chore: update action version to v0.36.0 in examples (#563)

Co-authored-by: GitHub Actions <actions@github.com>

.github/dependabot.yaml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 7
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/bump-trivy.yaml

@@ -12,9 +12,13 @@ run-name: Bump trivy to v${{ inputs.trivy_version }}
 
 jobs:
   bump:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-2404-2core
+    permissions:
+      contents: read # for actions/checkout
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Update Trivy versions
         env:
@@ -23,12 +27,10 @@ jobs:
 
       - name: Setup Bats and bats libs
         id: setup-bats
-        uses: bats-core/bats-action@3.0.1
+        uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0
 
       - name: Install Trivy
-        run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ inputs.trivy_version }}
-          trivy --version
+        run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
 
       - name: Update golden files
         env:
@@ -41,19 +43,25 @@ jobs:
         run: make test
 
       - name: Create PR
-        id: create-pr
-        uses: peter-evans/create-pull-request@v5
-        with:
-          token: ${{ secrets.ORG_REPO_TOKEN }}
-          title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
-          commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
-          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
-          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-          branch-suffix: timestamp
-          branch: bump-trivy
-          delete-branch: true
-
-      - name: Check outputs
+        env:
+          GH_TOKEN: ${{ secrets.TRIVY_ACTION_DEPLOY_TOKEN }}
+          TRIVY_VERSION: ${{ inputs.trivy_version }}
+          REPO: ${{ github.repository }}
+          BASE_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
-          echo "Pull Request Number - ${{ steps.create-pr.outputs.pull-request-number }}"
-          echo "Pull Request URL - ${{ steps.create-pr.outputs.pull-request-url }}"
+          gh auth setup-git
+          git config user.name "GitHub Actions"
+          git config user.email "actions@github.com"
+          BRANCH="bump-trivy-${TRIVY_VERSION}"
+          git checkout -b "${BRANCH}"
+          git add action.yaml README.md test/
+          git commit -m "chore(deps): Update trivy to v${TRIVY_VERSION}"
+          git push origin "${BRANCH}"
+          PR_RESPONSE=$(gh api repos/${REPO}/pulls \
+            --method POST \
+            --field title="chore(deps): Update trivy to v${TRIVY_VERSION}" \
+            --field body="This PR was automatically generated by the bump-trivy workflow." \
+            --field base="${BASE_BRANCH}" \
+            --field head="${BRANCH}")
+          echo "Pull Request Number - $(echo "${PR_RESPONSE}" | jq -r '.number')"
+          echo "Pull Request URL - $(echo "${PR_RESPONSE}" | jq -r '.html_url')"

.github/workflows/sync-trivy-checks.yaml

@@ -1,27 +0,0 @@
-name: Sync Trivy Checks
-
-on:
-  workflow_dispatch:
-env:
-  IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks-act
-  REGISTRY: ghcr.io
-
-jobs:
-  sync-trivy-checks:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: setup-oras
-        uses: oras-project/setup-oras@v1.2.3
-
-      - name: Login to GitHub Packages Container registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Copy Trivy Checks
-        run: |
-          oras cp ghcr.io/aquasecurity/trivy-checks:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

.github/workflows/sync-trivy-db.yaml

@@ -1,27 +0,0 @@
-name: Sync Trivy DB
-
-on:
-  workflow_dispatch:
-env:
-  IMAGE_NAME: ${{ github.repository_owner }}/trivy-db-act
-  REGISTRY: ghcr.io
-
-jobs:
-  sync-trivy-db:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: setup-oras
-        uses: oras-project/setup-oras@v1.2.3
-
-      - name: Login to GitHub Packages Container registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Copy Trivy DB
-        run: |
-          oras cp ghcr.io/aquasecurity/trivy-db:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

.github/workflows/sync-trivy-java-db.yaml

@@ -1,27 +0,0 @@
-name: Sync Trivy Java DB
-
-on:
-  workflow_dispatch:
-env:
-  IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db-act
-  REGISTRY: ghcr.io
-
-jobs:
-  sync-trivy-db:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: setup-oras
-        uses: oras-project/setup-oras@v1.2.3
-
-      - name: Login to GitHub Packages Container registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Copy Trivy Java DB
-        run: |
-          oras cp ghcr.io/aquasecurity/trivy-java-db:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

.github/workflows/test.yaml

@@ -6,23 +6,38 @@ on:
   workflow_dispatch:
 
 env:
-  TRIVY_VERSION: 0.69.1
   BATS_LIB_PATH: '/usr/lib/'
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Bats and bats libs
         id: setup-bats
-        uses: bats-core/bats-action@3.0.1
+        uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0
 
       - name: Install Trivy
-        run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
-          trivy --version
+        run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
 
       - name: Test
         env:

.gitignore

@@ -4,4 +4,7 @@
 trivyignores
 .vscode/
 
-.cache
+.cache
+
+# Local tools
+.bin/

Makefile

@@ -8,30 +8,66 @@ else
   BATS_LIB_PATH ?= /usr/local/lib/
 endif
 
+LOCAL_BIN := $(CURDIR)/.bin
+TRIVY_INSTALL_DIR ?= $(LOCAL_BIN)
+LOCAL_TRIVY := $(TRIVY_INSTALL_DIR)/trivy
+
+ifeq ($(shell [ -f $(LOCAL_TRIVY) ] && [ -z "$(CI)" ] && echo yes),yes)
+TRIVY_CMD := $(LOCAL_TRIVY)
+else
+TRIVY_CMD ?= trivy
+endif
+
+CACHE_DIR := '.cache'
+
+ACTION_FILE := action.yaml
+
+CURRENT_TRIVY_VERSION := $(shell yq '.inputs.version.default' $(ACTION_FILE) 2>/dev/null | tr -d 'v')
+
 BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
-	GITHUB_REPOSITORY_OWNER=aquasecurity \
-	TRIVY_CACHE_DIR=.cache \
-	TRIVY_DISABLE_VEX_NOTICE=true \
+	TRIVY_CACHE_DIR=$(CACHE_DIR) \
 	TRIVY_DEBUG=true
 
-BATS_FLAGS := --recursive --timing --verbose-run .
+BATS_FLAGS := --timing --verbose-run test/test.bats
 
 .PHONY: test
-test: init-cache
-	$(BATS_ENV) bats $(BATS_FLAGS)
+test:
+	TRIVY_CMD=$(TRIVY_CMD) $(BATS_ENV) bats $(BATS_FLAGS)
 
 .PHONY: update-golden
-update-golden: init-cache
-	UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
+update-golden:
+	UPDATE_GOLDEN=1 TRIVY_CMD=$(TRIVY_CMD) $(BATS_ENV) bats $(BATS_FLAGS)
 
-.PHONY: init-cache
-init-cache:
-	mkdir -p .cache
-	rm -f .cache/fanal/fanal.db
+.PHONY: clean-cache
+clean-cache:
+	$(TRIVY_CMD) clean --scan-cache --cache-dir $(CACHE_DIR)
 
-bump-trivy:
+.PHONY: check-yq
+check-yq:
+	@command -v yq >/dev/null 2>&1 || (echo "yq is required but not installed. Install it from https://github.com/mikefarah/yq"; exit 1)
+
+bump-trivy: check-yq
 	@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
-	@CURRENT_VERSION=$$(grep "TRIVY_VERSION:" .github/workflows/test.yaml | awk '{print $$2}');\
-	echo Current version: $$CURRENT_VERSION ;\
+	@echo Current version: $(CURRENT_TRIVY_VERSION) ;\
 	echo New version: $$NEW_VERSION ;\
-	$(SED) -i -e "s/$$CURRENT_VERSION/$$NEW_VERSION/g" README.md action.yaml .github/workflows/test.yaml ;\
+	$(SED) -i -e "s/$(CURRENT_TRIVY_VERSION)/$$NEW_VERSION/g" \
+		README.md $(ACTION_FILE)
+
+.PHONY: ensure-trivy
+ensure-trivy: check-yq
+	@set -e; \
+	mkdir -p $(TRIVY_INSTALL_DIR); \
+	if [ -x $(LOCAL_TRIVY) ]; then \
+		CURRENT_VERSION="$$( $(LOCAL_TRIVY) version -f json | jq -r '.Version' )"; \
+	else \
+		CURRENT_VERSION=none; \
+	fi; \
+	echo "Required: $(CURRENT_TRIVY_VERSION)"; \
+	echo "Current:  $$CURRENT_VERSION"; \
+	if [ "$$CURRENT_VERSION" != "$(CURRENT_TRIVY_VERSION)" ]; then \
+		echo "Installing Trivy $(CURRENT_TRIVY_VERSION) locally..."; \
+		curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
+		sh -s -- -b $(TRIVY_INSTALL_DIR) v$(CURRENT_TRIVY_VERSION); \
+	else \
+		echo "Trivy $(CURRENT_TRIVY_VERSION) already present."; \
+	fi

README.md

@@ -50,7 +50,7 @@ jobs:
       - name: Build an image from Dockerfile
         run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
           format: 'table'
@@ -78,7 +78,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Run Trivy vulnerability scanner in fs mode
-      uses: aquasecurity/trivy-action@0.33.1
+      uses: aquasecurity/trivy-action@v0.36.0
       with:
         scan-type: 'fs'
         scan-ref: '.'
@@ -119,7 +119,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme
 
 ```yaml
     - name: Run Trivy scanner without cache
-      uses: aquasecurity/trivy-action@0.33.1
+      uses: aquasecurity/trivy-action@v0.36.0
       with:
         scan-type: 'fs'
         scan-ref: '.'
@@ -180,7 +180,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
 
 ```yaml
     - name: Run Trivy scanner without downloading DBs
-      uses: aquasecurity/trivy-action@0.33.1
+      uses: aquasecurity/trivy-action@v0.36.0
       with:
         scan-type: 'image'
         scan-ref: 'myimage'
@@ -215,7 +215,7 @@ jobs:
       uses: aquasecurity/setup-trivy@v0.2.0
       with:
         cache: true
-        version: v0.69.1
+        version: v0.70.0
 
     - name: Run Trivy vulnerability scanner in repo mode
       uses: aquasecurity/trivy-action@master
@@ -287,7 +287,7 @@ Therefore, you can't install `Trivy` using the `setup-trivy` action.
 To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
 ```yaml
     - name: Run Trivy scanner without cache
-      uses: aquasecurity/trivy-action@0.33.1
+      uses: aquasecurity/trivy-action@v0.36.0
       with:
         scan-type: 'fs'
         scan-ref: '.'
@@ -318,7 +318,7 @@ jobs:
         docker save -o vuln-image.tar <your-docker-image>
 
     - name: Run Trivy vulnerability scanner in tarball mode
-      uses: aquasecurity/trivy-action@0.33.1
+      uses: aquasecurity/trivy-action@v0.36.0
       with:
         input: /github/workspace/vuln-image.tar
         severity: 'CRITICAL,HIGH'
@@ -345,7 +345,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           scan-type: "fs"
           scan-ref: .
@@ -374,7 +374,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           scan-type: "fs"
           scan-ref: .
@@ -407,7 +407,7 @@ jobs:
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
           format: 'sarif'
@@ -445,7 +445,7 @@ jobs:
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
           format: 'sarif'
@@ -483,7 +483,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -520,7 +520,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner with rootfs command
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           scan-type: 'rootfs'
           scan-ref: 'rootfs-example-binary'
@@ -560,7 +560,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           scan-type: 'config'
           hide-progress: true
@@ -617,7 +617,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           scan-type: 'fs'
           format: 'github'
@@ -647,7 +647,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Scan image in a private registry
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: "private_image_registry/image_name:image_tag"
           scan-type: image
@@ -693,7 +693,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
           format: 'sarif'
@@ -732,7 +732,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
           format: 'sarif'
@@ -751,7 +751,7 @@ jobs:
 #### GCR (Google Container Registry)
 Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
 
-If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.
+If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```yaml
 name: build
 on:
@@ -771,13 +771,13 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
           format: 'sarif'
           output: 'trivy-results.sarif'
         env:
-          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json
+          GOOGLE_APPLICATION_CREDENTIALS: /path/to/credential.json
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4
@@ -807,7 +807,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
           format: 'sarif'
@@ -830,7 +830,7 @@ This step is especially useful for private repositories without [GitHub Advanced
 
 ```yaml
 - name: Run Trivy scanner
-  uses: aquasecurity/trivy-action@0.33.1
+  uses: aquasecurity/trivy-action@v0.36.0
   with:
     scan-type: config
     hide-progress: true
@@ -886,12 +886,12 @@ Following inputs can be used as `step.with` keys:
 | `hide-progress`              | String  | `false`                            | Suppress progress bar and log output                                                                                                                             |
 | `list-all-pkgs`              | String  |                                    | Output all packages regardless of vulnerability                                                                                                                  |
 | `scanners`                   | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`)                                                                   |
-| `trivyignores`               | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files                                                                         |
+| `trivyignores`               | String  |                                    | comma-separated list of relative paths within the repository to one or more `.trivyignore` files, or a single `.trivyignore.yaml` file.                          |
 | `trivy-config`               | String  |                                    | Path to trivy.yaml config                                                                                                                                        |
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN          |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true**   |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
-| `version`                    | String  | `v0.69.1`                          | Trivy version to use, e.g. `latest` or `v0.69.1`                                                                                                                 |
+| `version`                    | String  | `v0.70.0`                          | Trivy version to use, e.g. `latest` or `v0.70.0`                                                                                                                 |
 | `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                         |
 | `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                                |
 

action.yaml

@@ -77,7 +77,7 @@ inputs:
     required: false
     default: ''
   trivyignores:
-    description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
+    description: 'comma-separated list of relative paths within the repository to one or more .trivyignore files, or a single .trivyignore.yaml file.'
     required: false
     default: ''
   github-pat:
@@ -98,7 +98,7 @@ inputs:
   version:
     description: 'Trivy version to use'
     required: false
-    default: 'v0.69.1'
+    default: 'v0.70.0'
   cache:
     description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
     required: false
@@ -126,7 +126,7 @@ runs:
       # "allowing select actions" feature can be used to whitelist the dependent action by a hash.
       # This is needed since some organizations have a policy to only allow pinned 3rd party actions to 
       # be used.
-      uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # equivalent to `v0.2.4`
+      uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.6
       with:
         version: ${{ inputs.version }}
         cache: ${{ inputs.cache }}
@@ -139,14 +139,14 @@ runs:
 
     - name: Restore DB from cache
       if: ${{ inputs.cache == 'true' }}
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ${{ inputs.cache-dir }}
         key: cache-trivy-${{ steps.date.outputs.date }}
         restore-keys: cache-trivy-
 
     - name: Set GitHub Path
-      run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
+      run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH # zizmor: ignore[github-env]
       shell: bash
       env:
         GITHUB_ACTION_PATH: ${{ github.action_path }}
@@ -161,6 +161,25 @@ runs:
 
     - name: Set Trivy environment variables
       shell: bash
+      env:
+        INPUT_INPUT: ${{ inputs.input }}
+        INPUT_EXIT_CODE: ${{ inputs.exit-code }}
+        INPUT_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
+        INPUT_VULN_TYPE: ${{ inputs.vuln-type }}
+        INPUT_SEVERITY: ${{ inputs.severity }}
+        INPUT_FORMAT: ${{ inputs.format }}
+        INPUT_TEMPLATE: ${{ inputs.template }}
+        INPUT_OUTPUT: ${{ inputs.output }}
+        INPUT_SKIP_DIRS: ${{ inputs.skip-dirs }}
+        INPUT_SKIP_FILES: ${{ inputs.skip-files }}
+        INPUT_TIMEOUT: ${{ inputs.timeout }}
+        INPUT_IGNORE_POLICY: ${{ inputs.ignore-policy }}
+        INPUT_HIDE_PROGRESS: ${{ inputs.hide-progress }}
+        INPUT_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }}
+        INPUT_SCANNERS: ${{ inputs.scanners }}
+        INPUT_TRIVY_CONFIG: ${{ inputs.trivy-config }}
+        INPUT_TF_VARS: ${{ inputs.tf-vars }}
+        INPUT_DOCKER_HOST: ${{ inputs.docker-host }}
       run: |
         # Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
         # This limitation affects how we handle default values and empty inputs.
@@ -175,41 +194,41 @@ runs:
         #
         # As noted above defaults are awkward to handle as GitHub Actions will inject those values as the input
         # if the caller doesn't provide them, thus if the input matches the default we don't set it as we
-        # can't tell the difference.  Plus if we did set it when it was the default value then it could potentially 
-        # override an external environment variable, or something in the callers configuration file, which then wouldn't 
+        # can't tell the difference.  Plus if we did set it when it was the default value then it could potentially
+        # override an external environment variable, or something in the callers configuration file, which then wouldn't
         # match the configuration priority that is documented.
         set_env_var_if_provided() {
           local var_name="$1"
           local input_value="$2"
           local default_value="$3"
-        
+
           if [ -n "$input_value" ] && [ "$input_value" != "$default_value" ]; then
             # If action was provided with explicit input by the caller set that
             # Use printf %q to safely escape special characters and prevent command injection
             printf 'export %s=%q\n' "$var_name" "$input_value" >> trivy_envs.txt
           fi
         }
-        
+
         # Set environment variables, handling those with default values
         # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
-        set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""
-        set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" ""
-        set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false"
-        set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library"
-        set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-        set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table"
-        set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" ""
-        set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" ""
-        set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" ""
-        set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" ""
-        set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" ""
-        set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" ""
-        set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" ""
-        set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false"
-        set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" ""
-        set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" ""
-        set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" ""
-        set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" ""
+        set_env_var_if_provided "TRIVY_INPUT" "$INPUT_INPUT" ""
+        set_env_var_if_provided "TRIVY_EXIT_CODE" "$INPUT_EXIT_CODE" ""
+        set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "$INPUT_IGNORE_UNFIXED" "false"
+        set_env_var_if_provided "TRIVY_PKG_TYPES" "$INPUT_VULN_TYPE" "os,library"
+        set_env_var_if_provided "TRIVY_SEVERITY" "$INPUT_SEVERITY" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+        set_env_var_if_provided "TRIVY_FORMAT" "$INPUT_FORMAT" "table"
+        set_env_var_if_provided "TRIVY_TEMPLATE" "$INPUT_TEMPLATE" ""
+        set_env_var_if_provided "TRIVY_OUTPUT" "$INPUT_OUTPUT" ""
+        set_env_var_if_provided "TRIVY_SKIP_DIRS" "$INPUT_SKIP_DIRS" ""
+        set_env_var_if_provided "TRIVY_SKIP_FILES" "$INPUT_SKIP_FILES" ""
+        set_env_var_if_provided "TRIVY_TIMEOUT" "$INPUT_TIMEOUT" ""
+        set_env_var_if_provided "TRIVY_IGNORE_POLICY" "$INPUT_IGNORE_POLICY" ""
+        set_env_var_if_provided "TRIVY_QUIET" "$INPUT_HIDE_PROGRESS" ""
+        set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "$INPUT_LIST_ALL_PKGS" "false"
+        set_env_var_if_provided "TRIVY_SCANNERS" "$INPUT_SCANNERS" ""
+        set_env_var_if_provided "TRIVY_CONFIG" "$INPUT_TRIVY_CONFIG" ""
+        set_env_var_if_provided "TRIVY_TF_VARS" "$INPUT_TF_VARS" ""
+        set_env_var_if_provided "TRIVY_DOCKER_HOST" "$INPUT_DOCKER_HOST" ""
 
     - name: Run Trivy
       shell: bash

entrypoint.sh

@@ -1,6 +1,9 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -euo pipefail
 
+# Allow overriding trivy binary via env
+TRIVY_CMD="${TRIVY_CMD:-trivy}"
+
 # Read TRIVY_* envs from file, previously they were written to the GITHUB_ENV file but GitHub Actions automatically 
 # injects those into subsequent job steps which means inputs from one trivy-action invocation were leaking over to 
 # any subsequent invocation which led to unexpected/undesireable behaviour from a user perspective
@@ -18,22 +21,55 @@ fi
 
 # Handle trivy ignores
 if [ -n "${INPUT_TRIVYIGNORES:-}" ]; then
-  ignorefile="./trivyignores"
 
-  # Clear the ignore file if it exists, or create a new empty file
-  : > "$ignorefile"
+  yaml_count=0
+  plain_count=0
 
+  # Validate files and detect types
   for f in ${INPUT_TRIVYIGNORES//,/ }; do
-    if [ -f "$f" ]; then
-      echo "Found ignorefile '${f}':"
-      cat "${f}"
-      cat "${f}" >> "$ignorefile"
-    else
+    if [ ! -f "$f" ]; then
       echo "ERROR: cannot find ignorefile '${f}'." >&2
       exit 1
     fi
+
+    case "$f" in
+      *.yml|*.yaml) yaml_count=$((yaml_count + 1)) ;;
+      *) plain_count=$((plain_count + 1)) ;;
+    esac
   done
-  export TRIVY_IGNOREFILE="$ignorefile"
+
+  # Mixed types are not allowed
+  if [ "$yaml_count" -gt 0 ] && [ "$plain_count" -gt 0 ]; then
+    echo "ERROR: Cannot mix YAML and plain trivy ignore files." >&2
+    exit 1
+  fi
+
+  # YAML mode
+  if [ "$yaml_count" -gt 0 ]; then
+    if [ "$yaml_count" -gt 1 ]; then
+      echo "ERROR: Multiple YAML ignore files provided. Only one YAML file is supported." >&2
+      exit 1
+    fi
+
+    # Use the single YAML file
+    yaml_file=$(echo ${INPUT_TRIVYIGNORES//,/ } | awk '{print $1}')
+    echo "Using YAML ignorefile '$yaml_file':"
+    cat "$yaml_file"
+    export TRIVY_IGNOREFILE="$yaml_file"
+
+  else
+    # Plain mode (old behaviour)
+    ignorefile="./trivyignores"
+    : > "$ignorefile"
+
+    for f in ${INPUT_TRIVYIGNORES//,/ }; do
+      echo "Found ignorefile '$f':"
+      cat "$f"
+      cat "$f" >> "$ignorefile"
+    done
+
+    export TRIVY_IGNOREFILE="$ignorefile"
+  fi
 fi
 
 # Handle SARIF
@@ -47,7 +83,7 @@ if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then
 fi
 
 # Run Trivy
-cmd=(trivy "$scanType" "$scanRef")
+cmd=("$TRIVY_CMD" "$scanType" "$scanRef")
 echo "Running Trivy with options: ${cmd[*]}"
 "${cmd[@]}"
 returnCode=$?

test/data/config-scan/report.json

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
   "Trivy": {
-    "Version": "0.69.1"
+    "Version": "0.70.0"
   },
   "ArtifactName": "test/data/config-scan",
   "ArtifactType": "filesystem",

test/data/secret-scan/report.json

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
   "Trivy": {
-    "Version": "0.69.1"
+    "Version": "0.70.0"
   },
   "ArtifactID": "sha256:79ce4c2f8371bef1ce2a321518d3136bc1bd8f3c307ed679944a38e7cbd76c14",
   "ArtifactName": "https://github.com/krol3/demo-trivy/",

test/data/with-tf-vars/report.json

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
   "Trivy": {
-    "Version": "0.69.1"
+    "Version": "0.70.0"
   },
   "ArtifactName": "test/data/with-tf-vars/main.tf",
   "ArtifactType": "filesystem",

test/data/with-trivy-yaml-cfg/report.json

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
   "Trivy": {
-    "Version": "0.69.1"
+    "Version": "0.70.0"
   },
   "ArtifactID": "sha256:aab05ff324c90bb728aa5177b75d7e39d363be13323873de70959d2251edcebc",
   "ArtifactName": "alpine:3.10",

test/data/with-trivy-yaml-cfg/trivy.yaml

@@ -1,5 +1,3 @@
-format: json
 severity: CRITICAL
 vulnerability:
-  type: os
-output: yamlconfig.json
+  type: os

test/data/with-yaml-ignore-file/.trivyignore.yaml

@@ -0,0 +1,3 @@
+vulnerabilities:
+  - id: CVE-2018-14618
+  - id: CVE-2018-16839

test/data/with-yaml-ignore-file/report

@@ -0,0 +1,102 @@
+
+Report Summary
+
+┌──────────────────────────────────────────┬────────┬─────────────────┬─────────┐
+│                  Target                  │  Type  │ Vulnerabilities │ Secrets │
+├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
+│ knqyf263/vuln-image:1.2.3 (alpine 3.7.1) │ alpine │       16        │    -    │
+├──────────────────────────────────────────┼────────┼─────────────────┼─────────┤
+│ rust-app/Cargo.lock                      │ cargo  │        4        │    -    │
+└──────────────────────────────────────────┴────────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+
+
+knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
+========================================
+Total: 16 (CRITICAL: 16)
+
+┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
+├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ curl        │ CVE-2018-16840 │ CRITICAL │ fixed  │ 7.61.0-r0         │ 7.61.1-r1     │ curl: Use-after-free when closing "easy" handle in           │
+│             │                │          │        │                   │               │ Curl_close()                                                 │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16840                   │
+│             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
+│             │ CVE-2018-16842 │          │        │                   │               │ curl: Heap-based buffer over-read in the curl tool warning   │
+│             │                │          │        │                   │               │ formatting                                                   │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16842                   │
+│             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
+│             │ CVE-2019-3822  │          │        │                   │ 7.61.1-r2     │ curl: NTLMv2 type-3 header stack buffer overflow             │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3822                    │
+│             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
+│             │ CVE-2019-5481  │          │        │                   │ 7.61.1-r3     │ curl: double free due to subsequent call of realloc()        │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5481                    │
+│             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
+│             │ CVE-2019-5482  │          │        │                   │               │ curl: heap buffer overflow in function tftp_receive_packet() │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5482                    │
+├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ git         │ CVE-2018-17456 │          │        │ 2.15.2-r0         │ 2.15.3-r0     │ git: arbitrary code execution via .gitmodules                │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-17456                   │
+│             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
+│             │ CVE-2019-1353  │          │        │                   │ 2.15.4-r0     │ git: NTFS protections inactive when running Git in the       │
+│             │                │          │        │                   │               │ Windows Subsystem for...                                     │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1353                    │
+├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: bzip2: Data integrity error when decompressing (with  │
+│             │                │          │        │                   │               │ data integrity tests fail)....                               │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
+├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ libcurl     │ CVE-2018-16840 │          │        │ 7.61.1-r0         │ 7.61.1-r1     │ curl: Use-after-free when closing "easy" handle in           │
+│             │                │          │        │                   │               │ Curl_close()                                                 │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16840                   │
+│             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
+│             │ CVE-2018-16842 │          │        │                   │               │ curl: Heap-based buffer over-read in the curl tool warning   │
+│             │                │          │        │                   │               │ formatting                                                   │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-16842                   │
+│             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
+│             │ CVE-2019-3822  │          │        │                   │ 7.61.1-r2     │ curl: NTLMv2 type-3 header stack buffer overflow             │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3822                    │
+│             ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
+│             │ CVE-2019-5481  │          │        │                   │ 7.61.1-r3     │ curl: double free due to subsequent call of realloc()        │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5481                    │
+│             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
+│             │ CVE-2019-5482  │          │        │                   │               │ curl: heap buffer overflow in function tftp_receive_packet() │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-5482                    │
+├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ musl        │ CVE-2019-14697 │          │        │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack     │
+│             │                │          │        │                   │               │ adjustment im ......                                         │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697                   │
+├─────────────┤                │          │        │                   │               │                                                              │
+│ musl-utils  │                │          │        │                   │               │                                                              │
+│             │                │          │        │                   │               │                                                              │
+│             │                │          │        │                   │               │                                                              │
+├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ sqlite-libs │ CVE-2019-8457  │          │        │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
+│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
+└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
+
+rust-app/Cargo.lock (cargo)
+===========================
+Total: 4 (CRITICAL: 4)
+
+┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
+├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ rand_core │ CVE-2020-25576 │ CRITICAL │ fixed  │ 0.4.0             │ 0.4.2, 0.3.1  │ An issue was discovered in the rand_core crate before 0.4.2 │
+│           │                │          │        │                   │               │ for Rust....                                                │
+│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-25576                  │
+├───────────┼────────────────┤          │        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ smallvec  │ CVE-2019-15551 │          │        │ 0.6.9             │ 0.6.10        │ An issue was discovered in the smallvec crate before 0.6.10 │
+│           │                │          │        │                   │               │ for Rust....                                                │
+│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15551                  │
+│           ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
+│           │ CVE-2019-15554 │          │        │                   │               │ An issue was discovered in the smallvec crate before 0.6.10 │
+│           │                │          │        │                   │               │ for Rust....                                                │
+│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15554                  │
+│           ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
+│           │ CVE-2021-25900 │          │        │                   │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
+│           │                │          │        │                   │               │ and 1.x...                                                  │
+│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-25900                  │
+└───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

test/test.bats

@@ -1,41 +1,39 @@
 #!/usr/bin/env bats
 
+bats_load_library bats-support
+bats_load_library bats-assert
+bats_load_library bats-file
+
 setup_file() {
-  local owner=$GITHUB_REPOSITORY_OWNER
-  export TRIVY_DB_REPOSITORY=ghcr.io/${owner}/trivy-db-act:latest
-  export TRIVY_JAVA_DB_REPOSITORY=ghcr.io/${owner}/trivy-java-db-act:latest
-  export TRIVY_CHECKS_BUNDLE_REPOSITORY=ghcr.io/${owner}/trivy-checks-act:latest
-  export TRIVY_LIST_ALL_PKGS=false
+  setup_trivy_env
+  # bats provides fd 3 for printing directly to the terminal
+  # see https://bats-core.readthedocs.io/en/stable/writing-tests.html#printing-to-the-terminal
+  docker pull knqyf263/vuln-image:1.2.3 1>&3 2>&3
+  trivy image --no-progress --download-db-only 1>&3 2>&3
 }
 
 setup() {
-  bats_load_library bats-support
-  bats_load_library bats-assert
-  bats_load_library bats-file
+  export TRIVY_OUTPUT="$BATS_TEST_TMPDIR/output.test"
+  export TRIVY_SKIP_DB_UPDATE=true
+  export TRIVY_SKIP_JAVA_DB_UPDATE=true
 }
 
-function remove_json_fields() {
-  local file="$1"
-  if [[ "$file" == *.json ]]; then
-      jq 'del(.CreatedAt, .ReportID)' "$file" > tmp && mv tmp "$file"
-  fi
+teardown() {
+  reset_envs
 }
 
-function remove_sarif_fields() {
-  local file="$1"
-  if [[ "$file" == *.sarif ]]; then
-      jq 'del(.runs[].tool.driver.version) | del(.runs[].originalUriBaseIds)' "$file" > tmp && mv tmp "$file"
-  fi
+setup_trivy_env() {
+  export TRIVY_DB_REPOSITORY="ghcr.io/aquasecurity/trivy-db@sha256:7f8b879d4c23469b09c874b18d64a7eedea95f0ce08ea1862a783dc8d799be6f"
+  export TRIVY_JAVA_DB_REPOSITORY="ghcr.io/aquasecurity/trivy-java-db@sha256:f60faf3353edb6556f676c83c8b26d8a60398feab31ab2ec591537707a7354ba"
+  export TRIVY_CHECKS_BUNDLE_REPOSITORY="ghcr.io/aquasecurity/trivy-checks@sha256:b63166ca02aa09e30a5127320384d7bd0d2760dc19bab3ab7041a6070114ba45" # v2.2.0
+
+  export TRIVY_LIST_ALL_PKGS=false
+  export TRIVY_DISABLE_VEX_NOTICE=true
+  export TRIVY_SKIP_VERSION_CHECK=true
+  export TRIVY_DISABLE_TELEMETRY=true
 }
 
-function remove_github_fields() {
-  local file="$1"
-  if [[ "$file" == *.gsbom  ]]; then
-      jq 'del(.detector.version) | del(.scanned) | del(.job) | del(.ref) | del(.sha)' "$file" > tmp && mv tmp "$file"
-  fi
-}
-
-function reset_envs() {
+reset_envs() {
   local var
   for var in $(env | grep '^TRIVY_\|^INPUT_' | cut -d= -f1); do
     unset "$var"
@@ -43,133 +41,161 @@ function reset_envs() {
   rm -f trivy_envs.txt
 }
 
-function compare_files() {
-  local file1="$1"
-  local file2="$2"
+compare_files() {
+  local actual="$1"
+  local expected="$2"
 
   # Some fields should be removed as they are environment dependent 
   # and may cause undesirable results when comparing files.
-  remove_json_fields "$file1"
-  remove_json_fields "$file2"
-
-  remove_sarif_fields "$file1"
-  remove_sarif_fields "$file2"
-
-  remove_github_fields "$file1"
-  remove_github_fields "$file2"
+  normalize_report "$actual"
+  normalize_report "$expected"
   
   if [ "${UPDATE_GOLDEN}" = "1" ]; then
-    cp "$file1" "$file2"
-    echo "Updated golden file: $file2"
+    cp "$actual" "$expected"
+    echo "Updated golden file: $expected"
   else
-    run diff "$file1" "$file2"
+    run diff "$actual" "$expected"
     echo "$output"
-    assert_files_equal "$file1" "$file2"
+    assert_files_equal "$actual" "$expected"
   fi
 
-  rm -f "$file1"
+  rm -f "$actual"
+}
+
+
+normalize_report() {
+  local file="$1"
+
+  case "$TRIVY_FORMAT" in
+    json)
+      apply_jq_filter "$file" \
+        'del(.CreatedAt, .ReportID)'
+      ;;
+    sarif)
+      apply_jq_filter "$file" \
+        'del(.runs[].tool.driver.version)
+         | del(.runs[].originalUriBaseIds)'
+      ;;
+    github)
+      apply_jq_filter "$file" \
+        'del(.detector.version)
+         | del(.scanned)
+         | del(.job)
+         | del(.ref)
+         | del(.sha)'
+      ;;
+  esac
+}
+
+apply_jq_filter() {
+  local file="$1"
+  local filter="$2"
+  local tmp="$BATS_TEST_TMPDIR/jq.tmp"
+
+  jq "$filter" "$file" > "$tmp" && mv "$tmp" "$file"
+}
+
+run_test_case_compare() {
+  local expected_file="$1"
+
+  run ./entrypoint.sh
+  assert_success
+
+  compare_files "$TRIVY_OUTPUT" "$expected_file"
+}
+
+run_test_case_fails() {
+  local expected_msg="$1"
+
+  run ./entrypoint.sh
+  assert_failure
+
+  if [ -n "$expected_msg" ]; then
+    assert_output --partial "$expected_msg"
+  fi
 }
 
 @test "trivy repo with securityCheck secret only" {
   # trivy repo -f json -o repo.test --scanners=secret https://github.com/krol3/demo-trivy/
-  export TRIVY_FORMAT=json TRIVY_OUTPUT=repo.json TRIVY_SCANNERS=secret INPUT_SCAN_TYPE=repo INPUT_SCAN_REF="https://github.com/krol3/demo-trivy/"
-  ./entrypoint.sh
-  compare_files repo.json ./test/data/secret-scan/report.json
-  reset_envs
+  export TRIVY_FORMAT=json TRIVY_SCANNERS=secret INPUT_SCAN_TYPE=repo INPUT_SCAN_REF="https://github.com/krol3/demo-trivy/"
+  run_test_case_compare ./test/data/secret-scan/report.json
 }
 
 @test "trivy image" {
   # trivy image --severity CRITICAL -o image.test knqyf263/vuln-image:1.2.3
-  export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh
-  compare_files image.test ./test/data/image-scan/report
-  reset_envs
+  export TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
+  run_test_case_compare ./test/data/image-scan/report
 }
 
 @test "trivy config sarif report" {
   # trivy config -f sarif -o  config-sarif.test ./test/data/config-sarif-report
-  export TRIVY_FORMAT=sarif TRIVY_OUTPUT=config-sarif.sarif INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-sarif-report
-  ./entrypoint.sh
-  compare_files config-sarif.sarif ./test/data/config-sarif-report/report.sarif
-  reset_envs
+  export TRIVY_FORMAT=sarif INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-sarif-report
+  run_test_case_compare ./test/data/config-sarif-report/report.sarif
 }
 
 @test "trivy config" {
   # trivy config -f json -o config.json ./test/data/config-scan
-  export TRIVY_FORMAT=json TRIVY_OUTPUT=config.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-scan
-  ./entrypoint.sh
-  compare_files config.json ./test/data/config-scan/report.json
-  reset_envs
+  export TRIVY_FORMAT=json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/config-scan
+  run_test_case_compare ./test/data/config-scan/report.json
 }
 
 @test "trivy rootfs" {
   # trivy rootfs --output rootfs.test ./test/data/rootfs-scan
   # TODO: add data
-  export TRIVY_OUTPUT=rootfs.test INPUT_SCAN_TYPE=rootfs INPUT_SCAN_REF=./test/data/rootfs-scan
-  ./entrypoint.sh
-  compare_files rootfs.test ./test/data/rootfs-scan/report
-  reset_envs
+  export INPUT_SCAN_TYPE=rootfs INPUT_SCAN_REF=./test/data/rootfs-scan
+  run_test_case_compare ./test/data/rootfs-scan/report
 }
 
 @test "trivy fs" {
   # trivy fs --output fs.test ./test/data/fs-scan
   # TODO: add data
-  export TRIVY_OUTPUT=fs.test INPUT_SCAN_TYPE=fs INPUT_SCAN_REF=./test/data/fs-scan
-  ./entrypoint.sh
-  compare_files fs.test ./test/data/fs-scan/report
-  reset_envs
+  export INPUT_SCAN_TYPE=fs INPUT_SCAN_REF=./test/data/fs-scan
+  run_test_case_compare ./test/data/fs-scan/report
 }
 
 @test "trivy image with trivyIgnores option" {
   # cat ./test/data/with-ignore-files/.trivyignore1 ./test/data/with-ignore-files/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL  --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
-  export TRIVY_OUTPUT=image-trivyignores.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_IMAGE_REF=knqyf263/vuln-image:1.2.3 INPUT_TRIVYIGNORES="./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2"
-  ./entrypoint.sh
-  compare_files image-trivyignores.test ./test/data/with-ignore-files/report
-  reset_envs
+  export TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_IMAGE_REF=knqyf263/vuln-image:1.2.3 INPUT_TRIVYIGNORES="./test/data/with-ignore-files/.trivyignore1,./test/data/with-ignore-files/.trivyignore2"
+  run_test_case_compare ./test/data/with-ignore-files/report
+}
+
+@test "trivy image with .trivyignore.yaml" {
+  # trivy image --severity CRITICAL  --output with-yaml-ignore-file.test --ignorefile ./test/data/with-yaml-ignore-file/.trivyignore.yaml
+  export TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_IMAGE_REF=knqyf263/vuln-image:1.2.3 INPUT_TRIVYIGNORES=./test/data/with-yaml-ignore-file/.trivyignore.yaml
+  run_test_case_compare ./test/data/with-yaml-ignore-file/report
 }
 
 @test "trivy image with sbom output" {
   # trivy image --format github knqyf263/vuln-image:1.2.3
-  export TRIVY_FORMAT=github TRIVY_OUTPUT=github-dep-snapshot.gsbom INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
-  ./entrypoint.sh
-  compare_files github-dep-snapshot.gsbom ./test/data/github-dep-snapshot/report.gsbom
-  reset_envs
+  export TRIVY_FORMAT=github INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3
+  run_test_case_compare ./test/data/github-dep-snapshot/report.gsbom
 }
 
 @test "trivy image with trivy.yaml config" {
   # trivy --config=./test/data/with-trivy-yaml-cfg/trivy.yaml image alpine:3.10
-  export TRIVY_CONFIG=./test/data/with-trivy-yaml-cfg/trivy.yaml INPUT_SCAN_TYPE=image INPUT_SCAN_REF=alpine:3.10
-  ./entrypoint.sh
-  compare_files yamlconfig.json ./test/data/with-trivy-yaml-cfg/report.json
-  reset_envs
+  export TRIVY_CONFIG=./test/data/with-trivy-yaml-cfg/trivy.yaml TRIVY_FORMAT=json INPUT_SCAN_TYPE=image INPUT_SCAN_REF=alpine:3.10
+  run_test_case_compare ./test/data/with-trivy-yaml-cfg/report.json
 }
 
 @test "trivy image with custom docker-host" {
   # trivy image --docker-host unix:///var/run/docker.sock --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
-  export TRIVY_OUTPUT=image.test TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3 TRIVY_DOCKER_HOST=unix:///var/run/docker.sock
-  ./entrypoint.sh
-  compare_files image.test ./test/data/image-scan/report
-  reset_envs
+  export TRIVY_SEVERITY=CRITICAL INPUT_SCAN_TYPE=image INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3 TRIVY_DOCKER_HOST=unix:///var/run/docker.sock
+  run_test_case_compare ./test/data/image-scan/report
 }
 
 @test "trivy config with terraform variables" {
   # trivy config -f json -o tfvars.json --severity  MEDIUM  --tf-vars  ./test/data/with-tf-vars/dev.tfvars ./test/data/with-tf-vars/main.tf
-  export TRIVY_FORMAT=json TRIVY_SEVERITY=MEDIUM TRIVY_OUTPUT=tfvars.json INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/with-tf-vars/main.tf TRIVY_TF_VARS=./test/data/with-tf-vars/dev.tfvars
-  ./entrypoint.sh
-  compare_files tfvars.json ./test/data/with-tf-vars/report.json
-  reset_envs
+  export TRIVY_FORMAT=json TRIVY_SEVERITY=MEDIUM INPUT_SCAN_TYPE=config INPUT_SCAN_REF=./test/data/with-tf-vars/main.tf TRIVY_TF_VARS=./test/data/with-tf-vars/dev.tfvars
+  run_test_case_compare ./test/data/with-tf-vars/report.json
 }
 
 @test "trivy image via environment file" {
   # trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
   # Action injects inputs into the script via environment variables
-  echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
   echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
   echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
   echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt 
-  ./entrypoint.sh
-  compare_files image.test ./test/data/image-scan/report
-  reset_envs
+  run_test_case_compare ./test/data/image-scan/report
 }
 
 @test "trivy image via environment file overrides env leakages" {
@@ -178,11 +204,70 @@ function compare_files() {
   # If caller mixes old and new trivy-action version they could still have env leakage so verify that env vars already
   # in the env are overridden by those from the envs file
   export INPUT_SCAN_REF=no/such-image:1.2.3
-  echo "export TRIVY_OUTPUT=image.test" >> trivy_envs.txt
   echo "export TRIVY_SEVERITY=CRITICAL" >> trivy_envs.txt
   echo "export INPUT_SCAN_TYPE=image" >> trivy_envs.txt
   echo "export INPUT_SCAN_REF=knqyf263/vuln-image:1.2.3" >> trivy_envs.txt 
-  ./entrypoint.sh
-  compare_files image.test ./test/data/image-scan/report
-  reset_envs
-}
+  run_test_case_compare ./test/data/image-scan/report
+}
+
+@test "error if ignorefile does not exist" {
+  local missing_file="$BATS_TEST_TMPDIR/missing.ignore"
+
+  export INPUT_TRIVYIGNORES="$missing_file" \
+         INPUT_SCAN_TYPE=fs \
+         INPUT_SCAN_REF=./test/data/fs-scan
+
+  run_test_case_fails "cannot find ignorefile '$missing_file'"
+}
+
+@test "error with mixed yaml and plain ignore files" {
+  local plain_ignore="$BATS_TEST_TMPDIR/ignore-plain"
+  local yaml_ignore="$BATS_TEST_TMPDIR/ignore.yaml"
+  
+  touch "$plain_ignore" "$yaml_ignore"
+
+  export INPUT_TRIVYIGNORES="$plain_ignore,$yaml_ignore" \
+         INPUT_SCAN_TYPE=fs \
+         INPUT_SCAN_REF=./test/data/fs-scan
+
+  run_test_case_fails "Cannot mix YAML and plain trivy ignore files"
+}
+
+@test "error if multiple YAML files provided" {
+  local yaml1="$BATS_TEST_TMPDIR/ignore1.yaml"
+  local yaml2="$BATS_TEST_TMPDIR/ignore2.yaml"
+  touch "$yaml1" "$yaml2"
+
+  export INPUT_TRIVYIGNORES="$yaml1,$yaml2" \
+         INPUT_SCAN_TYPE=fs \
+         INPUT_SCAN_REF=./test/data/fs-scan
+
+  run_test_case_fails "Multiple YAML ignore files provided"
+}
+
+@test "works with a single YAML file" {
+  local yaml="$BATS_TEST_TMPDIR/ignore.yaml"
+  touch "$yaml"
+
+  export INPUT_TRIVYIGNORES="$yaml" \
+         INPUT_SCAN_TYPE=fs \
+         INPUT_SCAN_REF=./test/data/fs-scan
+
+  run ./entrypoint.sh
+  assert_output --partial "Using YAML ignorefile '$yaml'"
+}
+
+@test "works with multiple plain ignore files" {
+  local plain1="$BATS_TEST_TMPDIR/ignore1"
+  local plain2="$BATS_TEST_TMPDIR/ignore2"
+  echo "CVE-1" > "$plain1"
+  echo "CVE-2" > "$plain2"
+
+  export INPUT_TRIVYIGNORES="$plain1,$plain2" \
+         INPUT_SCAN_TYPE=fs \
+         INPUT_SCAN_REF=./test/data/fs-scan
+
+  run ./entrypoint.sh
+  assert_output --partial "Found ignorefile '$plain1'"
+  assert_output --partial "Found ignorefile '$plain2'"
+}

zizmor.yaml

@@ -0,0 +1,5 @@
+rules:
+  # GitHub environments are not currently used, so secrets are accessed outside of them.
+  # See: https://docs.zizmor.sh/audits/#secrets-outside-env
+  secrets-outside-env:
+    disable: true