From d2a392a13760cb64cb6bbd31d4bed2a7d9a5298d Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Fri, 25 Oct 2024 12:45:28 +0600 Subject: [PATCH] fix: bump `setup-trivy` and add new `contrib` directory path info (#424) * chore(deps): use fork for setup-trivy * docs: add info about templates * refactor: use `setup-trivy` v0.2.2 * docs: remove `./` prefix * Merge branch 'main' into 'fix/contrib-dir' * docs: fix link * docs: fix typo Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> --------- Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> --- README.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 63 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 16a07f5..5681401 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ * [Cache](#cache) * [Trivy Setup](#trivy-setup) * [Scanning a Tarball](#scanning-a-tarball) + * [Using Trivy with templates](#using-trivy-with-templates) * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning) * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo) * [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories) 
@@ -323,6 +324,64 @@ jobs: severity: 'CRITICAL,HIGH' ``` +### Using Trivy with templates +The action supports [Trivy templates][trivy-templates]. + +Use `template` input to specify path (remember to prefix the path with `@`) to template file. + +```yaml +name: build +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + scan-ref: . + format: 'template' + template: "@path/to/my_template.tpl" +``` + +#### Default templates +Trivy has [default templates][trivy-default-templates]. + +By default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory. + +```yaml +name: build +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-24.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + scan-ref: . + format: 'template' + template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl" +``` + ### Using Trivy with GitHub Code Scanning If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows: ```yaml 
@@ -771,7 +830,7 @@ Following inputs can be used as `step.with` keys: | `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | | `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) | -| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | +| `template` | String | | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`) | | `tf-vars` | String | | path to Terraform variables file | | `output` | String | | Save results to a file | | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | @@ -791,7 +850,7 @@ Following inputs can be used as `step.with` keys: | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | | `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values | -| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` | +| `version` | String | `v0.56.2` | Trivy version to use, e.g. `latest` or `v0.56.2` | | `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` | | `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository | 
@@ -809,3 +868,5 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables [trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ +[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template +[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates
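Review bot: In hunk `@@ -323,6 +324,64 @@` the sentence "Use `template` input to specify path (remember to prefix the path with `@`) to template file." reads awkwardly; suggest "Use the `template` input to specify the path to the template file (remember to prefix the path with `@`)." The "Default templates" paragraph says the `contrib` directory is populated by `setup-trivy`, so the second example should state that `@$HOME/.local/bin/trivy-bin/contrib/html.tpl` only exists when `skip-setup-trivy` is left at its default of false; a workflow that installs Trivy itself has to point `template` at its own copy of the templates. Minor style points in the same hunk: the two examples mix quoting (`scan-type: "fs"` next to `format: 'template'`), and since readers copy these blocks verbatim, pinning `actions/checkout` and `aquasecurity/trivy-action` to a full commit SHA instead of a mutable tag such as `@v3` would be the safer pattern to document.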
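Review bot: In hunk `@@ -771,7 +830,7 @@` the `template` row of the inputs table now hardcodes `@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl` and `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`, duplicating the install location given in the new "Default templates" section; pointing the row at that section instead (for example "see [Default templates](#default-templates)") keeps the table from going stale if `setup-trivy` ever changes where it installs `contrib`.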
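Review bot: In hunk `@@ -791,7 +850,7 @@` the documented default `version` changes from `v0.56.1` to `v0.56.2`, but the patch stat shows `1 file changed` (README.md only), so nothing here shows the action's own default being bumped to match; if `action.yaml` was updated in a separate commit, reference it in the description, otherwise the documented default and the Trivy version the action actually installs will diverge. The subject line "bump `setup-trivy`" and the message item "use `setup-trivy` v0.2.2" have the same problem: no `setup-trivy` reference appears anywhere in this diff.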
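Review bot: In hunk `@@ -809,3 +868,5 @@` the new `[trivy-templates]` and `[trivy-default-templates]` definitions rely on the fragment anchors `#template` and `#default-templates` of the upstream `latest` docs page; fragment anchors are derived from headings and silently break when a heading is renamed, so please verify both resolve today and consider noting in the "Default templates" section which Trivy version the linked page describes, since the action pins `v0.56.2` by default while the link always tracks `latest`.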