feat: add token for setup-trivy #421
Merged: simar7 merged 5 commits into aquasecurity:master from DmitriyLewen:feat/token-setup-trivy on Oct 25, 2024
Changes from 3 commits
Commits
0afdd84  feat: add `token-setup-trivy` input. (DmitriyLewen)
6f34622  docs: add info about `token-setup-trivy` (DmitriyLewen)
b24edfa  fix: use correct commit (DmitriyLewen)
e9e31ed  refactor: use `default: ${{ github.token }}` for `token-setup-trivy` (DmitriyLewen)
9960a61  refactor: use `setup-trivy` v0.2.2 (DmitriyLewen)
@@ -279,6 +279,22 @@ jobs: | |
skip-setup-trivy: true | ||
``` | ||
|
||
#### Use non-default token to install Trivy | ||
GitHub Enterprise Server (GHES) uses an invalid `github.token` for `https://github.com` server. | ||
Therefore, you can't install `Trivy` using the `setup-trivy` action. | ||
|
||
To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input: | ||
```yaml | ||
- name: Run Trivy scanner without cache | ||
uses: aquasecurity/[email protected] | ||
with: | ||
scan-type: 'fs' | ||
scan-ref: '.' | ||
token-setup-trivy: ${{ secrets.GITHUB_PAT }} | ||
``` | ||
|
||
GitHub even has [create-github-app-token](https://github.com/actions/create-github-app-token) for similar cases. | ||
|
||
### Scanning a Tarball | ||
```yaml | ||
name: build | ||
|
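Review bot: the new "Use non-default token to install Trivy" section shows `token-setup-trivy: ${{ secrets.GITHUB_PAT }}` without saying what the token needs to be allowed to do; since the inputs table describes this input as only used by `setup-trivy` to check out the `trivy` repository, the docs should say a read-only token is sufficient (a fine-grained PAT limited to public repository read access, or the short-lived token from `create-github-app-token`, which the following paragraph already mentions) rather than leaving readers to store a broadly scoped classic PAT. The opening sentence "GHES uses an invalid `github.token` for `https://github.com` server" would also read more clearly as: on GHES, `github.token` is issued for the GHES instance and is not accepted by github.com, so `setup-trivy` cannot download Trivy from there. Finally, "GitHub even has" should be "GitHub also provides".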
@@ -754,7 +770,7 @@ Following inputs can be used as `step.with` keys: | |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` | | ||
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | | ||
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | | ||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | | ||
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | | ||
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | | ||
| `tf-vars` | String | | path to Terraform variables file | | ||
| `output` | String | | Save results to a file | | ||
|
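Review bot: the `format` row appears as both the removed and the added line with no visible difference in this hunk, which suggests a whitespace-only change unrelated to `token-setup-trivy`; consider dropping it so the diff stays focused on the new input, or, if the row was meant to change, make the intended change visible.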
@@ -769,14 +785,15 @@ Following inputs can be used as `step.with` keys: | |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | | ||
| `hide-progress` | String | `false` | Suppress progress bar and log output | | ||
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability | | ||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) | | ||
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) | | ||
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | | ||
| `trivy-config` | String | | Path to trivy.yaml config | | ||
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | ||
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | | ||
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values | | ||
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` | | ||
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` | | ||
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository | | ||
|
||
### Environment variables | ||
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). | ||
|
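Review bot: the new `token-setup-trivy` row gives the type as `Boolean`, but the input takes a token string (the README example passes `${{ secrets.GITHUB_PAT }}`), so it should be `String`. Its default column is empty although the description says it overwrites `github.token`; stating the default explicitly as `${{ github.token }}` would make clear that the input is optional outside GHES. The `scanners` row also appears as both removed and added with no visible difference, same as the `format` row in the previous hunk.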
Just a note that we should bump this to the next release when the other PR gets merged.
Right. I used my fork to test the changes. After setup-trivy is released, I will update this line.
Updated in 9960a61