Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: bump setup-trivy and add new contrib directory path info #424

Merged
merged 8 commits into from
Oct 25, 2024
Merged

fix: bump setup-trivy and add new contrib directory path info #424

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
74f2f25
chore(deps): use fork for setup-trivy
DmitriyLewen Oct 22, 2024
a24d142
docs: add info about templates
DmitriyLewen Oct 22, 2024
e00c0f1
refactor: use `setup-trivy` v0.2.2
DmitriyLewen Oct 24, 2024
5db2d16
docs: remove `./` prefix
DmitriyLewen Oct 24, 2024
0994b12
Merge branch 'main' into 'fix/contrib-dir'
DmitriyLewen Oct 25, 2024
81f42ef
Merge branch 'master' into 'fix/contrib-dir'
DmitriyLewen Oct 25, 2024
0839530
docs: fix link
DmitriyLewen Oct 25, 2024
f17a808
docs: fix typo
DmitriyLewen Oct 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 63 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
* [Cache](#cache)
* [Trivy Setup](#trivy-setup)
* [Scanning a Tarball](#scanning-a-tarball)
* [Using Trivy with templates](#using-trivy-with-templates)
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
* [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories)
Expand Down Expand Up @@ -323,6 +324,64 @@ jobs:
severity: 'CRITICAL,HIGH'
```

### Using Trivy with templates
The action supports [Trivy templates][trivy-templates].

Use `template` input to specify path (remember to prefix the path with `@`) to template file.

```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: "fs"
scan-ref: .
format: 'template'
template: "@path/to/my_template.tpl"
```

#### Default templates
Trivy has [default templates][trivy-default-templates].

By default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory.

```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: "fs"
scan-ref: .
format: 'template'
template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl"
```

### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
Expand Down Expand Up @@ -771,7 +830,7 @@ Following inputs can be used as `step.with` keys:
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
Expand All @@ -791,7 +850,7 @@ Following inputs can be used as `step.with` keys:
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
| `version` | String | `v0.56.2` | Trivy version to use, e.g. `latest` or `v0.56.2` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |

Expand All @@ -809,3 +868,5 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template
[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates
Loading