diff --git a/README.md b/README.md index 16a07f5..5681401 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ * [Cache](#cache) * [Trivy Setup](#trivy-setup) * [Scanning a Tarball](#scanning-a-tarball) + * [Using Trivy with templates](#using-trivy-with-templates) * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning) * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo) * [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories) @@ -323,6 +324,64 @@ jobs: severity: 'CRITICAL,HIGH' ``` +### Using Trivy with templates +The action supports [Trivy templates][trivy-templates]. + +Use `template` input to specify path (remember to prefix the path with `@`) to template file. + +```yaml +name: build +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + scan-ref: . + format: 'template' + template: "@path/to/my_template.tpl" +``` + +#### Default templates +Trivy has [default templates][trivy-default-templates]. + +By default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory. + +```yaml +name: build +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + scan-ref: . + format: 'template' + template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl" +``` + ### Using Trivy with GitHub Code Scanning If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml 
@@ -771,7 +830,7 @@ Following inputs can be used as `step.with` keys: | `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | | `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | -| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | +| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) | | `tf-vars` | String | | path to Terraform variables file | | `output` | String | | Save results to a file | | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | @@ -791,7 +850,7 @@ Following inputs can be used as `step.with` keys: | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | | `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values | -| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` | +| `version` | String | `v0.56.2` | Trivy version to use, e.g. `latest` or `v0.56.2` | | `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` | | `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository | 
@@ -809,3 +868,5 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables [trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ +[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template +[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates
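Review bot: in the "Default templates" example of the `@@ -323,6 +324,64 @@` hunk, `template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl"` relies on `$HOME` being expanded, but a `with:` value is passed to the action as a literal string and the workflow runner performs no shell expansion on it. The section should state that the action itself expands the variable, if that is the case, so readers do not assume this is ordinary workflow syntax that works for any input. A second point on the same hunk: both examples set `format: 'template'` without the `output` input from the inputs table, so the rendered report (HTML in the second example) only reaches the step log. Adding an `output:` line would make the example produce a file that a later step can upload. The two YAML blocks are also identical except for the `template:` line, so the second could be cut down to the `with:` block.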
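Review bot: the new example paths in the `template` row of the `@@ -771,7 +830,7 @@` hunk (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) are only meaningful when `setup-trivy` performed the install, since the new section describes that directory as the `setup-trivy` default. The same table documents `skip-setup-trivy`, and with that set to true nothing in the README says where the default templates live. Suggest qualifying the row (for example "default templates installed by `setup-trivy`") and linking it to the new "Default templates" section, so users who install Trivy themselves know to pass their own path.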
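Review bot: the new default `v0.56.2` in the `version` row of the `@@ -791,7 +850,7 @@` hunk is not backed by any change outside README.md in the visible diff. Please confirm the action's actual default was bumped in the same commit, otherwise the table documents a Trivy version the action does not install. If the bump is unrelated to the templates documentation, it would be easier to track as its own commit.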