From df65449f48b89ca7da6699b2d7620f4eaac2355b Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Tue, 9 Dec 2025 06:02:57 +0600 Subject: [PATCH] chore: update README (#493) Signed-off-by: Nikita Pivkin --- README.md | 108 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 76 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index c7cbbd9..58814df 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ jobs: - name: Build an image from Dockerfile run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'table' @@ -78,7 +78,7 @@ jobs: uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' scan-ref: '.' @@ -119,7 +119,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme ```yaml - name: Run Trivy scanner without cache - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' scan-ref: '.' @@ -180,7 +180,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T ```yaml - name: Run Trivy scanner without downloading DBs - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'image' scan-ref: 'myimage' @@ -287,7 +287,7 @@ Therefore, you can't install `Trivy` using the `setup-trivy` action. To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input: ```yaml - name: Run Trivy scanner without cache - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' scan-ref: '.' @@ -318,7 +318,7 @@ jobs: docker save -o vuln-image.tar - name: Run Trivy vulnerability scanner in tarball mode - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: input: /github/workspace/vuln-image.tar severity: 'CRITICAL,HIGH' @@ -345,7 +345,7 @@ jobs: uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: "fs" scan-ref: . @@ -374,7 +374,7 @@ jobs: uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: "fs" scan-ref: . @@ -395,6 +395,9 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 @@ -404,14 +407,14 @@ jobs: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif' output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` @@ -430,6 +433,9 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 @@ -439,14 +445,14 @@ jobs: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif' output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: 'trivy-results.sarif' @@ -455,7 +461,7 @@ jobs: See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always ### Using Trivy to scan your Git repo -It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. +It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR. If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml @@ -469,12 +475,15 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' ignore-unfixed: true @@ -483,13 +492,13 @@ jobs: severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` ### Using Trivy to scan your rootfs directories -It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. +It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR. If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml @@ -503,12 +512,15 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner with rootfs command - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'rootfs' scan-ref: 'rootfs-example-binary' @@ -518,13 +530,15 @@ jobs: severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` ### Using Trivy to scan Infrastructure as Code -It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. +It's also possible to scan your IaC repos with Trivy's built-in repo scan. +This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. +This helps you identify potential vulnerabilities that might get introduced with each PR. If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml @@ -538,12 +552,15 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in IaC mode - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'config' hide-progress: true @@ -553,11 +570,26 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + if: always() + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` +**Note**: If your Terraform configuration contains private modules, configure Git to authenticate with the repository hosting them. +This can be done by adding a step in your CI workflow that sets up access, for example using a Personal Access Token (PAT) or SSH keys: + +```yaml +- name: Configure Git for private modules + run: | + git config --global url."https://$GITHUB_USER:$PRIVATE_REPO_TOKEN@github.com/".insteadOf "https://github.com/" + env: + GITHUB_USER: ${{ github.actor }} + PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }} +``` +This ensures Trivy can download private modules. + + ### Using Trivy to generate SBOM It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). @@ -585,7 +617,7 @@ jobs: uses: actions/checkout@v4 - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' format: 'github' @@ -615,7 +647,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Scan image in a private registry - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: "private_image_registry/image_name:image_tag" scan-type: image @@ -653,12 +685,15 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF results to the GitHub Security tab steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif' @@ -668,7 +703,7 @@ jobs: TRIVY_PASSWORD: Password - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` @@ -689,12 +724,15 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}' format: 'sarif' @@ -705,7 +743,7 @@ jobs: AWS_DEFAULT_REGION: us-west-2 - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` @@ -725,12 +763,15 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif' @@ -739,7 +780,7 @@ jobs: GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` @@ -758,12 +799,15 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: read # Required to checkout and read repo files + security-events: write # Required to upload SARIF files to Security tab steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif' @@ -773,7 +817,7 @@ jobs: TRIVY_PASSWORD: Password - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' ``` @@ -786,7 +830,7 @@ This step is especially useful for private repositories without [GitHub Advanced ```yaml - name: Run Trivy scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: config hide-progress: true