Github Action for running trivy scans
stordco/actions-trivy is used to run trivy scans with various scan types. The current scan types supported:
- name: Trivy scan in fs mode
uses: stordco/[email protected]
with:
scan-type: 'fs'
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}| name | description | default value |
|---|---|---|
github-token |
(optional) Should be set to secrets.GH_PERSONAL_ACCESS_TOKEN in order to interact with Github API. If not set, then PR comments will not be uploaded with the scan output. |
"" |
scan-type |
(required) Specifies the type of scan to be performed (e.g., fs for filesystem scan). |
|
slack-bot-token |
(optional) Should be set to secrets.SLACK_BOT_TOKEN to send messages through Github Actions. If not set, then slack messages will not be posted. |
"" |
slack-channel-id |
(optional) Set to the desired Slack channel ID to receive alerts. If not set, then slack messages will not be posted. | "" |
| name | description | default value |
|---|---|---|
artifact-url |
Returns link to trivy scan artifact. Main branch artifacts are retained for 90 days while others are retained for 1 day. |
For default usage:
- When a merge into the
mainbranch occurs that containsCRITICALvulnerabilities, a notification will be sent to the#trivy-alertsSlack channel containing the number of critical vulnerabilities detected and a link to the full trivy scan report artifact. - When any vulnerabilities
(UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)are detected on PR builds, a comment will be posted to the PR including the full output of the OS and library vulnerabilities detected based on themix.lockdependencies.
- name: Trivy Image Scan
uses: stordco/actions-trivy@v1
with:
scan-type: image
image-ref: gcr.io/stord-ci/app-base:1.2.3_d5cd08e
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
slack-channel-id: ${{ secrets.SLACK_SECURITY_ALERTS }} - name: Trivy Image Scan
uses: stordco/actions-trivy@v1
with:
scan-type: image
image-ref: gcr.io/stord-ci/app-base:1.2.3_d5cd08e
matrix-id: unique-identifier
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
slack-channel-id: ${{ secrets.SLACK_SECURITY_ALERTS }}| name | description | default value |
|---|---|---|
github-token |
(optional) Should be set to secrets.GH_PERSONAL_ACCESS_TOKEN in order to interact with Github API. If not set, then PR comments will not be uploaded with the scan output. |
"" |
image-ref |
(optional) Specifies the Docker image to be scanned | "" |
matrix-id |
(optional) If matrix jobs are being leveraged, add in an unique matrix job identifier to be leveraged for the notifications. | "" |
scan-type |
(required) Specifies the type of scan to be performed (e.g., image for container image scan). |
|
slack-bot-token |
(optional) Should be set to secrets.SLACK_BOT_TOKEN to send messages through Github Actions. If not set, then slack messages will not be posted. |
"" |
slack-channel-id |
(optional) Set to the desired Slack channel ID to receive alerts. If not set, then slack messages will not be posted. | "" |
| name | description | default value |
|---|---|---|
artifact-url |
Returns link to trivy scan artifact. Main branch artifacts are retained for 90 days while others are retained for 1 day. |
For default usage:
- When a merge into the
mainbranch occurs that containsCRITICALvulnerabilities, a notification will be sent to the#trivy-alertsSlack channel containing the number of critical vulnerabilities detected and a link to the full trivy scan report artifact. - When any vulnerabilities
(UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)are detected on PR builds, a comment will be posted to the PR including the full output of the OS, library vulnerabilities and secrets detected found on the container image.
Releases are handled via release-please. Once a PR is merged, a new PR will be created that bumps all the versions. When that PR is merged the new release will be created and published for consumption.