t.behrendt/sec-workflows
1
0
Fork 0
Code Issues 2 Pull Requests 4 Actions Releases Activity

sync

Browse Source
This commit is contained in:
Timo Behrendt
2026-03-25 18:54:57 +01:00
parent bdbbf62d54
commit 276e99b893
3 changed files with 118 additions and 242 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
README.md
View File

@@ -1,10 +1,16 @@
# Trivy Workflows
# Sec Workflows
## Run Trivy Scan (reusable workflow)
## Run Sec Scan (reusable workflow)
Reusable workflow that optionally runs Trivy config and/or image scan, merges the SARIF results, and exposes the merged file as an artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).
Reusable workflow that restores the [OSV-Scanner](https://google.github.io/osv-scanner/) offline vulnerability database via **`setup-osv-db`**, runs **`osv-scanner scan source`** with **`--offline-vulnerabilities`**, and publishes a single SARIF artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).
**Workflow file:** [../.gitea/workflows/run-trivy-scan.yaml](../.gitea/workflows/run-trivy-scan.yaml)
Scanning uses [Google OSV](https://osv.dev/) data (not Trivy). The scanner runs **only** inside Docker with **no container network**, a **read-only** root filesystem (plus a small **`tmpfs`** for `/tmp`), **all capabilities dropped**, and **`no-new-privileges`**. The workspace and the local OSV DB are bind-mounted **read-only**; SARIF is written to a dedicated host directory mounted read-write at `/out` in the container.
**Workflow file:** [.gitea/workflows/run-sec-scan.yaml](.gitea/workflows/run-sec-scan.yaml)
### Offline DB (`setup-osv-db`)
The workflow uses the **`setup-osv-db`** action from the **`sec-actions`** repository (replacing the former `trivy-actions` / `setup-trivy` flow). That action prepares `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` for use with `--offline-vulnerabilities` (see [OSV-Scanner offline mode](https://google.github.io/osv-scanner/usage/offline-mode/)).
## Usage
@@ -12,82 +18,69 @@ Reusable workflow that optionally runs Trivy config and/or image scan, merges th
```yaml
jobs:
trivy:
uses: ./.gitea/workflows/run-trivy-scan.yaml
sec:
uses: ./.gitea/workflows/run-sec-scan.yaml
with:
scan-config: true
scan-images: true
image-scan-files: |
- k8s/31_deployment_redis.yaml
- k8s/32_deployment_gitea.yaml
- dockers/runner/compose.yaml
trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
ecosystems: PyPI,npm,Go
cache-bucket-hours: 6
use-sarif:
needs: trivy
needs: sec
runs-on: ubuntu-latest
steps:
- name: Download merged SARIF
- name: Download SARIF
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
with:
name: ${{ needs.trivy.outputs.merged-sarif-artifact }}
name: ${{ needs.sec.outputs.merged-sarif-artifact }}
path: sarif
# Path to file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
# Path to file: sarif/${{ needs.sec.outputs.merged-sarif-path }}
# - uses: .../tas-upload-sarif@...
# with:
# sarif-file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
# sarif-file: sarif/${{ needs.sec.outputs.merged-sarif-path }}
```
### Call from another repository
Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../trivy-actions/run-trivy-scan@ref`.
Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../sec-actions/run-sec-scan@ref`.
**With absolute URL:**
```yaml
jobs:
trivy:
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
sec:
uses: https://gitea.t000-n.de/t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
with:
ref: 1.4.5 # use same ref as in 'uses' so actions load from trivy-actions
scan-config: true
scan-images: true
image-scan-files: |
- k8s/31_deployment_redis.yaml
trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
ecosystems: github-actions,npm,go,Alpine
```
**With owner/repo path** (same server as the caller):
```yaml
jobs:
trivy:
uses: t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
sec:
uses: t.behrendt/sec-workflows/.gitea/workflows/run-sec-scan.yaml@1.0.0
with:
ref: 1.4.5 # use same ref as in 'uses'
scan-config: true
scan-images: true
image-scan-files: |
- k8s/31_deployment_redis.yaml
ecosystems: github-actions,npm,go,docker
```
When calling from another repo, pass **`ref`** with the same ref as in the workflow path (e.g. `@1.4.5` or commit SHA). The workflow checks out trivy-actions at that ref into `trivy-actions/` and then uses the actions from that checkout (e.g. `./trivy-actions/setup-trivy`).
Pin the same tag or commit in `uses:` that you intend to run. Reusable actions referenced **inside** this workflow (for example `sec-actions/setup-osv-db`) are pinned in the workflow file; update that repo reference when you release new **sec-actions** versions.
### Inputs
| Input | Type | Default | Description |
| ------------------- | ------- | ------- | ----------- |
| `scan-config` | boolean | false | Run Trivy config scan on the repository root. |
| `scan-images` | boolean | false | Run Trivy image scan on images from `image-scan-files`. |
| `image-scan-files` | string | "" | YAML list of files to extract container images from. |
| `trivy-server-url` | string | "" | Optional Trivy server URL for image scan. |
| `ref` | string | "main" | Git ref to checkout (branch, tag, or SHA); use the same ref as in the workflow path when calling from another repo. |
| `repository-url` | string | "https://gitea.t000-n.de/t.behrendt/trivy-actions.git" | Clone URL for trivy-actions; for private repos use a URL with token or SSH. |
At least one of `scan-config` or `scan-images` must be true. If `scan-images` is true, set `image-scan-files`.
| Input | Type | Default | Description |
| --------------------- | ------ | ----------------------------------- | --------------------------------------------------------------------------- |
| `ecosystems` | string | `github-actions,npm,go,docker` | Passed to **`setup-osv-db`** (`docker` maps to **Linux** in that action). |
| `cache-bucket-hours` | number | `24` | Passed to **`setup-osv-db`** for `actions/cache` key bucketing. |
| `osv-scanner-image` | string | `ghcr.io/google/osv-scanner:latest` | Image for the hardened **`docker run`** (offline scan; no network in run). Pin a digest or tag for reproducibility. |
### Outputs
| Output | Description |
| ------------------------ | ----------- |
| `merged-sarif-artifact` | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). |
| `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). |
| Output | Description |
| ----------------------- | ------------------------------------------------------------------- |
| `merged-sarif-artifact` | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). |
| `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). |
After downloading the artifact, the merged SARIF file is at `<download-path>/${{ needs.<job>.outputs.merged-sarif-path }}`.
After downloading the artifact, the SARIF file is at `<download-path>/${{ needs.<job>.outputs.merged-sarif-path }}`.
## Migration from Trivy
Earlier revisions used **Trivy** (`setup-trivy`, `setup-db` from **trivy-actions**) for config, filesystem, and image scans. This workflow now targets **OSV-Scanner** source scans with an **offline OSV database** only. Replacing IaC or container-image vulnerability semantics may require additional tooling outside this repository.