z env:
2024-10-14T08:41:24.5567709Z   MAVEN_USERNAME: 
2024-10-14T08:41:24.5567978Z   MAVEN_PASSWORD: 
2024-10-14T08:41:24.5568395Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5569080Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5569577Z ##[endgroup]
2024-10-14T08:41:24.5802835Z ##[group]Run aquasecurity/[email protected]
2024-10-14T08:41:24.5803202Z with:
2024-10-14T08:41:24.5803436Z   version: v0.56.1
2024-10-14T08:41:24.5803691Z   cache: true
2024-10-14T08:41:24.5804113Z env:
2024-10-14T08:41:24.5804332Z   MAVEN_USERNAME: 
2024-10-14T08:41:24.5804590Z   MAVEN_PASSWORD: 
2024-10-14T08:41:24.5805002Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5805651Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5806143Z ##[endgroup]
2024-10-14T08:41:24.5823288Z ##[group]Run lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:24.5823898Z lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:24.5824447Z echo "PLATFORM=${lowercase_repo}" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5872887Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:24.5873322Z env:
2024-10-14T08:41:24.5873557Z   MAVEN_USERNAME: 
2024-10-14T08:41:24.5873822Z   MAVEN_PASSWORD: 
2024-10-14T08:41:24.5874238Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5874887Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.5875394Z ##[endgroup]
2024-10-14T08:41:24.5985515Z ##[group]Run if [ "X64" == "X86" ]; then
2024-10-14T08:41:24.5985891Z if [ "X64" == "X86" ]; then
2024-10-14T08:41:24.5986268Z   echo "ARCH=32bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5986653Z elif [ "X64" == "X64" ]; then
2024-10-14T08:41:24.5987014Z   echo "ARCH=64bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5987656Z elif [ "X64" == "ARM" ]; then
2024-10-14T08:41:24.5988040Z   echo "ARCH=arm" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5988418Z elif [ "X64" == "ARM64" ]; then
2024-10-14T08:41:24.5988802Z   echo "ARCH=arm64" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.5989149Z else
2024-10-14T08:41:24.5989432Z   echo "Unsupported architecture"
2024-10-14T08:41:24.5989785Z   exit 1
2024-10-14T08:41:24.5990028Z fi
2024-10-14T08:41:24.6032768Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:24.6033207Z env:
2024-10-14T08:41:24.6033434Z   MAVEN_USERNAME: 
2024-10-14T08:41:24.6033702Z   MAVEN_PASSWORD: 
2024-10-14T08:41:24.6034115Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6034754Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6035238Z ##[endgroup]
2024-10-14T08:41:24.6118607Z ##[group]Run if [ "true" == "true" ]; then
2024-10-14T08:41:24.6119001Z if [ "true" == "true" ]; then
2024-10-14T08:41:24.6119384Z   if [ "v0.56.1" == "latest" ]; then
2024-10-14T08:41:24.6120073Z     echo "Trivy binaries caching for 'latest' tag is not supported"
2024-10-14T08:41:24.6120561Z   else
2024-10-14T08:41:24.6120874Z     echo "CACHE=enable" >> $GITHUB_OUTPUT
2024-10-14T08:41:24.6121243Z   fi
2024-10-14T08:41:24.6121483Z fi
2024-10-14T08:41:24.6164121Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:24.6164558Z env:
2024-10-14T08:41:24.6164784Z   MAVEN_USERNAME: 
2024-10-14T08:41:24.6165051Z   MAVEN_PASSWORD: 
2024-10-14T08:41:24.6165460Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6166106Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6166591Z ##[endgroup]
2024-10-14T08:41:24.6294662Z ##[group]Run jaxxstorm/[email protected]
2024-10-14T08:41:24.6295098Z with:
2024-10-14T08:41:24.6295347Z   repo: aquasecurity/trivy
2024-10-14T08:41:24.6295644Z   tag: v0.56.1
2024-10-14T08:41:24.6295902Z   platform: linux
2024-10-14T08:41:24.6296165Z   arch: 64bit
2024-10-14T08:41:24.6296416Z   cache: enable
2024-10-14T08:41:24.6296783Z   token: ***
2024-10-14T08:41:24.6297050Z   extension-matching: enable
2024-10-14T08:41:24.6297540Z env:
2024-10-14T08:41:24.6297886Z   MAVEN_USERNAME: 
2024-10-14T08:41:24.6298162Z   MAVEN_PASSWORD: 
2024-10-14T08:41:24.6298796Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6299441Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:24.6299926Z ##[endgroup]
2024-10-14T08:41:24.7829091Z ==> System reported platform: linux
2024-10-14T08:41:24.7830022Z ==> Using platform: linux
2024-10-14T08:41:24.7833496Z ==> System reported arch: x64
2024-10-14T08:41:24.7834076Z ==> Using arch: 64bit
2024-10-14T08:41:24.7834698Z ==> Using default file extension matching: .(tar.gz|zip)
2024-10-14T08:41:24.7836195Z ==> Binaries will be located at: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:26.3406901Z Received 8388608 of 37531381 (22.4%), 8.0 MBs/sec
2024-10-14T08:41:26.6215209Z Received 37531381 of 37531381 (100.0%), 27.9 MBs/sec
2024-10-14T08:41:26.6216011Z Cache Size: ~36 MB (37531381 B)
2024-10-14T08:41:26.6243645Z [command]/usr/bin/tar -xf /home/runner/work/_temp/e6c64f2f-bf83-4065-83de-aed179a3e0db/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:26.8141151Z Cache restored successfully
2024-10-14T08:41:26.8221317Z Found trivy in the cache: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:26.8369138Z ##[group]Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:26.8369678Z echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:26.8418194Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:26.8418623Z env:
2024-10-14T08:41:26.8418853Z   MAVEN_USERNAME: 
2024-10-14T08:41:26.8419126Z   MAVEN_PASSWORD: 
2024-10-14T08:41:26.8419560Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8420200Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8420690Z ##[endgroup]
2024-10-14T08:41:26.8541854Z ##[group]Run actions/cache@v4
2024-10-14T08:41:26.8542162Z with:
2024-10-14T08:41:26.8542407Z   path: .trivy
2024-10-14T08:41:26.8542683Z   key: cache-trivy-2024-10-14
2024-10-14T08:41:26.8543006Z   restore-keys: cache-trivy-
2024-10-14T08:41:26.8543328Z   enableCrossOsArchive: false
2024-10-14T08:41:26.8543646Z   fail-on-cache-miss: false
2024-10-14T08:41:26.8543944Z   lookup-only: false
2024-10-14T08:41:26.8544224Z   save-always: false
2024-10-14T08:41:26.8544494Z env:
2024-10-14T08:41:26.8544721Z   MAVEN_USERNAME: 
2024-10-14T08:41:26.8544991Z   MAVEN_PASSWORD: 
2024-10-14T08:41:26.8545410Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8546060Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:26.8546726Z ##[endgroup]
2024-10-14T08:41:28.5101466Z Received 0 of 685706255 (0.0%), 0.0 MBs/sec
2024-10-14T08:41:29.5106134Z Received 100663296 of 685706255 (14.7%), 48.0 MBs/sec
2024-10-14T08:41:30.5104546Z Received 234881024 of 685706255 (34.3%), 74.6 MBs/sec
2024-10-14T08:41:31.5105159Z Received 343932928 of 685706255 (50.2%), 82.0 MBs/sec
2024-10-14T08:41:32.5108432Z Received 457179136 of 685706255 (66.7%), 87.2 MBs/sec
2024-10-14T08:41:33.5134853Z Received 583008256 of 685706255 (85.0%), 92.7 MBs/sec
2024-10-14T08:41:34.3444738Z Cache Size: ~654 MB (685706255 B)
2024-10-14T08:41:34.3484991Z [command]/usr/bin/tar -xf /home/runner/work/_temp/94eb8c78-35ce-48c5-a51f-38ff8153d958/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:34.5109939Z Received 685706255 of 685706255 (100.0%), 93.4 MBs/sec
2024-10-14T08:41:37.3680404Z Cache restored successfully
2024-10-14T08:41:37.6671034Z Cache restored from key: cache-trivy-2024-10-14
2024-10-14T08:41:37.6789128Z ##[group]Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:37.6789620Z echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:37.6838672Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:37.6839116Z env:
2024-10-14T08:41:37.6839359Z   MAVEN_USERNAME: 
2024-10-14T08:41:37.6839843Z   MAVEN_PASSWORD: 
2024-10-14T08:41:37.6840270Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.6840920Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.6841603Z   GITHUB_ACTION_PATH: /home/runner/work/_actions/aquasecurity/trivy-action/master
2024-10-14T08:41:37.6842114Z ##[endgroup]
2024-10-14T08:41:37.9639832Z ##[group]Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:37.9640965Z # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:37.9641865Z # This limitation affects how we handle default values and empty inputs.
2024-10-14T08:41:37.9642585Z # For more information, see: https://github.com/actions/runner/issues/924
2024-10-14T08:41:37.9643112Z
2024-10-14T08:41:37.9643653Z # Function to set environment variable only if the input is provided and different from default
2024-10-14T08:41:37.9644283Z set_env_var_if_provided() {
2024-10-14T08:41:37.9644639Z   local var_name="$1"
2024-10-14T08:41:37.9644969Z   local input_value="$2"
2024-10-14T08:41:37.9645314Z   local default_value="$3"
2024-10-14T08:41:37.9645641Z
2024-10-14T08:41:37.9646035Z   if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
2024-10-14T08:41:37.9646600Z     echo "$var_name=$input_value" >> $GITHUB_ENV
2024-10-14T08:41:37.9647004Z   fi
2024-10-14T08:41:37.9647248Z }
2024-10-14T08:41:37.9647705Z
2024-10-14T08:41:37.9648096Z # Set environment variables, handling those with default values
2024-10-14T08:41:37.9648897Z # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
2024-10-14T08:41:37.9649594Z set_env_var_if_provided "TRIVY_INPUT" "" ""
2024-10-14T08:41:37.9650074Z set_env_var_if_provided "TRIVY_EXIT_CODE" "0" ""
2024-10-14T08:41:37.9650639Z set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "false" "false"
2024-10-14T08:41:37.9651263Z set_env_var_if_provided "TRIVY_PKG_TYPES" "os,library" "os,library"
2024-10-14T08:41:37.9652087Z set_env_var_if_provided "TRIVY_SEVERITY" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
2024-10-14T08:41:37.9652865Z set_env_var_if_provided "TRIVY_FORMAT" "json" "table"
2024-10-14T08:41:37.9653370Z set_env_var_if_provided "TRIVY_TEMPLATE" "" ""
2024-10-14T08:41:37.9654078Z set_env_var_if_provided "TRIVY_OUTPUT" "trivy-report.json" ""
2024-10-14T08:41:37.9654636Z set_env_var_if_provided "TRIVY_SKIP_DIRS" "" ""
2024-10-14T08:41:37.9655127Z set_env_var_if_provided "TRIVY_SKIP_FILES" "" ""
2024-10-14T08:41:37.9655610Z set_env_var_if_provided "TRIVY_TIMEOUT" "" ""
2024-10-14T08:41:37.9656110Z set_env_var_if_provided "TRIVY_IGNORE_POLICY" "" ""
2024-10-14T08:41:37.9656595Z set_env_var_if_provided "TRIVY_QUIET" "" ""
2024-10-14T08:41:37.9657113Z set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "false" "false"
2024-10-14T08:41:37.9657766Z set_env_var_if_provided "TRIVY_SCANNERS" "" ""
2024-10-14T08:41:37.9658230Z set_env_var_if_provided "TRIVY_CONFIG" "" ""
2024-10-14T08:41:37.9658692Z set_env_var_if_provided "TRIVY_TF_VARS" "" ""
2024-10-14T08:41:37.9659180Z set_env_var_if_provided "TRIVY_DOCKER_HOST" "" ""
2024-10-14T08:41:37.9709281Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:37.9709723Z env:
2024-10-14T08:41:37.9709962Z   MAVEN_USERNAME: 
2024-10-14T08:41:37.9710241Z   MAVEN_PASSWORD: 
2024-10-14T08:41:37.9710680Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9711349Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9712024Z ##[endgroup]
2024-10-14T08:41:37.9806483Z ##[group]Run entrypoint.sh
2024-10-14T08:41:37.9806815Z entrypoint.sh
2024-10-14T08:41:37.9849691Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:37.9850131Z env:
2024-10-14T08:41:37.9850375Z   MAVEN_USERNAME: 
2024-10-14T08:41:37.9850658Z   MAVEN_PASSWORD: 
2024-10-14T08:41:37.9851092Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9851758Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:37.9852266Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:37.9852556Z   TRIVY_FORMAT: json
2024-10-14T08:41:37.9852862Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:37.9853216Z   INPUT_SCAN_TYPE: fs
2024-10-14T08:41:37.9853498Z   INPUT_IMAGE_REF: 
2024-10-14T08:41:37.9853769Z   INPUT_SCAN_REF: .
2024-10-14T08:41:37.9854048Z   INPUT_TRIVYIGNORES: 
2024-10-14T08:41:37.9854341Z   INPUT_GITHUB_PAT: 
2024-10-14T08:41:37.9854636Z   INPUT_LIMIT_SEVERITIES_FOR_SARIF: 
2024-10-14T08:41:37.9854984Z   TRIVY_CACHE_DIR: .trivy
2024-10-14T08:41:37.9855286Z ##[endgroup]
2024-10-14T08:41:37.9934539Z Running Trivy with options: trivy fs .
2024-10-14T08:41:38.0506210Z 2024-10-14T08:41:38Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-14T08:41:38.0506934Z 2024-10-14T08:41:38Z	INFO	[secret] Secret scanning is enabled
2024-10-14T08:41:38.0508143Z 2024-10-14T08:41:38Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T08:41:38.0509747Z 2024-10-14T08:41:38Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T08:41:39.6183955Z 2024-10-14T08:41:39Z	INFO	Number of language-specific files	num=12
2024-10-14T08:41:39.6185160Z 2024-10-14T08:41:39Z	INFO	[pom] Detecting vulnerabilities...
2024-10-14T08:41:39.6572667Z ##[group]Run actions/upload-artifact@v4
2024-10-14T08:41:39.6573068Z with:
2024-10-14T08:41:39.6573326Z   name: trivy-report
2024-10-14T08:41:39.6573630Z   path: trivy-report.json
2024-10-14T08:41:39.6573941Z   retention-days: 30
2024-10-14T08:41:39.6574236Z   if-no-files-found: warn
2024-10-14T08:41:39.6574538Z   compression-level: 6
2024-10-14T08:41:39.6574832Z   overwrite: false
2024-10-14T08:41:39.6575117Z   include-hidden-files: false
2024-10-14T08:41:39.6575425Z env:
2024-10-14T08:41:39.6575785Z   MAVEN_USERNAME: 
2024-10-14T08:41:39.6576155Z   MAVEN_PASSWORD: 
2024-10-14T08:41:39.6576826Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:39.6577819Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:39.6578509Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:39.6578926Z   TRIVY_FORMAT: json
2024-10-14T08:41:39.6579337Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:39.6579818Z ##[endgroup]
2024-10-14T08:41:39.8694546Z With the provided path, there will be 1 file uploaded
2024-10-14T08:41:39.8700213Z Artifact name is valid!
2024-10-14T08:41:39.8701440Z Root directory input is valid!
2024-10-14T08:41:40.1446384Z Beginning upload of artifact content to blob storage
2024-10-14T08:41:40.3988528Z Uploaded bytes 503
2024-10-14T08:41:40.4660128Z Finished uploading artifact content to blob storage!
2024-10-14T08:41:40.4662734Z SHA256 hash of uploaded artifact zip is eb3662323bdb3bd48084f07301fb0ef8f1448f694f754dba9c5fab43e20cd336
2024-10-14T08:41:40.4664184Z Finalizing artifact upload
2024-10-14T08:41:40.5949815Z Artifact trivy-report.zip successfully finalized. Artifact ID 2052114189
2024-10-14T08:41:40.5951500Z Artifact trivy-report has been successfully uploaded! Final size is 503 bytes. Artifact ID is 2052114189
2024-10-14T08:41:40.5957914Z Artifact download URL: https://github.com/telicent-oss/jwt-servlet-auth/actions/runs/11323718298/artifacts/2052114189
2024-10-14T08:41:40.6183406Z ##[group]Run aquasecurity/trivy-action@master
2024-10-14T08:41:40.6184092Z with:
2024-10-14T08:41:40.6184763Z   scan-type: fs
2024-10-14T08:41:40.6185211Z   format: table
2024-10-14T08:41:40.6185675Z   scan-ref: .
2024-10-14T08:41:40.6186156Z   severity: HIGH,CRITICAL
2024-10-14T08:41:40.6186474Z   ignore-unfixed: true
2024-10-14T08:41:40.6186761Z   exit-code: 1
2024-10-14T08:41:40.6187017Z   cache-dir: .trivy
2024-10-14T08:41:40.6187469Z   vuln-type: os,library
2024-10-14T08:41:40.6187811Z   list-all-pkgs: false
2024-10-14T08:41:40.6188099Z   version: v0.56.1
2024-10-14T08:41:40.6188359Z   cache: true
2024-10-14T08:41:40.6188596Z env:
2024-10-14T08:41:40.6188828Z   MAVEN_USERNAME: 
2024-10-14T08:41:40.6189100Z   MAVEN_PASSWORD: 
2024-10-14T08:41:40.6189522Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6190174Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6190706Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6190987Z   TRIVY_FORMAT: json
2024-10-14T08:41:40.6191281Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6191622Z ##[endgroup]
2024-10-14T08:41:40.6245958Z ##[group]Run aquasecurity/[email protected]
2024-10-14T08:41:40.6246342Z with:
2024-10-14T08:41:40.6246585Z   version: v0.56.1
2024-10-14T08:41:40.6246859Z   cache: true
2024-10-14T08:41:40.6247106Z env:
2024-10-14T08:41:40.6247555Z   MAVEN_USERNAME: 
2024-10-14T08:41:40.6247867Z   MAVEN_PASSWORD: 
2024-10-14T08:41:40.6248303Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6248974Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6249487Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6249771Z   TRIVY_FORMAT: json
2024-10-14T08:41:40.6250071Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6250403Z ##[endgroup]
2024-10-14T08:41:40.6275170Z ##[group]Run lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:40.6275803Z lowercase_repo=$(echo "Linux" | tr '[:upper:]' '[:lower:]')
2024-10-14T08:41:40.6276387Z echo "PLATFORM=${lowercase_repo}" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6324834Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:40.6325274Z env:
2024-10-14T08:41:40.6325511Z   MAVEN_USERNAME: 
2024-10-14T08:41:40.6325796Z   MAVEN_PASSWORD: 
2024-10-14T08:41:40.6326222Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6326868Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6327528Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6327813Z   TRIVY_FORMAT: json
2024-10-14T08:41:40.6328109Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6328439Z ##[endgroup]
2024-10-14T08:41:40.6438385Z ##[group]Run if [ "X64" == "X86" ]; then
2024-10-14T08:41:40.6438769Z if [ "X64" == "X86" ]; then
2024-10-14T08:41:40.6439176Z   echo "ARCH=32bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6439576Z elif [ "X64" == "X64" ]; then
2024-10-14T08:41:40.6439966Z   echo "ARCH=64bit" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6440368Z elif [ "X64" == "ARM" ]; then
2024-10-14T08:41:40.6440748Z   echo "ARCH=arm" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6441134Z elif [ "X64" == "ARM64" ]; then
2024-10-14T08:41:40.6441535Z   echo "ARCH=arm64" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6441897Z else
2024-10-14T08:41:40.6442195Z   echo "Unsupported architecture"
2024-10-14T08:41:40.6442564Z   exit 1
2024-10-14T08:41:40.6442830Z fi
2024-10-14T08:41:40.6485965Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:40.6486396Z env:
2024-10-14T08:41:40.6486633Z   MAVEN_USERNAME: 
2024-10-14T08:41:40.6486913Z   MAVEN_PASSWORD: 
2024-10-14T08:41:40.6487619Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6488505Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6489023Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6489443Z   TRIVY_FORMAT: json
2024-10-14T08:41:40.6489742Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6490072Z ##[endgroup]
2024-10-14T08:41:40.6577783Z ##[group]Run if [ "true" == "true" ]; then
2024-10-14T08:41:40.6578208Z if [ "true" == "true" ]; then
2024-10-14T08:41:40.6578611Z   if [ "v0.56.1" == "latest" ]; then
2024-10-14T08:41:40.6579144Z     echo "Trivy binaries caching for 'latest' tag is not supported"
2024-10-14T08:41:40.6579646Z   else
2024-10-14T08:41:40.6579988Z     echo "CACHE=enable" >> $GITHUB_OUTPUT
2024-10-14T08:41:40.6580375Z   fi
2024-10-14T08:41:40.6580631Z fi
2024-10-14T08:41:40.6623378Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:40.6623818Z env:
2024-10-14T08:41:40.6624062Z   MAVEN_USERNAME: 
2024-10-14T08:41:40.6624356Z   MAVEN_PASSWORD: 
2024-10-14T08:41:40.6624786Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6625451Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6625953Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6626232Z   TRIVY_FORMAT: json
2024-10-14T08:41:40.6626538Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6626884Z ##[endgroup]
2024-10-14T08:41:40.6759760Z ##[group]Run jaxxstorm/[email protected]
2024-10-14T08:41:40.6760211Z with:
2024-10-14T08:41:40.6760479Z   repo: aquasecurity/trivy
2024-10-14T08:41:40.6760797Z   tag: v0.56.1
2024-10-14T08:41:40.6761064Z   platform: linux
2024-10-14T08:41:40.6761343Z   arch: 64bit
2024-10-14T08:41:40.6761598Z   cache: enable
2024-10-14T08:41:40.6761975Z   token: ***
2024-10-14T08:41:40.6762257Z   extension-matching: enable
2024-10-14T08:41:40.6762573Z env:
2024-10-14T08:41:40.6762810Z   MAVEN_USERNAME: 
2024-10-14T08:41:40.6763088Z   MAVEN_PASSWORD: 
2024-10-14T08:41:40.6763531Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6764198Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:40.6764703Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:40.6764992Z   TRIVY_FORMAT: json
2024-10-14T08:41:40.6765291Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:40.6765623Z ##[endgroup]
2024-10-14T08:41:40.8309634Z ==> System reported platform: linux
2024-10-14T08:41:40.8310769Z ==> Using platform: linux
2024-10-14T08:41:40.8313376Z ==> System reported arch: x64
2024-10-14T08:41:40.8313975Z ==> Using arch: 64bit
2024-10-14T08:41:40.8314900Z ==> Using default file extension matching: .(tar.gz|zip)
2024-10-14T08:41:40.8316634Z ==> Binaries will be located at: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:42.4093680Z Received 8388608 of 37531381 (22.4%), 8.0 MBs/sec
2024-10-14T08:41:42.7284759Z Received 37531381 of 37531381 (100.0%), 27.1 MBs/sec
2024-10-14T08:41:42.7285800Z Cache Size: ~36 MB (37531381 B)
2024-10-14T08:41:42.7315931Z [command]/usr/bin/tar -xf /home/runner/work/_temp/2236305b-ea26-4eef-b6b2-a5334489f6d8/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:42.9571509Z Cache restored successfully
2024-10-14T08:41:42.9659393Z Found trivy in the cache: /opt/hostedtoolcache/aquasecurity/trivy/v0.56.1/linux-64bit
2024-10-14T08:41:42.9890440Z ##[group]Run echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:42.9891364Z echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
2024-10-14T08:41:42.9946579Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:42.9947037Z env:
2024-10-14T08:41:42.9947466Z   MAVEN_USERNAME: 
2024-10-14T08:41:42.9947969Z   MAVEN_PASSWORD: 
2024-10-14T08:41:42.9948646Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:42.9949944Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:42.9950810Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:42.9951307Z   TRIVY_FORMAT: json
2024-10-14T08:41:42.9952007Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:42.9952583Z ##[endgroup]
2024-10-14T08:41:43.0226240Z ##[group]Run actions/cache@v4
2024-10-14T08:41:43.0226835Z with:
2024-10-14T08:41:43.0227148Z   path: .trivy
2024-10-14T08:41:43.0227642Z   key: cache-trivy-2024-10-14
2024-10-14T08:41:43.0227992Z   restore-keys: cache-trivy-
2024-10-14T08:41:43.0228334Z   enableCrossOsArchive: false
2024-10-14T08:41:43.0228678Z   fail-on-cache-miss: false
2024-10-14T08:41:43.0228995Z   lookup-only: false
2024-10-14T08:41:43.0229281Z   save-always: false
2024-10-14T08:41:43.0229557Z env:
2024-10-14T08:41:43.0229796Z   MAVEN_USERNAME: 
2024-10-14T08:41:43.0230084Z   MAVEN_PASSWORD: 
2024-10-14T08:41:43.0230524Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:43.0231226Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:43.0231755Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:43.0232045Z   TRIVY_FORMAT: json
2024-10-14T08:41:43.0232365Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:43.0232702Z ##[endgroup]
2024-10-14T08:41:44.6439364Z Received 4194304 of 685706255 (0.6%), 4.0 MBs/sec
2024-10-14T08:41:45.6444016Z Received 109051904 of 685706255 (15.9%), 52.0 MBs/sec
2024-10-14T08:41:46.6449329Z Received 234881024 of 685706255 (34.3%), 74.6 MBs/sec
2024-10-14T08:41:47.6455977Z Received 343932928 of 685706255 (50.2%), 82.0 MBs/sec
2024-10-14T08:41:48.6453611Z Received 465567744 of 685706255 (67.9%), 88.8 MBs/sec
2024-10-14T08:41:49.6454591Z Received 574619648 of 685706255 (83.8%), 91.3 MBs/sec
2024-10-14T08:41:50.5401949Z Cache Size: ~654 MB (685706255 B)
2024-10-14T08:41:50.5443705Z [command]/usr/bin/tar -xf /home/runner/work/_temp/83221014-e858-4a5b-b82d-602997efe21a/cache.tzst -P -C /home/runner/work/jwt-servlet-auth/jwt-servlet-auth --use-compress-program unzstd
2024-10-14T08:41:50.6456412Z Received 685706255 of 685706255 (100.0%), 93.4 MBs/sec
2024-10-14T08:41:53.0321652Z Cache restored successfully
2024-10-14T08:41:53.5180855Z Cache restored from key: cache-trivy-2024-10-14
2024-10-14T08:41:53.5687162Z ##[group]Run echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:53.5687959Z echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
2024-10-14T08:41:53.5737235Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:53.5737809Z env:
2024-10-14T08:41:53.5738077Z   MAVEN_USERNAME: 
2024-10-14T08:41:53.5738381Z   MAVEN_PASSWORD: 
2024-10-14T08:41:53.5738830Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.5739515Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.5740053Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:53.5740353Z   TRIVY_FORMAT: json
2024-10-14T08:41:53.5740671Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:53.5741240Z   GITHUB_ACTION_PATH: /home/runner/work/_actions/aquasecurity/trivy-action/master
2024-10-14T08:41:53.5741780Z ##[endgroup]
2024-10-14T08:41:53.7151555Z ##[group]Run # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:53.7152709Z # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
2024-10-14T08:41:53.7153608Z # This limitation affects how we handle default values and empty inputs.
2024-10-14T08:41:53.7154480Z # For more information, see: https://github.com/actions/runner/issues/924
2024-10-14T08:41:53.7155035Z
2024-10-14T08:41:53.7155582Z # Function to set environment variable only if the input is provided and different from default
2024-10-14T08:41:53.7156244Z set_env_var_if_provided() {
2024-10-14T08:41:53.7156618Z   local var_name="$1"
2024-10-14T08:41:53.7156975Z   local input_value="$2"
2024-10-14T08:41:53.7157798Z   local default_value="$3"
2024-10-14T08:41:53.7158179Z
2024-10-14T08:41:53.7158606Z   if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
2024-10-14T08:41:53.7159352Z     echo "$var_name=$input_value" >> $GITHUB_ENV
2024-10-14T08:41:53.7159780Z   fi
2024-10-14T08:41:53.7160044Z }
2024-10-14T08:41:53.7160301Z
2024-10-14T08:41:53.7160711Z # Set environment variables, handling those with default values
2024-10-14T08:41:53.7161527Z # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
2024-10-14T08:41:53.7162239Z set_env_var_if_provided "TRIVY_INPUT" "" ""
2024-10-14T08:41:53.7162742Z set_env_var_if_provided "TRIVY_EXIT_CODE" "1" ""
2024-10-14T08:41:53.7163310Z set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "true" "false"
2024-10-14T08:41:53.7163954Z set_env_var_if_provided "TRIVY_PKG_TYPES" "os,library" "os,library"
2024-10-14T08:41:53.7164732Z set_env_var_if_provided "TRIVY_SEVERITY" "HIGH,CRITICAL" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
2024-10-14T08:41:53.7165459Z set_env_var_if_provided "TRIVY_FORMAT" "table" "table"
2024-10-14T08:41:53.7165997Z set_env_var_if_provided "TRIVY_TEMPLATE" "" ""
2024-10-14T08:41:53.7166592Z set_env_var_if_provided "TRIVY_OUTPUT" "" ""
2024-10-14T08:41:53.7167090Z set_env_var_if_provided "TRIVY_SKIP_DIRS" "" ""
2024-10-14T08:41:53.7167850Z set_env_var_if_provided "TRIVY_SKIP_FILES" "" ""
2024-10-14T08:41:53.7168381Z set_env_var_if_provided "TRIVY_TIMEOUT" "" ""
2024-10-14T08:41:53.7168897Z set_env_var_if_provided "TRIVY_IGNORE_POLICY" "" ""
2024-10-14T08:41:53.7169403Z set_env_var_if_provided "TRIVY_QUIET" "" ""
2024-10-14T08:41:53.7169948Z set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "false" "false"
2024-10-14T08:41:53.7170504Z set_env_var_if_provided "TRIVY_SCANNERS" "" ""
2024-10-14T08:41:53.7170999Z set_env_var_if_provided "TRIVY_CONFIG" "" ""
2024-10-14T08:41:53.7171484Z set_env_var_if_provided "TRIVY_TF_VARS" "" ""
2024-10-14T08:41:53.7171992Z set_env_var_if_provided "TRIVY_DOCKER_HOST" "" ""
2024-10-14T08:41:53.7221289Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:53.7221737Z env:
2024-10-14T08:41:53.7222001Z   MAVEN_USERNAME: 
2024-10-14T08:41:53.7222295Z   MAVEN_PASSWORD: 
2024-10-14T08:41:53.7222751Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.7223415Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.7223942Z   TRIVY_EXIT_CODE: 0
2024-10-14T08:41:53.7224235Z   TRIVY_FORMAT: json
2024-10-14T08:41:53.7224554Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:53.7224910Z ##[endgroup]
2024-10-14T08:41:53.9044049Z ##[group]Run entrypoint.sh
2024-10-14T08:41:53.9044419Z entrypoint.sh
2024-10-14T08:41:53.9093177Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2024-10-14T08:41:53.9093643Z env:
2024-10-14T08:41:53.9093904Z   MAVEN_USERNAME: 
2024-10-14T08:41:53.9094203Z   MAVEN_PASSWORD: 
2024-10-14T08:41:53.9094648Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.9095328Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:53.9095847Z   TRIVY_EXIT_CODE: 1
2024-10-14T08:41:53.9096148Z   TRIVY_FORMAT: json
2024-10-14T08:41:53.9096456Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:53.9096827Z   TRIVY_IGNORE_UNFIXED: true
2024-10-14T08:41:53.9097174Z   TRIVY_SEVERITY: HIGH,CRITICAL
2024-10-14T08:41:53.9097786Z   INPUT_SCAN_TYPE: fs
2024-10-14T08:41:53.9098090Z   INPUT_IMAGE_REF: 
2024-10-14T08:41:53.9098374Z   INPUT_SCAN_REF: .
2024-10-14T08:41:53.9098666Z   INPUT_TRIVYIGNORES: 
2024-10-14T08:41:53.9098966Z   INPUT_GITHUB_PAT: 
2024-10-14T08:41:53.9099281Z   INPUT_LIMIT_SEVERITIES_FOR_SARIF: 
2024-10-14T08:41:53.9099811Z   TRIVY_CACHE_DIR: .trivy
2024-10-14T08:41:53.9100132Z ##[endgroup]
2024-10-14T08:41:53.9184181Z Running Trivy with options: trivy fs .
2024-10-14T08:41:53.9809018Z 2024-10-14T08:41:53Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-14T08:41:53.9809749Z 2024-10-14T08:41:53Z	INFO	[secret] Secret scanning is enabled
2024-10-14T08:41:53.9810656Z 2024-10-14T08:41:53Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T08:41:53.9812014Z 2024-10-14T08:41:53Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T08:41:55.5352791Z 2024-10-14T08:41:55Z	INFO	Number of language-specific files	num=12
2024-10-14T08:41:55.5354051Z 2024-10-14T08:41:55Z	INFO	[pom] Detecting vulnerabilities...
2024-10-14T08:41:55.5726236Z ##[group]Run echo version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) >> $GITHUB_OUTPUT
2024-10-14T08:41:55.5727684Z echo version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) >> $GITHUB_OUTPUT
2024-10-14T08:41:55.5776866Z shell: /usr/bin/bash -e {0}
2024-10-14T08:41:55.5777211Z env:
2024-10-14T08:41:55.5777763Z   MAVEN_USERNAME: 
2024-10-14T08:41:55.5778074Z   MAVEN_PASSWORD: 
2024-10-14T08:41:55.5778521Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:55.5779207Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.12-7/x64
2024-10-14T08:41:55.5779743Z   TRIVY_EXIT_CODE: 1
2024-10-14T08:41:55.5780050Z   TRIVY_FORMAT: json
2024-10-14T08:41:55.5780371Z   TRIVY_OUTPUT: trivy-report.json
2024-10-14T08:41:55.5780736Z   TRIVY_IGNORE_UNFIXED: true
2024-10-14T08:41:55.5781074Z   TRIVY_SEVERITY: HIGH,CRITICAL
2024-10-14T08:41:55.5781456Z ##[endgroup]

This is from https://github.com/telicent-oss/jwt-servlet-auth/actions/runs/11323718298/job/31487698417 if you want to see the GitHub Actions output directly; I copied and pasted the relevant sections above as Actions workflow logs expire after a time. Note that run was still using v0.1.0 of the setup-trivy action, but the same issue can be seen even if explicitly using v0.2.0. I've put together a small test repository with various example workflows at https://github.com/rvesse/setup-trivy-debugging

With the previous Docker-based trivy action this wasn't an issue, as GitHub Actions would build the image once and then use it each time we invoked the trivy-action.

(Aside - Yes, you have the option of caching the binary install, in which case steps would be skipped, BUT caching doesn't work with the latest version, and for my company we always want to be using the latest version.)

One possibility might be to set an environment variable at the conclusion of the composite action and use that to make subsequent invocations conditional, but there could be other ways. I'll throw together a quick PR for you guys to look at, but feel free to solve this other ways as well.
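The marker-variable idea suggested above, sketched as an added offline illustration (this is not the code from the proposed PR or from trivy-action). `SETUP_TRIVY_DONE`, `fake_install` and the directory layout are hypothetical; `GITHUB_ENV` is simulated with a temp file and the "install" only writes a stub binary.

```shell
#!/usr/bin/env bash
# Constructed, offline simulation: GITHUB_ENV is a temp file and "install"
# only creates a stub binary. SETUP_TRIVY_DONE is a hypothetical marker name.
WORK="$(mktemp -d)"
GITHUB_ENV="$WORK/github_env"
: > "$GITHUB_ENV"
INSTALL_COUNT=0

# Stand-in for the real download/install; counts how often it runs.
fake_install() {
  mkdir -p "$WORK/bin/$1"
  printf '#!/bin/sh\necho "trivy %s"\n' "$1" > "$WORK/bin/$1/trivy"
  chmod +x "$WORK/bin/$1/trivy"
  INSTALL_COUNT=$((INSTALL_COUNT + 1))
}

# Between steps the runner exports every NAME=value line of $GITHUB_ENV.
load_github_env() {
  while IFS='=' read -r name value; do
    if [ -n "$name" ]; then
      export "$name=$value"
    fi
  done < "$GITHUB_ENV"
  return 0
}

# One invocation of the setup step. Skip only when the marker names the same
# version AND the recorded binary is still present and executable, so a stale
# marker cannot make a later scan step run without a scanner.
setup_trivy_step() {
  local version="$1"
  local bin="$WORK/bin/$1/trivy"
  load_github_env
  if [ "${SETUP_TRIVY_DONE:-}" = "$version" ] && [ -x "$bin" ]; then
    echo "skip: trivy $version already set up in this job"
    return 0
  fi
  fake_install "$version"
  echo "SETUP_TRIVY_DONE=$version" >> "$GITHUB_ENV"
}
```

Keying the marker on the requested version means a later step that asks for a different version still triggers an install instead of silently reusing the earlier one.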

rvesse added a commit to rvesse/setup-trivy that referenced this issue Oct 14, 2024
This commit adds tracking and detection of when the current job has
already called setup-trivy (whether directly/indirectly) and avoids
repeatedly installing it once it has been installed
@rvesse
Contributor Author

rvesse commented Oct 14, 2024

Proposed fix at #7

rvesse added a commit to rvesse/setup-trivy that referenced this issue Oct 15, 2024
This commit adds tracking and detection of when the current job has
already called setup-trivy (whether directly/indirectly) and avoids
repeatedly installing it once it has been installed
@rvesse
Contributor Author

rvesse commented Oct 16, 2024

Resolved by alternative means in aquasecurity/trivy-action#414

@rvesse rvesse closed this as completed Oct 16, 2024