github-actions/trivy-fs-scan/action.yaml at 7aaaea50b9ed4a4c85fc37fb429b542750402ee6 · hypertrace/github-actions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: Trivy FS Scan
description: 'Trivy File System Scan'
inputs:
  scan-ref:
    description: 'scan reference'
    default: '.'
  ignore-unfixed:
    description: 'ignore unfixed vulnerabilities'
    required: true
    default: 'true'
  vuln-type:
    description: 'comma-separated list of vulnerability types (os,library)'
    required: true
    default: 'library'
  severity:
    description: 'severities of vulnerabilities to be displayed'
    required: true
    default: 'HIGH,CRITICAL'
  timeout:
    description: 'timeout (default 5m0s)'
    required: true
    default: '5m0s'
  trivyignores:
    description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
    required: true
    default: '.trivyignore'
  output-mode:
    description: 'Upload to github security via sarif format (github), or output to a file named "trivy.json" (json), or log pretty print output (log)'
    required: true
    default: 'log'
  category:
    description: String used by Code Scanning for matching the analyses
    required: false
    default: ''
  skip-dirs:
    description: skip directories from scan
    required: false
    default: ''
  skip-files:
    description: skip files from scan
    required: false
    default: ''

runs:
  using: "composite"
  steps:
    - name: Set up output values
      id: output
      shell: bash
      run: |
        TRIVY_FORMAT=""
        TRIVY_OUTPUT=""
        if [ "${{ inputs.output-mode }}" = "github" ]; then
          TRIVY_FORMAT="sarif"
          TRIVY_OUTPUT="''trivy-results.sarif''"
        elif [ "${{ inputs.output-mode }}" = "json" ]; then
          TRIVY_FORMAT="json"
          TRIVY_OUTPUT="trivy-results.json"
        elif [ "${{ inputs.output-mode }}" = "log" ]; then
          TRIVY_FORMAT="table"
        fi
        if [ "${{ github.event_name }}" = "pull_request" -a "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
          TRIVY_FORMAT="table"
          TRIVY_OUTPUT=""
        fi
        echo "TRIVY_FORMAT=$TRIVY_FORMAT" >> $GITHUB_OUTPUT
        echo "TRIVY_OUTPUT=$TRIVY_OUTPUT" >> $GITHUB_OUTPUT

    - name: Default ignore file if not exist
      if: ${{ inputs.trivyignores == '.trivyignore' }}  # If a non-default ignore is passed, then we can assume it exists
      shell: bash
      run: |
        touch .trivyignore

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
      with:
        scan-type: 'fs'
        scan-ref: ${{ inputs.scan-ref }}
        vuln-type: ${{ inputs.vuln-type }}
        scanners: 'vuln'
        trivyignores: ${{ inputs.trivyignores }}
        format: ${{ steps.output.outputs.TRIVY_FORMAT }}
        output: ${{ steps.output.outputs.TRIVY_OUTPUT }}
        severity: ${{ inputs.severity }}
        ignore-unfixed: ${{ inputs.ignore-unfixed }}
        timeout: ${{ inputs.timeout }}
        skip-dirs: ${{ inputs.skip-dirs }}
        skip-files: ${{ inputs.skip-files }}
        exit-code: '1'
        version: v0.69.3

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      if: ${{ (success() || failure()) && inputs.output-mode == 'github' && inputs.category == '' }}
      with:
        sarif_file: ${{ steps.output.outputs.TRIVY_OUTPUT }}

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      if: ${{ (success() || failure()) && inputs.output-mode == 'github' && inputs.category != '' }}
      with:
        sarif_file: ${{ steps.output.outputs.TRIVY_OUTPUT }}
        category: ${{ inputs.category }}