
Commit a56792e

docs: add env and config file to Customizing
1 parent 778c276 commit a56792e

1 file changed

+42
-27
lines changed


README.md

Lines changed: 42 additions & 27 deletions
@@ -83,7 +83,7 @@ secret:
8383
config: config/trivy/secret.yaml
8484
```
8585

86-
It is possible to define all Trivy options (including flags not supported by [inputs](#inputs) such as `--secret-config`) in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
86+
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
8787
- `scan-ref`: If using `fs, repo` scans.
8888
- `image-ref`: If using `image` scan.
8989
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
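Review bot: the rewritten sentence drops both the `[inputs](#inputs)` link and the note that `trivy.yaml` is the way to set flags the action does not expose (such as `--secret-config`); since this paragraph sits directly under the `secret: config:` example, a reader looking for how to pass a secret config here now gets no pointer, so consider cross-linking it to the new "Trivy config file" section under Customizing. Also, "Specifying individual options via the action are left for backward compatibility purposes" should read "is left" (the subject is "Specifying").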
@@ -481,40 +481,55 @@ jobs:
481481

482482
## Customizing
483483

484+
Configuration priority:
485+
- [Inputs](#inputs)
486+
- [Environment variables](#environment-variables)
487+
- [Trivy config file](#trivy-config-file)
488+
- Default values
489+
490+
484491
### inputs
485492

486493
Following inputs can be used as `step.with` keys:
487494

488-
| Name | Type | Default | Description |
489-
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
490-
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
491-
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
492-
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
493-
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
494-
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
495-
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
496-
| `tf-vars` | String | | path to Terraform variables file |
497-
| `output` | String | | Save results to a file |
498-
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
499-
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
500-
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
501-
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
502-
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
503-
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
504-
| `cache-dir` | String | | Cache directory |
505-
| `timeout` | String | `5m0s` | Scan timeout duration |
506-
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
507-
| `hide-progress` | String | `true` | Suppress progress bar |
508-
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
509-
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
510-
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
511-
| `trivy-config` | String | | Path to trivy.yaml config |
512-
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
513-
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
495+
| Name | Type | Default | Description |
496+
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
497+
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
498+
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
499+
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
500+
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
501+
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
502+
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
503+
| `tf-vars` | String | | path to Terraform variables file |
504+
| `output` | String | | Save results to a file |
505+
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
506+
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
507+
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
508+
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
509+
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
510+
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
511+
| `cache-dir` | String | | Cache directory |
512+
| `timeout` | String | `5m0s` | Scan timeout duration |
513+
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
514+
| `hide-progress` | String | `true` | Suppress progress bar |
515+
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
516+
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
517+
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
518+
| `trivy-config` | String | | Path to trivy.yaml config |
519+
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
520+
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
521+
522+
### Environment variables
523+
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
524+
525+
### Trivy config file
526+
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
514527

515528
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
516529
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
517530
[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy
518531
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
519532
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
520533
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
534+
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
535+
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
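Review bot: the new "Configuration priority" list does not say which end wins; add a clause such as "from highest to lowest precedence" so it is unambiguous that an input overrides an environment variable, which overrides the config file, which overrides the defaults. The table change only re-aligns columns, but while it is being touched: `hide-progress` is typed `String` with default `` `true` `` while `ignore-unfixed` and `limit-severities-for-sarif` are `Boolean` with an unbackticked `false`, so the type column and the default formatting could be made consistent. Minor: "Following inputs can be used as `step.with` keys" should read "The following inputs can be used".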
