github-actions/trivy-image-scan/action.yml at c642809b2aae89f9ddc8d033d9b765df3f3b2e24 · hypertrace/github-actions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: Trivy Image Scan
description: 'Trivy Image Scan'
inputs:
  image:
    description: 'image name'
    required: true
  tag:
    description: 'image tag'
    required: false
  ignore-unfixed:
    description: 'ignore unfixed vulnerabilities'
    required: true
    default: 'true'
  vuln-type:
    description: 'comma-separated list of vulnerability types (os,library)'
    required: true
    default: 'os,library'
  severity:
    description: 'severities of vulnerabilities to be displayed'
    required: true
    default: 'HIGH,CRITICAL'
  timeout:
    description: 'timeout (default 5m0s)'
    required: true
    default: '5m0s'
  trivyignores:
    description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
    required: true
    default: '.trivyignore'
  output-mode:
    description: 'Upload to github security via sarif format (github), or output to a file named "trivy.json" (json), or log pretty print output (log)'
    required: true
    default: 'log'
  category:
    description: String used by Code Scanning for matching the analyses
    required: false
    default: ''
runs:
  using: "composite"
  steps:
    - uses: gradle/gradle-build-action@v2
      if: inputs.tag == ''

    - name: Determine container tag
      id: tag
      shell: bash
      run: |
        if [ -n "${{ inputs.tag }}" ]; then
          echo "TRIVY_IMAGE_TAG=${{ inputs.tag }}" >> $GITHUB_OUTPUT
        else
          echo "TRIVY_IMAGE_TAG=$(./gradlew -q printDockerImageDefaultTag | head -1)" >> $GITHUB_OUTPUT
        fi

    - name: Set up output values
      id: output
      shell: bash
      run: |
        TRIVY_FORMAT=""
        TRIVY_OUTPUT=""
        if [ "${{ inputs.output-mode }}" = "github" ]; then
          TRIVY_FORMAT="sarif"
          TRIVY_OUTPUT="''trivy-results.sarif''"
        elif [ "${{ inputs.output-mode }}" = "json" ]; then
          TRIVY_FORMAT="json"
          TRIVY_OUTPUT="trivy-results.json"
        elif [ "${{ inputs.output-mode }}" = "log" ]; then
          TRIVY_FORMAT="table"
        fi
        if [ "${{ github.event_name }}" = "pull_request" -a "${{ github.event.pull_request.head.repo.fork }}" = "true" ]; then
          TRIVY_FORMAT="table"
          TRIVY_OUTPUT=""
        fi
        echo "TRIVY_FORMAT=$TRIVY_FORMAT" >> $GITHUB_OUTPUT
        echo "TRIVY_OUTPUT=$TRIVY_OUTPUT" >> $GITHUB_OUTPUT

    - name: Default ignore file if not exist
      if: inputs.trivyignores == '.trivyignore' # If a non-default ignore is passed, then we can assume it exists
      shell: bash
      run: |
        touch .trivyignore

    - name: merge ignore files
      shell: bash
      run: |
        echo >> .trivyignore # add new line to handle case of no trailing new line in exisiting ignore file
        cat $GITHUB_ACTION_PATH/.trivyignore >> .trivyignore

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        trivyignores: ${{ inputs.trivyignores }}
        image-ref: ${{ inputs.image }}:${{ steps.tag.outputs.TRIVY_IMAGE_TAG }}
        format: ${{ steps.output.outputs.TRIVY_FORMAT }}
        output: ${{ steps.output.outputs.TRIVY_OUTPUT }}
        vuln-type: ${{ inputs.vuln-type }}
        severity: ${{ inputs.severity }}
        ignore-unfixed: ${{ inputs.ignore-unfixed }}
        timeout: ${{ inputs.timeout }}
        limit-severities-for-sarif: true
        exit-code: '1'
      env:
        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db

    - name: Rerun Trivy vulnerability scanner with logging
      if: failure() && inputs.output-mode != 'log'
      uses: aquasecurity/trivy-action@master
      with:
        trivyignores: ${{ inputs.trivyignores }}
        image-ref: ${{ inputs.image }}:${{ steps.tag.outputs.TRIVY_IMAGE_TAG }}
        format: table
        vuln-type: ${{ inputs.vuln-type }}
        severity: ${{ inputs.severity }}
        ignore-unfixed: ${{ inputs.ignore-unfixed }}
        timeout: ${{ inputs.timeout }}
        exit-code: '1'
      env:
        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      if: (success() || failure()) && inputs.output-mode == 'github' && steps.output.outputs.TRIVY_OUTPUT != '' && inputs.category == ''
      with:
        sarif_file: ${{ steps.output.outputs.TRIVY_OUTPUT }}

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      if: (success() || failure()) && inputs.output-mode == 'github' && steps.output.outputs.TRIVY_OUTPUT != '' && inputs.category != ''
      with:
        sarif_file: ${{ steps.output.outputs.TRIVY_OUTPUT }}
        category: ${{ inputs.category }}