Skip to content

trivy-scan-dispatch #707

trivy-scan-dispatch

trivy-scan-dispatch #707

##
# This action runs trivy container and repository vulnerability
# scanner for docker images and cargo packages.
##
name: trivy-security-scan
on:
repository_dispatch:
types: [ trivy-scan-dispatch ]
jobs:
wait-for-image:
runs-on: ubuntu-latest
outputs:
image-available: ${{ steps.check-image.outputs.available }}
steps:
- name: Check Docker image availability with retry
run: |
image="${{ github.event.client_payload.image }}"
timeout=900 # Timeout in seconds (15 minutes)
interval=300 # Interval between retries in seconds (5 minutes)
retry_limit=5 # Number of retries
attempt=0
while ! docker pull $image; do
attempt=$((attempt + 1))
if [ "$attempt" -gt "$retry_limit" ]; then
echo "Image $image is not available after $retry_limit attempts."
echo "::set-output name=available::false"
exit 1
fi
echo "Attempt $attempt: Waiting for $image to be available. Retrying in $interval seconds..."
sleep $interval
done
echo "$image is now available."
echo "::set-output name=available::true"
shell: bash
trivy_scan_image:
needs: wait-for-image
if: needs.wait-for-image.outputs.image-available == 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner on image
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # @v0.19.0
with:
image-ref: ${{ github.event.client_payload.image }}
format: "sarif"
output: "trivy-results.sarif"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # @v2.23.1
with:
sarif_file: "trivy-results.sarif"
trivy_scan_repo:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # @v0.19.0
with:
scan-type: fs
ignore-unfixed: true
format: sarif
output: trivy-results.sarif
severity: CRITICAL
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: trivy-results.sarif