Skip to content

Commit

Permalink
feat: Allow skipping setup
Browse files Browse the repository at this point in the history
If a user is invoking the action multiple times then the trivy binary
gets installed multiple times.  Users can avoid this by managing the
installation themselves and setting the skip-setup input to true, or by
letting the action install in on their first invocation and then setting
skip-setup to true on subsequent invocations
  • Loading branch information
rvesse committed Oct 15, 2024
1 parent 5681af8 commit 323bf39
Show file tree
Hide file tree
Showing 2 changed files with 98 additions and 0 deletions.
93 changes: 93 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
* [Scan CI Pipeline](#scan-ci-pipeline)
* [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
* [Cache](#cache)
* [Trivy Setup](#trivy-setup)
* [Scanning a Tarball](#scanning-a-tarball)
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
Expand Down Expand Up @@ -184,6 +185,97 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
TRIVY_SKIP_JAVA_DB_UPDATE: true
```

### Trivy Setup
By default the action calls [`aquasecurity/setup-trivy`](https://github.com/aquasecurity/setup-trivy) as the first step
which installs the the `trivy` version specified by the `version` input. If you have already installed `trivy` by other
means, e.g. calling `aquasecurity/setup-trivy` directly, or are invoking this action multiple times then you can use the
`skip-setup-trivy` input to disabled this step.

#### Setting up Trivy Manually
```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Manual Trivy Setup
uses: aquasecurity/[email protected]
with:
cache: true
version: v0.56.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
skip-setup-trivy: true
```

#### Skipping Setup when Calling Trivy Action multiple times
Another common use case is when a build calls this action multiple times, in this case we can set `skip-setup-trivy` to
`true` on subsequent invocations e.g.

```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Check out Git repository
uses: actions/checkout@v4
# The first call to the action will invoke setup-trivy and install trivy
- name: Generate Trivy Vulnerability Report
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
output: trivy-report.json
format: json
scan-ref: .
exit-code: 0
- name: Upload Vulnerability Scan Results
uses: actions/upload-artifact@v4
with:
name: trivy-report
path: trivy-report.json
retention-days: 30
- name: Fail build on High/Criticial Vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
format: table
scan-ref: .
severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: 1
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
```

### Scanning a Tarball
```yaml
name: build
Expand Down Expand Up @@ -681,6 +773,7 @@ Following inputs can be used as `step.with` keys:
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
| `skip-setup-trivy` | Boolean | false | Whether to skip installing the `trivy` binary, if you are installing it via your own means, or are calling this action multiple times in a workflow then you may wish to set this to true on subsequent calls. |

### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
Expand Down
5 changes: 5 additions & 0 deletions action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -103,11 +103,16 @@ inputs:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
default: 'true'
skip-setup-trivy:
description: 'skip calling the setup-trivy action to install trivy'
required: false
default: 'false'

runs:
using: 'composite'
steps:
- name: Install Trivy
if: ${{ inputs.skip-setup-trivy == 'false' }}
uses: aquasecurity/[email protected]
with:
version: ${{ inputs.version }}
Expand Down

0 comments on commit 323bf39

Please sign in to comment.