fix: bump setup-trivy and add new contrib directory path info #424

Merged (8 commits), Oct 25, 2024
65 changes: 63 additions & 2 deletions README.md
Expand Up @@ -16,6 +16,7 @@
* [Cache](#cache)
* [Trivy Setup](#trivy-setup)
* [Scanning a Tarball](#scanning-a-tarball)
* [Using Trivy with templates](#using-trivy-with-templates)
* [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
* [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
* [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories)
Expand Down Expand Up @@ -323,6 +324,64 @@ jobs:
severity: 'CRITICAL,HIGH'
```

### Using Trivy with templates
The action supports [Trivy templates][trivy-templates].

Use `template` input to specify path (remember to prefix the path with `@`) to template file.

```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: "fs"
scan-ref: .
format: 'template'
template: "@path/to/my_template.tpl"
```

#### Default templates
Trivy has [default templates][trivy-default-templates].

By default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory.

```yaml
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: "fs"
scan-ref: .
format: 'template'
template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl"
```

### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
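Review bot: The `uses:` reference in both new workflow examples renders as `aquasecurity/[email protected]`, which is not a valid action reference; it should be a pinned `aquasecurity/trivy-action@<tag or commit SHA>` consistent with the version documented in this README. On the same hunk, `template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl"` depends on `$HOME` being expanded by the action's own shell step, since the runner does not expand shell variables inside `with:` values; worth confirming that this works as written and saying so next to the example. Minor: `actions/checkout@v3` alongside `ubuntu-24.04` could be `actions/checkout@v4`, and the sentence "Use `template` input to specify path (remember to prefix the path with `@`) to template file." reads better as "Use the `template` input to specify the path to the template file (prefix the path with `@`)."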
Expand Down Expand Up @@ -771,7 +830,7 @@ Following inputs can be used as `step.with` keys:
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin//contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
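Review bot: The second example in the new `template` row has a doubled slash: `@$HOME/.local/bin/trivy-bin//contrib/junit.tpl` should be `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`, matching the first example and the directory named in the Default templates section. Since this table is where users look the input up, the `@` prefix requirement from the templates section could be repeated here in the description.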
Expand All @@ -791,7 +850,7 @@ Following inputs can be used as `step.with` keys:
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
| `version` | String | `v0.56.2` | Trivy version to use, e.g. `latest` or `v0.56.2` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |

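Review bot: The `version` default moves to `v0.56.2` in the README table; make sure the default declared in the action's metadata file is bumped to the same value in this PR so the documented and actual defaults do not drift. Also visible in the context lines: `token-setup-trivy` is typed `Boolean` while its description says it overwrites `github.token`, so the type column should read `String`.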
Expand All @@ -809,3 +868,5 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template
[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates