Skip to content

thadiust/trivy-scan

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
action.yml
action.yml
 
 

Repository files navigation

trivy-scan

Composite GitHub Action that runs Trivy in Wave 1 style:

  • mode=fstrivy fs (filesystem scan).
  • mode=configtrivy config (IaC/config scan).
  • mode=both → runs both and merges SARIF runs into one report.

The action always produces machine-readable JSON internally to compute finding_count, and optionally writes a SARIF 2.1 report for upload via github/codeql-action/upload-sarif.

Caller responsibilities

  • Run on ubuntu-latest (Linux amd64 tarball install). jq must be available (included on GitHub-hosted runners; install it on self-hosted runners).
  • actions/checkout must run before this action.

Behavior

  • 0 findingsscan_status=clean, step succeeds.
  • ≥ 1 findingscan_status=findings_found. If fail_on_findings=true, the step exits 1.
  • Scanner/runtime errorsscan_status=scanner_error, step exits 2.

Inputs

Input Default Description
trivy_version 0.69.3 Release version (no v prefix); must match a real Trivy release.
working_directory . Directory to scan (relative to repo root).
mode both fs, config, or both.
paths . Space-separated paths relative to working_directory.
severity HIGH,CRITICAL Comma-separated severities.
ignore_unfixed true If true, pass --ignore-unfixed to trivy fs only (vulnerability scanner). Ignored for trivy config (misconfig has no unfixed vuln concept).
fail_on_findings true If true, exit 1 when findings exist.
write_sarif false If true, write SARIF to sarif_filename.
sarif_filename trivy-results.sarif Path relative to working_directory.

Outputs

Output Description
finding_count Total findings across the selected scan mode(s).
scan_status clean, findings_found, or scanner_error.
sarif_path Repo-relative path to SARIF when write_sarif=true; empty otherwise.

Example

- uses: actions/checkout@v4

- uses: thadiust/trivy-scan@main
  with:
    working_directory: "."
    mode: "both"
    paths: "."
    severity: "HIGH,CRITICAL"
    ignore_unfixed: true
    write_sarif: true
    sarif_filename: "reports/trivy-results.sarif"
    fail_on_findings: true

Publish this repository (first time)

workflow-python references uses: thadiust/trivy-scan@main. This folder is its own git repository (not the parent security-pipeline workspace).

  1. On GitHub: New repository → name trivy-scan, owner thadiust, empty (no README / .gitignore from the UI).
  2. From this directory:
cd /path/to/trivy-scan
git remote add origin https://github.com/thadiust/trivy-scan.git   # skip if already added
git push -u origin main
  1. After the first push, thadiust/trivy-scan@main resolves and workflow-python CI can use it.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors