From 74f2f25de8f4975f0b3a449e024182108bf43f92 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 22 Oct 2024 13:57:38 +0600 Subject: [PATCH 1/7] chore(deps): use fork for setup-trivy --- action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yaml b/action.yaml index aad6fdd..dc828e1 100644 --- a/action.yaml +++ b/action.yaml @@ -113,7 +113,7 @@ runs: steps: - name: Install Trivy if: ${{ inputs.skip-setup-trivy == 'false' }} - uses: aquasecurity/setup-trivy@v0.2.1 + uses: DmitriyLewen/setup-trivy@1f28cef0d7f6c3d4bf343e019d2c7d705620b63e with: version: ${{ inputs.version }} cache: ${{ inputs.cache }} From a24d142e00161fb08df55aaf5a24ad9fc0c4310f Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 22 Oct 2024 15:02:39 +0600 Subject: [PATCH 2/7] docs: add info about templates --- README.md | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 64 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 128f95d..7500705 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ * [Cache](#cache) * [Trivy Setup](#trivy-setup) * [Scanning a Tarball](#scanning-a-tarball) + * [Using Trivy with default templates](#using-trivy-with-github-code-scanning) * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning) * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo) * [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories) 
@@ -307,6 +308,64 @@ jobs: severity: 'CRITICAL,HIGH' ``` +### Using Trivy with templates +The action supports [Trivy templates][trivy-templates]. + +Use `template` input to specify path (remember to prefix the path with `@`) to template file. + +```yaml +name: build +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + scan-ref: . + format: 'template' + template: "@./path/to/my_template.tpl" +``` + +#### Default templates +Trivy has [default templates][trivy-default-templates]. + +By default, `setup-trivy` install them in `$HOME/.local/bin/trivy-bin/contrib` directory. + +```yaml +name: build +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + scan-ref: . + format: 'template' + template: "@./$HOME/.local/bin/trivy-bin/contrib/html.tpl" +``` + ### Using Trivy with GitHub Code Scanning If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml 
@@ -754,8 +813,8 @@ Following inputs can be used as `step.with` keys: | `input` | String | | Tar reference, e.g. `alpine-latest.tar` | | `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | -| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | -| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | +| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | +| `template` | String | | Output template (`@./$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@./$HOME/.local/bin/trivy-bin//contrib/junit.tpl`) | | `tf-vars` | String | | path to Terraform variables file | | `output` | String | | Save results to a file | | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | @@ -769,7 +828,7 @@ Following inputs can be used as `step.with` keys: | `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | | `hide-progress` | String | `false` | Suppress progress bar and log output | | `list-all-pkgs` | String | | Output all packages regardless of vulnerability | -| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) | +| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) | | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | | `trivy-config` | String | | Path to trivy.yaml config | | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | 
@@ -792,3 +851,5 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables [trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ +[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template +[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates From e00c0f190873e3081237776c144bfa96fae46d5c Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 24 Oct 2024 11:43:19 +0600 Subject: [PATCH 3/7] refactor: use `setup-trivy` v0.2.2 --- README.md | 2 +- action.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7500705..f609145 100644 --- a/README.md +++ b/README.md @@ -340,7 +340,7 @@ jobs: #### Default templates Trivy has [default templates][trivy-default-templates]. -By default, `setup-trivy` install them in `$HOME/.local/bin/trivy-bin/contrib` directory. +By default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory. ```yaml name: build diff --git a/action.yaml b/action.yaml index dc828e1..060cbe2 100644 --- a/action.yaml +++ b/action.yaml @@ -113,7 +113,7 @@ runs: steps: - name: Install Trivy if: ${{ inputs.skip-setup-trivy == 'false' }} - uses: DmitriyLewen/setup-trivy@1f28cef0d7f6c3d4bf343e019d2c7d705620b63e + uses: aquasecurity/setup-trivy@v0.2.2 with: version: ${{ inputs.version }} cache: ${{ inputs.cache }} From 5db2d16b8382c28106414921787db698dd31f586 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 24 Oct 2024 12:00:16 +0600 Subject: [PATCH 4/7] docs: remove `./` prefix --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f609145..20c887e 100644 --- a/README.md 
+++ b/README.md @@ -334,7 +334,7 @@ jobs: scan-type: "fs" scan-ref: . format: 'template' - template: "@./path/to/my_template.tpl" + template: "@path/to/my_template.tpl" ``` #### Default templates @@ -363,7 +363,7 @@ jobs: scan-type: "fs" scan-ref: . format: 'template' - template: "@./$HOME/.local/bin/trivy-bin/contrib/html.tpl" + template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl" ``` ### Using Trivy with GitHub Code Scanning From 0994b129e14566faff8dc281478d87087d35acd3 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Fri, 25 Oct 2024 11:40:09 +0600 Subject: [PATCH 5/7] Merge branch 'main' into 'fix/contrib-dir' --- README.md | 21 +++++++++++++++++++-- action.yaml | 10 ++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 20c887e..9b7cfd9 100644 --- a/README.md +++ b/README.md @@ -280,6 +280,22 @@ jobs: skip-setup-trivy: true ``` +#### Use non-default token to install Trivy +GitHub Enterprise Server (GHES) uses an invalid `github.token` for `https://github.com` server. +Therefore, you can't install `Trivy` using the `setup-trivy` action. + +To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input: +```yaml + - name: Run Trivy scanner without cache + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'fs' + scan-ref: '.' + token-setup-trivy: ${{ secrets.GITHUB_PAT }} +``` + +GitHub even has [create-github-app-token](https://github.com/actions/create-github-app-token) for similar cases. + ### Scanning a Tarball ```yaml name: build 
@@ -814,7 +830,7 @@ Following inputs can be used as `step.with` keys: | `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | | `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | -| `template` | String | | Output template (`@./$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@./$HOME/.local/bin/trivy-bin//contrib/junit.tpl`) | +| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin//contrib/junit.tpl`) | | `tf-vars` | String | | path to Terraform variables file | | `output` | String | | Save results to a file | | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | 
@@ -834,8 +850,9 @@ Following inputs can be used as `step.with` keys: | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | | `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values | -| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` | +| `version` | String | `v0.56.2` | Trivy version to use, e.g. `latest` or `v0.56.2` | | `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` | +| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository | ### Environment variables You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). diff --git a/action.yaml b/action.yaml index 060cbe2..b42ab4d 100644 --- a/action.yaml +++ b/action.yaml 
@@ -107,6 +107,15 @@ inputs: description: 'skip calling the setup-trivy action to install trivy' required: false default: 'false' + token-setup-trivy: + description: > + `token-setup-trivy` is required when `github.token` in invalid for `https://github.com` server. + See https://github.com/aquasecurity/setup-trivy/?tab=readme-ov-file#install-trivy-with-non-default-token for more details. + `token-setup-trivy` is only used to fetch the Trivy repository in `setup-trivy` + required: false + ## ${{ github.token }} is default value for actions/checkout + ## cf. https://github.com/actions/checkout/blob/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871/action.yml#L24 + default: ${{ github.token }} runs: using: 'composite' @@ -117,6 +126,7 @@ runs: with: version: ${{ inputs.version }} cache: ${{ inputs.cache }} + token: ${{ inputs.token-setup-trivy }} - name: Get current date id: date From 08395307c420c48cca92ceb12cea2467b0cd7cc7 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Fri, 25 Oct 2024 11:43:50 +0600 Subject: [PATCH 6/7] docs: fix link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9b7cfd9..2e3ff79 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ * [Cache](#cache) * [Trivy Setup](#trivy-setup) * [Scanning a Tarball](#scanning-a-tarball) - * [Using Trivy with default templates](#using-trivy-with-github-code-scanning) + * [Using Trivy with templates](#using-trivy-with-templates) * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning) * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo) * [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories) From f17a808fdc025f3b10c30d38b7af8bb512b3e41d Mon Sep 17 00:00:00 2001 
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Fri, 25 Oct 2024 12:25:51 +0600 Subject: [PATCH 7/7] docs: fix typo Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e3ff79..5681401 100644 --- a/README.md +++ b/README.md @@ -830,7 +830,7 @@ Following inputs can be used as `step.with` keys: | `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | | `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | -| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin//contrib/junit.tpl`) | +| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) | | `tf-vars` | String | | path to Terraform variables file | | `output` | String | | Save results to a file | | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
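Review bot: in patch 1/7, action.yaml hunk `@@ -113,7 +113,7 @@`, the line `+      uses: DmitriyLewen/setup-trivy@1f28cef0d7f6c3d4bf343e019d2c7d705620b63e` points the published action at a personal fork, so every consumer of `trivy-action` would execute installer code from that fork instead of from `aquasecurity/setup-trivy`. Patch 3/7 switches it back to `aquasecurity/setup-trivy@v0.2.2`, so the series ends in a safe state, but squash 1/7 and 3/7 together so that no commit on the main branch ever references the fork; a bisect or cherry-pick landing on the intermediate commit would otherwise pull the fork.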
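Review bot: in patch 2/7, README.md hunk `@@ -16,6 +16,7 @@`, the new table-of-contents entry `+  * [Using Trivy with default templates](#using-trivy-with-github-code-scanning)` links to the wrong anchor and uses a different title from the section it introduces (`### Using Trivy with templates`). Patch 6/7 repairs it to `[Using Trivy with templates](#using-trivy-with-templates)`; fold that fix into this commit so the intermediate commit does not ship a broken link.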
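Review bot: in patch 2/7, README.md hunk `@@ -307,6 +308,64 @@`, the default-templates example `+      template: "@./$HOME/.local/bin/trivy-bin/contrib/html.tpl"` prefixes an absolute `$HOME` path with `./`, which resolves to a non-existent `./home/<user>/...` path; patch 4/7 drops the `./`, and that correction belongs in this commit. Separately, the GitHub Actions runner does not shell-expand `with:` values (only `${{ }}` expressions are evaluated), so please confirm in a real workflow run that `$HOME` is expanded on the way to `trivy --template`; if it is not, document the resolved runner path or an expression instead. The sentence "`setup-trivy` install them in `$HOME/.local/bin/trivy-bin/contrib` directory" should read "installs them into the ... directory" (patch 3/7 makes this wording fix).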
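Review bot: in patch 2/7, README.md hunk `@@ -754,8 +813,8 @@`, the `template` row's second example `@./$HOME/.local/bin/trivy-bin//contrib/junit.tpl` carries both the `./$HOME` problem and a doubled slash; patches 5/7 and 7/7 fix these one at a time, so land the row correct once here. The `format` row (and the `scanners` row in the following `@@ -769,7 +828,7 @@` hunk) is removed and re-added with no visible change, which looks like trailing-whitespace churn; drop those lines from the diff so the hunk shows only the intended edit.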
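Review bot: in patch 5/7, README.md hunk `@@ -280,6 +280,22 @@`, the example step is named `Run Trivy scanner without cache` but demonstrates `token-setup-trivy`, and "GitHub even has [create-github-app-token] for similar cases" does not say how it relates; rename the step and state plainly that a short-lived token minted by `actions/create-github-app-token` can be passed in place of a PAT. Since the description in action.yaml says the token is only used to fetch the Trivy repository, the docs should also say that the secret needs read-only access to public repositories and nothing more, so GHES users do not mint an over-privileged PAT for this step.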
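Review bot: in patch 5/7, README.md hunk `@@ -834,8 +850,9 @@`, the new row `+| `token-setup-trivy` | Boolean | | Overwrite `github.token` ...` declares the input as `Boolean`, but it carries a token string and the example passes `${{ secrets.GITHUB_PAT }}`; change the type to `String` and fill the default column with `github.token` to match `default: ${{ github.token }}` in action.yaml. The `version` bump from `v0.56.1` to `v0.56.2` in the same hunk is unrelated to the subject of this PR and reads better as its own commit.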
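Review bot: in patch 5/7, action.yaml hunk `@@ -107,6 +107,15 @@`, the description line `+      `token-setup-trivy` is required when `github.token` in invalid for `https://github.com` server.` has a typo ("in invalid" should be "is invalid"). Defaulting to `${{ github.token }}` is the right least-privilege choice, and the second hunk `@@ -117,6 +126,7 @@` shows its only consumer (`+        token: ${{ inputs.token-setup-trivy }}` passed to `setup-trivy`); say so in the description with one sentence, so anyone auditing the action can see that the forwarded token never reaches the scan step itself.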