ci(test): add zizmor security linter for GitHub Actions (#502)

* ci: add zizmor security linter for GitHub Actions

* ci: disable advanced-security for zizmor

* ci: pin all actions to commit hashes

* ci: fix zizmor linter errors in workflows

- Add explicit permissions blocks to all workflows
- Set persist-credentials: false for checkout actions
- Fix template injection by using env variables in run blocks

* fix: address zizmor template injection warnings in action.yaml

- Move inputs to env block to prevent template injection
- Add ignore comment for github-env false positive

* ci: fix remaining zizmor linter errors

- Add permissions and persist-credentials to test.yaml
- Fix ignore comment placement for github-env in action.yaml
DmitriyLewen
2026-02-21 04:24:24 +06:00
committed by GitHub
parent c1824fd6ed
commit e368e32897
6 changed files with 104 additions and 43 deletions
+15 -6
@@ -13,8 +13,12 @@ run-name: Bump trivy to v${{ inputs.trivy_version }}
jobs: jobs:
bump: bump:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Update Trivy versions - name: Update Trivy versions
env: env:
@@ -23,11 +27,13 @@ jobs:
- name: Setup Bats and bats libs - name: Setup Bats and bats libs
id: setup-bats id: setup-bats
uses: bats-core/bats-action@3.0.1 uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
- name: Install Trivy - name: Install Trivy
env:
TRIVY_VERSION: ${{ inputs.trivy_version }}
run: | run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ inputs.trivy_version }} curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
trivy --version trivy --version
- name: Update golden files - name: Update golden files
@@ -42,7 +48,7 @@ jobs:
- name: Create PR - name: Create PR
id: create-pr id: create-pr
uses: peter-evans/create-pull-request@v5 uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5
with: with:
token: ${{ secrets.ORG_REPO_TOKEN }} token: ${{ secrets.ORG_REPO_TOKEN }}
title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}" title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
@@ -54,6 +60,9 @@ jobs:
delete-branch: true delete-branch: true
- name: Check outputs - name: Check outputs
env:
PR_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
run: | run: |
echo "Pull Request Number - ${{ steps.create-pr.outputs.pull-request-number }}" echo "Pull Request Number - ${PR_NUMBER}"
echo "Pull Request URL - ${{ steps.create-pr.outputs.pull-request-url }}" echo "Pull Request URL - ${PR_URL}"
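Review bot: The Install Trivy step in the second hunk still pipes `https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh` straight into `sh`, so the one thing this workflow executes that is not pinned is the installer itself, fetched from a moving branch, which sits oddly in a commit whose point is pinning every action to a commit hash. Moving the version into `TRIVY_VERSION` and quoting it closes the template-injection hole, but a script pulled from `main` can change without any diff in this repository. I would fetch it from a fixed ref, e.g. `.../aquasecurity/trivy/<pinned-ref>/contrib/install.sh` (or download the release binary and verify its checksum), and record the pinned ref beside it the way the action pins carry `# v4`. The Install Trivy step of the fifth file (apparently test.yaml) is cut off in this view, so I cannot confirm whether it follows the same pattern.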
+9 -4
@@ -9,14 +9,19 @@ env:
jobs: jobs:
sync-trivy-checks: sync-trivy-checks:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: setup-oras - name: setup-oras
uses: oras-project/setup-oras@v1.2.3 uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
- name: Login to GitHub Packages Container registry - name: Login to GitHub Packages Container registry
uses: docker/login-action@v3 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with: with:
registry: ${{ env.REGISTRY }} registry: ${{ env.REGISTRY }}
username: ${{ github.actor }} username: ${{ github.actor }}
@@ -24,4 +29,4 @@ jobs:
- name: Copy Trivy Checks - name: Copy Trivy Checks
run: | run: |
oras cp ghcr.io/aquasecurity/trivy-checks:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest oras cp ghcr.io/aquasecurity/trivy-checks:2 "${REGISTRY}/${IMAGE_NAME}:latest"
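Review bot: The Copy Trivy Checks run block now reads `${REGISTRY}` and `${IMAGE_NAME}` from the shell environment, but nothing checks that they are set, so a missing or misspelled entry in the workflow-level `env:` block (above this hunk) expands to an empty string and the failure would surface as an oras reference error rather than a clear pointer to the missing variable. A one-line guard before the copy makes it explicit: `: "${REGISTRY:?REGISTRY is unset}" "${IMAGE_NAME:?IMAGE_NAME is unset}"`. The Copy Trivy DB and Copy Trivy Java DB steps in the next two files have the same shape and would take the same line.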
+9 -4
@@ -9,14 +9,19 @@ env:
jobs: jobs:
sync-trivy-db: sync-trivy-db:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: setup-oras - name: setup-oras
uses: oras-project/setup-oras@v1.2.3 uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
- name: Login to GitHub Packages Container registry - name: Login to GitHub Packages Container registry
uses: docker/login-action@v3 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with: with:
registry: ${{ env.REGISTRY }} registry: ${{ env.REGISTRY }}
username: ${{ github.actor }} username: ${{ github.actor }}
@@ -24,4 +29,4 @@ jobs:
- name: Copy Trivy DB - name: Copy Trivy DB
run: | run: |
oras cp ghcr.io/aquasecurity/trivy-db:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest oras cp ghcr.io/aquasecurity/trivy-db:2 "${REGISTRY}/${IMAGE_NAME}:latest"
+9 -4
@@ -9,14 +9,19 @@ env:
jobs: jobs:
sync-trivy-db: sync-trivy-db:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: setup-oras - name: setup-oras
uses: oras-project/setup-oras@v1.2.3 uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
- name: Login to GitHub Packages Container registry - name: Login to GitHub Packages Container registry
uses: docker/login-action@v3 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with: with:
registry: ${{ env.REGISTRY }} registry: ${{ env.REGISTRY }}
username: ${{ github.actor }} username: ${{ github.actor }}
@@ -24,4 +29,4 @@ jobs:
- name: Copy Trivy Java DB - name: Copy Trivy Java DB
run: | run: |
oras cp ghcr.io/aquasecurity/trivy-java-db:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest oras cp ghcr.io/aquasecurity/trivy-java-db:1 "${REGISTRY}/${IMAGE_NAME}:latest"
+20 -2
@@ -10,14 +10,32 @@ env:
BATS_LIB_PATH: '/usr/lib/' BATS_LIB_PATH: '/usr/lib/'
jobs: jobs:
lint:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
with:
advanced-security: false
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Setup Bats and bats libs - name: Setup Bats and bats libs
id: setup-bats id: setup-bats
uses: bats-core/bats-action@3.0.1 uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
- name: Install Trivy - name: Install Trivy
run: | run: |
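Review bot: The new lint job sets `advanced-security: false` on the zizmor action without saying why, and neither the job nor the commit message explains what a finding does to the job in that mode, so the next person to touch this will not know whether switching it on is safe or what `lint` is expected to fail on. I would put the reason on the step, e.g. `# advanced-security: false skips the SARIF upload to code scanning (presumably not enabled for this repo — confirm); findings then have to be read from the job log — verify`. The checkout with `persist-credentials: false` and the read-only `permissions` block are the right shape for a job that only needs to read the workflow files. The test job's Install Trivy run block at the end of this hunk continues outside this view.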
+42 -23
@@ -146,7 +146,7 @@ runs:
restore-keys: cache-trivy- restore-keys: cache-trivy-
- name: Set GitHub Path - name: Set GitHub Path
run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH # zizmor: ignore[github-env]
shell: bash shell: bash
env: env:
GITHUB_ACTION_PATH: ${{ github.action_path }} GITHUB_ACTION_PATH: ${{ github.action_path }}
@@ -161,6 +161,25 @@ runs:
- name: Set Trivy environment variables - name: Set Trivy environment variables
shell: bash shell: bash
env:
INPUT_INPUT: ${{ inputs.input }}
INPUT_EXIT_CODE: ${{ inputs.exit-code }}
INPUT_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
INPUT_VULN_TYPE: ${{ inputs.vuln-type }}
INPUT_SEVERITY: ${{ inputs.severity }}
INPUT_FORMAT: ${{ inputs.format }}
INPUT_TEMPLATE: ${{ inputs.template }}
INPUT_OUTPUT: ${{ inputs.output }}
INPUT_SKIP_DIRS: ${{ inputs.skip-dirs }}
INPUT_SKIP_FILES: ${{ inputs.skip-files }}
INPUT_TIMEOUT: ${{ inputs.timeout }}
INPUT_IGNORE_POLICY: ${{ inputs.ignore-policy }}
INPUT_HIDE_PROGRESS: ${{ inputs.hide-progress }}
INPUT_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }}
INPUT_SCANNERS: ${{ inputs.scanners }}
INPUT_TRIVY_CONFIG: ${{ inputs.trivy-config }}
INPUT_TF_VARS: ${{ inputs.tf-vars }}
INPUT_DOCKER_HOST: ${{ inputs.docker-host }}
run: | run: |
# Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions. # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
# This limitation affects how we handle default values and empty inputs. # This limitation affects how we handle default values and empty inputs.
@@ -175,41 +194,41 @@ runs:
# #
# As noted above defaults are awkward to handle as GitHub Actions will inject those values as the input # As noted above defaults are awkward to handle as GitHub Actions will inject those values as the input
# if the caller doesn't provide them, thus if the input matches the default we don't set it as we # if the caller doesn't provide them, thus if the input matches the default we don't set it as we
# can't tell the difference. Plus if we did set it when it was the default value then it could potentially # can't tell the difference. Plus if we did set it when it was the default value then it could potentially
# override an external environment variable, or something in the callers configuration file, which then wouldn't # override an external environment variable, or something in the callers configuration file, which then wouldn't
# match the configuration priority that is documented. # match the configuration priority that is documented.
set_env_var_if_provided() { set_env_var_if_provided() {
local var_name="$1" local var_name="$1"
local input_value="$2" local input_value="$2"
local default_value="$3" local default_value="$3"
if [ -n "$input_value" ] && [ "$input_value" != "$default_value" ]; then if [ -n "$input_value" ] && [ "$input_value" != "$default_value" ]; then
# If action was provided with explicit input by the caller set that # If action was provided with explicit input by the caller set that
# Use printf %q to safely escape special characters and prevent command injection # Use printf %q to safely escape special characters and prevent command injection
printf 'export %s=%q\n' "$var_name" "$input_value" >> trivy_envs.txt printf 'export %s=%q\n' "$var_name" "$input_value" >> trivy_envs.txt
fi fi
} }
# Set environment variables, handling those with default values # Set environment variables, handling those with default values
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" "" set_env_var_if_provided "TRIVY_INPUT" "$INPUT_INPUT" ""
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" "" set_env_var_if_provided "TRIVY_EXIT_CODE" "$INPUT_EXIT_CODE" ""
set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false" set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "$INPUT_IGNORE_UNFIXED" "false"
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library" set_env_var_if_provided "TRIVY_PKG_TYPES" "$INPUT_VULN_TYPE" "os,library"
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" set_env_var_if_provided "TRIVY_SEVERITY" "$INPUT_SEVERITY" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table" set_env_var_if_provided "TRIVY_FORMAT" "$INPUT_FORMAT" "table"
set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" "" set_env_var_if_provided "TRIVY_TEMPLATE" "$INPUT_TEMPLATE" ""
set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" "" set_env_var_if_provided "TRIVY_OUTPUT" "$INPUT_OUTPUT" ""
set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" "" set_env_var_if_provided "TRIVY_SKIP_DIRS" "$INPUT_SKIP_DIRS" ""
set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" "" set_env_var_if_provided "TRIVY_SKIP_FILES" "$INPUT_SKIP_FILES" ""
set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" "" set_env_var_if_provided "TRIVY_TIMEOUT" "$INPUT_TIMEOUT" ""
set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" "" set_env_var_if_provided "TRIVY_IGNORE_POLICY" "$INPUT_IGNORE_POLICY" ""
set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" "" set_env_var_if_provided "TRIVY_QUIET" "$INPUT_HIDE_PROGRESS" ""
set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false" set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "$INPUT_LIST_ALL_PKGS" "false"
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" "" set_env_var_if_provided "TRIVY_SCANNERS" "$INPUT_SCANNERS" ""
set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" "" set_env_var_if_provided "TRIVY_CONFIG" "$INPUT_TRIVY_CONFIG" ""
set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" "" set_env_var_if_provided "TRIVY_TF_VARS" "$INPUT_TF_VARS" ""
set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" "" set_env_var_if_provided "TRIVY_DOCKER_HOST" "$INPUT_DOCKER_HOST" ""
- name: Run Trivy - name: Run Trivy
shell: bash shell: bash