-
Notifications
You must be signed in to change notification settings - Fork 242
/
action.yaml
204 lines (193 loc) · 7.89 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
name: 'Aqua Security Trivy'
description: 'Scans container images for vulnerabilities with Trivy'
author: 'Aqua Security'
inputs:
scan-type:
description: 'Scan type to use for scanning vulnerability'
required: false
default: 'image'
image-ref:
description: 'image reference(for backward compatibility)'
required: false
input:
description: 'reference of tar file to scan'
required: false
default: ''
scan-ref:
description: 'Scan reference'
required: false
default: '.'
exit-code:
description: 'exit code when vulnerabilities were found'
required: false
ignore-unfixed:
description: 'ignore unfixed vulnerabilities'
required: false
default: 'false'
vuln-type: # TODO: rename to pkg-types
description: 'comma-separated list of vulnerability types (os,library)'
required: false
default: 'os,library'
severity:
description: 'severities of vulnerabilities to be displayed'
required: false
default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
format:
description: 'output format (table, json, template)'
required: false
default: 'table'
template:
description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)'
required: false
default: ''
output:
description: 'writes results to a file with the specified file name'
required: false
default: ''
skip-dirs:
description: 'comma separated list of directories where traversal is skipped'
required: false
default: ''
skip-files:
description: 'comma separated list of files to be skipped'
required: false
default: ''
cache-dir:
description: 'specify where the cache is stored'
required: false
default: '${{ github.workspace }}/.cache/trivy'
timeout:
description: 'timeout (default 5m0s)'
required: false
default: ''
ignore-policy:
description: 'filter vulnerabilities with OPA rego language'
required: false
default: ''
hide-progress:
description: 'suppress progress bar and log output'
required: false
list-all-pkgs:
description: 'output all packages regardless of vulnerability'
required: false
default: 'false'
scanners:
description: 'comma-separated list of what security issues to detect'
required: false
default: ''
trivyignores:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
trivy-config:
description: 'path to trivy.yaml config'
required: false
tf-vars:
description: "path to terraform tfvars file"
required: false
limit-severities-for-sarif:
description: 'limit severities for SARIF format'
required: false
docker-host:
description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock'
required: false
version:
description: 'Trivy version to use'
required: false
default: 'v0.57.1'
cache:
description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
required: false
default: 'true'
skip-setup-trivy:
description: 'skip calling the setup-trivy action to install trivy'
required: false
default: 'false'
token-setup-trivy:
description: >
`token-setup-trivy` is required when `github.token` in invalid for `https://github.com` server.
See https://github.com/aquasecurity/setup-trivy/?tab=readme-ov-file#install-trivy-with-non-default-token for more details.
`token-setup-trivy` is only used to fetch the Trivy repository in `setup-trivy`
required: false
## ${{ github.token }} is default value for actions/checkout
## cf. https://github.com/actions/checkout/blob/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871/action.yml#L24
default: ${{ github.token }}
runs:
using: 'composite'
steps:
- name: Install Trivy
if: ${{ inputs.skip-setup-trivy == 'false' }}
uses: aquasecurity/[email protected]
with:
version: ${{ inputs.version }}
cache: ${{ inputs.cache }}
token: ${{ inputs.token-setup-trivy }}
- name: Get current date
id: date
shell: bash
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Restore DB from cache
if: ${{ inputs.cache == 'true' }}
uses: actions/cache@v4
with:
path: ${{ inputs.cache-dir }}
key: cache-trivy-${{ steps.date.outputs.date }}
restore-keys: cache-trivy-
- name: Set GitHub Path
run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
shell: bash
env:
GITHUB_ACTION_PATH: ${{ github.action_path }}
- name: Set Trivy environment variables
shell: bash
run: |
# Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
# This limitation affects how we handle default values and empty inputs.
# For more information, see: https://github.com/actions/runner/issues/924
# Function to set environment variable only if the input is provided and different from default
set_env_var_if_provided() {
local var_name="$1"
local input_value="$2"
local default_value="$3"
if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
echo "$var_name=$input_value" >> $GITHUB_ENV
fi
}
# Set environment variables, handling those with default values
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" ""
set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false"
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library"
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table"
set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" ""
set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" ""
set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" ""
set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" ""
set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" ""
set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" ""
set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" ""
set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false"
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" ""
set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" ""
set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" ""
set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" ""
- name: Run Trivy
shell: bash
run: entrypoint.sh
env:
# For shell script
# > If the action is written using a composite, then it will not automatically get INPUT_<VARIABLE_NAME>
# cf. https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
INPUT_SCAN_TYPE: ${{ inputs.scan-type }}
INPUT_IMAGE_REF: ${{ inputs.image-ref }}
INPUT_SCAN_REF: ${{ inputs.scan-ref }}
INPUT_TRIVYIGNORES: ${{ inputs.trivyignores }}
INPUT_GITHUB_PAT: ${{ inputs.github-pat }}
INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}
# For Trivy
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set