Skip to content

trivy-scan-dispatch #895

trivy-scan-dispatch

trivy-scan-dispatch #895

##
# This action runs Trivy container and repository vulnerability
# scanner for Docker images and filesystem.
##
name: trivy-security-scan
on:
repository_dispatch:
types: [trivy-scan-dispatch]
jobs:
trivy_scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Image availability check with retry logic
- name: Check Docker image availability with retry
id: check-image
if: github.event.client_payload.image != ''
run: |
image="${{ github.event.client_payload.image }}"
interval=300
retry_limit=5
attempt=0
while ! docker pull $image; do
attempt=$((attempt + 1))
if [ "$attempt" -gt "$retry_limit" ]; then
echo "::error::Image $image is not available after $retry_limit attempts."
exit 1
fi
echo "Waiting for $image to be available. Attempt $attempt/$retry_limit. Retrying in $interval seconds..."
sleep $interval
done
echo "Image $image is now available."
# Image scanning
- name: Run Trivy vulnerability scanner on image
if: github.event.client_payload.image != ''
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: ${{ github.event.client_payload.image }}
cache: 'true'
format: "sarif"
output: "trivy-image-results.sarif"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
env:
TRIVY_CACHE_DIR: .cache/trivy
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# Upload image scan results
- name: Upload Trivy image scan results
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: "trivy-image-results.sarif"
category: trivy-image
# Filesystem scanning
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
scan-type: 'fs'
cache: 'true'
format: 'sarif'
output: 'trivy-fs-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
env:
TRIVY_CACHE_DIR: .cache/trivy
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# Upload filesystem scan results
- name: Upload Trivy filesystem scan results
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: 'trivy-fs-results.sarif'
category: trivy-fs