This action runs trivy with reviewdog on pull requests to enforce best practices.
By default, with reporter: github-pr-check
an annotation is added to
the line:
With reporter: github-pr-review
a comment is added to
the Pull Request Conversation:
Required. Must be in form of github_token: ${{ secrets.github_token }}
.
Required. Trivy command [aws
, config
, filesystem
, image
, kubernetes
, rootfs
, sbom
, vm
].
You can see this with trivy --help
Required. Target to scan. It's depends on the command. Please check Trivy Docs
Optional. Directory to run the action on, from the repo root.
The default is .
( root of the repository).
Optional. Report level for reviewdog [info
,warning
,error
].
It's same as -level
flag of reviewdog.
The default is error
.
Optional. Name of the tool being used. This controls how it will show up in the GitHub UI.
The default is trivy
.
Optional. Reporter of reviewdog command [github-pr-check
,github-pr-review
].
The default is github-pr-check
.
Optional. Filtering for the reviewdog command [added
,diff_context
,file
,nofilter
].
The default is added
.
See reviewdog documentation for filter mode for details.
Optional. Exit code for reviewdog when errors are found [true
,false
].
The default is false
.
See reviewdog documentation for exit codes for details.
Optional. Additional reviewdog flags. Useful for debugging errors, when it can be set to -tee
.
The default is ``.
Optional. The version of trivy to install.
The default is latest
.
Optional. List of arguments to send to trivy.
For the output to be parsable by reviewdog --format=checkstyle
is enforced.
The default is ``.
The trivy
command return code.
The reviewdog
command return code.
name: trivy
on: [pull_request]
jobs:
trivy:
name: runner / trivy
runs-on: ubuntu-latest # Windows and macOS are also supported
steps:
- name: Clone repo
uses: actions/checkout@v4
- name: Run trivy with reviewdog output on the PR
uses: reviewdog/action-trivy@v1
with:
github_token: ${{ secrets.github_token }}
trivy_command: config # Change trivy command
trivy_target: . # Change trivy target directory
working_directory: my_directory # Change working directory
level: info # Get more output from reviewdog
reporter: github-pr-review # Change reviewdog reporter
filter_mode: nofilter # Check all files, not just the diff
fail_on_error: true # Fail action if errors are found
flags: -tee # Add debug flag to reviewdog
trivy_flags: "" # Optional
You can bump version on merging Pull Requests with specific labels (bump:major,bump:minor,bump:patch). Pushing tag manually by yourself also work.
This action updates major/minor release tags on a tag push. e.g. Update v1 and v1.2 tag when released v1.2.3. ref: https://help.github.com/en/articles/about-actions#versioning-your-action
This reviewdog action template itself is integrated with reviewdog to run lints which is useful for Docker container based actions.
Supported linters:
This repository uses haya14busa/action-depup to update reviewdog version.