## Problem

Several security vulnerabilities and issues were identified across the `run-trivy` and `install-trivy` actions beyond the `ignored_licenses` fix in #9.

### run-trivy

- **Word splitting:** `skip_dirs` and `skip_files` inputs used unquoted expansion, which could cause incorrect behavior with paths containing spaces
- **Log injection:** Trivy output was echoed without `::stop-commands::` guards, allowing workflow command injection via crafted scan output

### install-trivy

- **Code injection:** `${{ inputs.version }}` was interpolated directly into the shell script
- **Deprecated `apt-key`:** `apt-key add` is deprecated since Ubuntu 22.04 and may fail on newer runners
- **Duplicate sources:** `tee -a` appends duplicate entries to the sources list on repeated runs

## Fix

- Use `${VAR:+--flag "$VAR"}` for `skip_dirs`/`skip_files` to prevent word splitting
- Wrap Trivy output in `::stop-commands::` guards to prevent log injection
- Move `version` input to an env variable
- Replace `apt-key` with `gpg --dearmor` into `/etc/apt/keyrings/` with `signed-by`
- Use `tee` without `-a`
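The hardened shell patterns from the Fix list, as an added example that is not the actions' own code; it can be run outside a GitHub Actions job. The function names and the `SOURCES_LINE_PLACEHOLDER` stand-in for the repository line are assumptions, since the PR does not spell them out.

```shell
#!/bin/sh
# Added example, not the run-trivy/install-trivy action code: the hardened
# shell patterns from the Fix list, runnable outside a GitHub Actions job.
# Function names and SOURCES_LINE_PLACEHOLDER are illustration assumptions.
set -eu

# ${VAR:+--flag "$VAR"} expands to nothing when VAR is empty and to exactly
# two words otherwise, so a value containing spaces stays one argument.
# Prints the resulting trivy argument list, one argument per line.
build_trivy_args() {
  skip_dirs="${1:-}"
  skip_files="${2:-}"
  set -- fs --scanners vuln
  # shellcheck disable=SC2086  # the inner "$skip_dirs" is quoted: no splitting
  set -- "$@" ${skip_dirs:+--skip-dirs "$skip_dirs"} \
              ${skip_files:+--skip-files "$skip_files"}
  printf '%s\n' "$@"
}

# Relay untrusted scanner output from stdin between ::stop-commands:: guards
# so lines shaped like workflow commands (::error::, ::set-output::, ...)
# are logged verbatim instead of being interpreted by the runner. The token
# is random so the scanned content cannot guess how to re-enable commands.
print_guarded() {
  token="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  echo "::stop-commands::${token}"
  cat
  echo "::${token}::"
}

# The version now arrives via the environment rather than ${{ }} template
# interpolation, so the shell never parses it; this allow-list is an extra
# layer that accepts only "latest" or a vX.Y.Z tag.
validate_version() {
  printf '%s' "$1" | grep -Eq '^(latest|v[0-9]+\.[0-9]+\.[0-9]+)$'
}

# Write the apt sources entry with tee (no -a): a repeated run overwrites
# the file instead of appending a duplicate line. Prints the line count.
write_sources() {
  keyring="/etc/apt/keyrings/trivy.gpg"  # dearmored key, as in the Fix list
  echo "deb [signed-by=${keyring}] SOURCES_LINE_PLACEHOLDER" \
    | tee "$1" >/dev/null
  wc -l <"$1" | tr -d ' '
}
```

Running `print_guarded` on a captured scan log shows that a line such as `::error::...` is printed but has no effect on the job, and calling `write_sources` twice on the same path leaves a single line.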