aquasecurity/trivy-action
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy-action.git synced 2026-05-14 03:02:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: update README (#493)

Browse Source 
Signed-off-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
This commit is contained in:
Nikita Pivkin
2025-12-09 06:02:57 +06:00
committed by GitHub
parent 0317097f59
commit df65449f48
1 changed files with 76 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+76 -32
View File
@@ -50,7 +50,7 @@ jobs:
- name: Build an image from Dockerfile - name: Build an image from Dockerfile
run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} . run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table' format: 'table'
@@ -78,7 +78,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode - name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'fs' scan-type: 'fs'
scan-ref: '.' scan-ref: '.'
@@ -119,7 +119,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme
```yaml ```yaml
- name: Run Trivy scanner without cache - name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'fs' scan-type: 'fs'
scan-ref: '.' scan-ref: '.'
@@ -180,7 +180,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
```yaml ```yaml
- name: Run Trivy scanner without downloading DBs - name: Run Trivy scanner without downloading DBs
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'image' scan-type: 'image'
scan-ref: 'myimage' scan-ref: 'myimage'
@@ -287,7 +287,7 @@ Therefore, you can't install `Trivy` using the `setup-trivy` action.
To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input: To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
```yaml ```yaml
- name: Run Trivy scanner without cache - name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'fs' scan-type: 'fs'
scan-ref: '.' scan-ref: '.'
@@ -318,7 +318,7 @@ jobs:
docker save -o vuln-image.tar <your-docker-image> docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode - name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
input: /github/workspace/vuln-image.tar input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH' severity: 'CRITICAL,HIGH'
@@ -345,7 +345,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: "fs" scan-type: "fs"
scan-ref: . scan-ref: .
@@ -374,7 +374,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: "fs" scan-type: "fs"
scan-ref: . scan-ref: .
@@ -395,6 +395,9 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
@@ -404,14 +407,14 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} . docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif' format: 'sarif'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
@@ -430,6 +433,9 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
@@ -439,14 +445,14 @@ jobs:
docker build -t docker.io/my-organization/my-app:${{ github.sha }} . docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif' format: 'sarif'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
if: always() if: always()
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
@@ -455,7 +461,7 @@ jobs:
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
### Using Trivy to scan your Git repo ### Using Trivy to scan your Git repo
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml ```yaml
@@ -469,12 +475,15 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode - name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'fs' scan-type: 'fs'
ignore-unfixed: true ignore-unfixed: true
@@ -483,13 +492,13 @@ jobs:
severity: 'CRITICAL' severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
### Using Trivy to scan your rootfs directories ### Using Trivy to scan your rootfs directories
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml ```yaml
@@ -503,12 +512,15 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner with rootfs command - name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'rootfs' scan-type: 'rootfs'
scan-ref: 'rootfs-example-binary' scan-ref: 'rootfs-example-binary'
@@ -518,13 +530,15 @@ jobs:
severity: 'CRITICAL' severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
### Using Trivy to scan Infrastructure as Code ### Using Trivy to scan Infrastructure as Code
It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR. It's also possible to scan your IaC repos with Trivy's built-in repo scan.
This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo.
This helps you identify potential vulnerabilities that might get introduced with each PR.
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml ```yaml
@@ -538,12 +552,15 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode - name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'config' scan-type: 'config'
hide-progress: true hide-progress: true
@@ -553,11 +570,26 @@ jobs:
severity: 'CRITICAL,HIGH' severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 if: always()
uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
**Note**: If your Terraform configuration contains private modules, configure Git to authenticate with the repository hosting them.
This can be done by adding a step in your CI workflow that sets up access, for example using a Personal Access Token (PAT) or SSH keys:
```yaml
- name: Configure Git for private modules
run: |
git config --global url."https://$GITHUB_USER:$PRIVATE_REPO_TOKEN@github.com/".insteadOf "https://github.com/"
env:
GITHUB_USER: ${{ github.actor }}
PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}
```
This ensures Trivy can download private modules.
### Using Trivy to generate SBOM ### Using Trivy to generate SBOM
It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
@@ -585,7 +617,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'fs' scan-type: 'fs'
format: 'github' format: 'github'
@@ -615,7 +647,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Scan image in a private registry - name: Scan image in a private registry
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: "private_image_registry/image_name:image_tag" image-ref: "private_image_registry/image_name:image_tag"
scan-type: image scan-type: image
@@ -653,12 +685,15 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF results to the GitHub Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif' format: 'sarif'
@@ -668,7 +703,7 @@ jobs:
TRIVY_PASSWORD: Password TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
@@ -689,12 +724,15 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}' image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
format: 'sarif' format: 'sarif'
@@ -705,7 +743,7 @@ jobs:
AWS_DEFAULT_REGION: us-west-2 AWS_DEFAULT_REGION: us-west-2
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
@@ -725,12 +763,15 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif' format: 'sarif'
@@ -739,7 +780,7 @@ jobs:
GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
@@ -758,12 +799,15 @@ jobs:
build: build:
name: Build name: Build
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read # Required to checkout and read repo files
security-events: write # Required to upload SARIF files to Security tab
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'sarif' format: 'sarif'
@@ -773,7 +817,7 @@ jobs:
TRIVY_PASSWORD: Password TRIVY_PASSWORD: Password
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v4
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
``` ```
@@ -786,7 +830,7 @@ This step is especially useful for private repositories without [GitHub Advanced
```yaml ```yaml
- name: Run Trivy scanner - name: Run Trivy scanner
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: config scan-type: config
hide-progress: true hide-progress: true