Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add token for setup-trivy #421

Merged
merged 5 commits into from
Oct 25, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,22 @@ jobs:
skip-setup-trivy: true
```

#### Use non-default token to install Trivy
GitHub Enterprise Server (GHES) uses an invalid `github.token` for `https://github.com` server.
Therefore, you can't install `Trivy` using the `setup-trivy` action.

To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '.'
token-setup-trivy: ${{ secrets.GITHUB_PAT }}
```

GitHub even has [create-github-app-token](https://github.com/actions/create-github-app-token) for similar cases.

### Scanning a Tarball
```yaml
name: build
Expand Down Expand Up @@ -754,7 +770,7 @@ Following inputs can be used as `step.with` keys:
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
Expand All @@ -769,14 +785,15 @@ Following inputs can be used as `step.with` keys:
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `false` | Suppress progress bar and log output |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |

### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
Expand Down
9 changes: 8 additions & 1 deletion action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -107,16 +107,23 @@ inputs:
description: 'skip calling the setup-trivy action to install trivy'
required: false
default: 'false'
token-setup-trivy:
description: >
`token-setup-trivy` is required when `github.token` in invalid for `https://github.com` server.
See https://github.com/aquasecurity/setup-trivy/?tab=readme-ov-file#install-trivy-with-non-default-token for more details.
required: false
default: ''

runs:
using: 'composite'
steps:
- name: Install Trivy
if: ${{ inputs.skip-setup-trivy == 'false' }}
uses: aquasecurity/setup-trivy@v0.2.1
uses: DmitriyLewen/setup-trivy@2df9f605c29dbee29f7c66a8151e3b97f0874f5d
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a note that we should bump this to the next release when the other PR gets merged.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. I used my fork to test the changes.
After setup-trivy is released - I will update this line.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in -9960a61

with:
version: ${{ inputs.version }}
cache: ${{ inputs.cache }}
token: ${{ inputs.token-setup-trivy }}

- name: Get current date
id: date
Expand Down
Loading