From 4b9138d8f8e5064d2953b4b2b7afda38407dcd0f Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Wed, 25 Feb 2026 22:30:42 +0100 Subject: [PATCH] feat: add run-trivy-scan (#2) Reviewed-on: https://gitea.t000-n.de/t.behrendt/trivy-workflows/pulls/2 Co-authored-by: Timo Behrendt Co-committed-by: Timo Behrendt --- .gitea/workflows/run-trivy-scan.yaml | 165 +++++++++++++++++++++++++++ README.md | 93 ++++++++++++++- 2 files changed, 257 insertions(+), 1 deletion(-) create mode 100644 .gitea/workflows/run-trivy-scan.yaml diff --git a/.gitea/workflows/run-trivy-scan.yaml b/.gitea/workflows/run-trivy-scan.yaml new file mode 100644 index 0000000..d6486b1 --- /dev/null +++ b/.gitea/workflows/run-trivy-scan.yaml @@ -0,0 +1,165 @@ +name: Run Trivy Scan + +on: + workflow_call: + inputs: + scan-config: + description: "Run Trivy config scan (repository root)." + required: false + type: boolean + default: false + scan-images: + description: "Run Trivy image scan on images from image-scan-files." + required: false + type: boolean + default: false + image-scan-files: + description: "YAML list of files to extract container images from. Used when scan-images is true." + required: false + type: string + default: "" + trivy-server-url: + description: "Optional Trivy server URL for image scan." + required: false + type: string + default: "" + outputs: + merged-sarif-artifact: + description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)." + value: ${{ jobs.merge.outputs.merged-sarif-artifact }} + merged-sarif-path: + description: "Path to the merged SARIF file inside the artifact (merged-sarif.json)." + value: ${{ jobs.merge.outputs.merged-sarif-path }} + +jobs: + config-scan: + if: inputs.scan-config + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4 + - run: | + trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json . + env: + TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy + - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 + with: + name: config-sarif + path: config-sarif.json + + image-scan: + if: inputs.scan-images + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4 + - name: Get images from files + id: get-images + uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.4 + with: + files: ${{ inputs.image-scan-files }} + - name: Pull images + if: steps.get-images.outputs.images != '[]' + run: | + set -e + images='${{ steps.get-images.outputs.images }}' + for img in $(echo "$images" | jq -r '.[]'); do + docker pull "$img" + done + - name: Scan images + id: scan + if: steps.get-images.outputs.images != '[]' + run: | + set -e + images='${{ steps.get-images.outputs.images }}' + count=$(echo "$images" | jq 'length') + if [ "$count" -eq 0 ]; then + echo "count=0" >> "$GITHUB_OUTPUT" + exit 0 + fi + i=0 + server="${{ inputs.trivy-server-url }}" + for img in $(echo "$images" | jq -r '.[]'); do + args=(image --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img") + [ -n "$server" ] && args+=(--server "$server") + trivy "${args[@]}" + i=$((i + 1)) + done + { + echo "files<> $GITHUB_OUTPUT + echo "count=$i" >> $GITHUB_OUTPUT + env: + TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy + - name: Merge image SARIF files + if: steps.get-images.outputs.images != '[]' && steps.scan.outputs.count != '0' + uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4 + with: + files: ${{ steps.scan.outputs.files }} + output-file: image-sarif.json + - name: Ensure image SARIF exists (no images case) + if: steps.get-images.outputs.images == '[]' || steps.scan.outputs.count == '0' + run: | + echo '{"version":"2.1.0","$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","runs":[]}' > image-sarif.json + - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 + with: + name: image-sarif + path: image-sarif.json + + merge: + runs-on: ubuntu-latest + needs: [config-scan, image-scan] + if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images) + outputs: + merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }} + merged-sarif-path: ${{ steps.outputs.outputs.merged-sarif-path }} + steps: + - name: Require at least one scan + if: ${{ !inputs.scan-config && !inputs.scan-images }} + run: | + echo "Enable scan-config and/or scan-images (and provide image-scan-files for image scan)." + exit 1 + - name: Download config SARIF + if: inputs.scan-config + uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 + with: + name: config-sarif + path: config-sarif-artifact + - name: Download image SARIF + if: inputs.scan-images + uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 + with: + name: image-sarif + path: image-sarif-artifact + - name: Build merge file list + id: file-list + run: | + files="" + if [ "${{ inputs.scan-config }}" = "true" ] && [ -f config-sarif-artifact/config-sarif.json ]; then + files="- config-sarif-artifact/config-sarif.json" + fi + if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then + [ -n "$files" ] && files="$files"$'\n'" - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json" + fi + echo "files<> "$GITHUB_OUTPUT" + echo "$files" >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + - name: Merge SARIF files + id: merge-step + uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4 + with: + files: ${{ steps.file-list.outputs.files }} + output-file: merged-sarif.json + - name: Set outputs + id: outputs + run: | + echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT" + echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT" + - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 + with: + name: merged-sarif + path: merged-sarif.json diff --git a/README.md b/README.md index f1dc90d..5e1a67d 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,93 @@ -# trivy-workflows +# Trivy Workflows +## Run Trivy Scan (reusable workflow) + +Reusable workflow that optionally runs Trivy config and/or image scan, merges the SARIF results, and exposes the merged file as an artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`). + +**Workflow file:** [../.gitea/workflows/run-trivy-scan.yaml](../.gitea/workflows/run-trivy-scan.yaml) + +## Usage + +### Call from another workflow (same repo) + +```yaml +jobs: + trivy: + uses: ./.gitea/workflows/run-trivy-scan.yaml + with: + scan-config: true + scan-images: true + image-scan-files: | + - k8s/31_deployment_redis.yaml + - k8s/32_deployment_gitea.yaml + - dockers/runner/compose.yaml + trivy-server-url: ${{ vars.TRIVY_SERVER_URL }} + use-sarif: + needs: trivy + runs-on: ubuntu-latest + steps: + - name: Download merged SARIF + uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 + with: + name: ${{ needs.trivy.outputs.merged-sarif-artifact }} + path: sarif + # Path to file: sarif/${{ needs.trivy.outputs.merged-sarif-path }} + # - uses: .../tas-upload-sarif@... + # with: + # sarif-file: sarif/${{ needs.trivy.outputs.merged-sarif-path }} +``` + +### Call from another repository + +Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../trivy-actions/run-trivy-scan@ref`. + +**With absolute URL:** +```yaml +jobs: + trivy: + uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5 + with: + ref: 1.4.5 # use same ref as in 'uses' so actions load from trivy-actions + scan-config: true + scan-images: true + image-scan-files: | + - k8s/31_deployment_redis.yaml + trivy-server-url: ${{ vars.TRIVY_SERVER_URL }} +``` + +**With owner/repo path** (same server as the caller): +```yaml +jobs: + trivy: + uses: t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5 + with: + ref: 1.4.5 # use same ref as in 'uses' + scan-config: true + scan-images: true + image-scan-files: | + - k8s/31_deployment_redis.yaml +``` + +When calling from another repo, pass **`ref`** with the same ref as in the workflow path (e.g. `@1.4.5` or commit SHA). The workflow checks out trivy-actions at that ref into `trivy-actions/` and then uses the actions from that checkout (e.g. `./trivy-actions/setup-trivy`). + +### Inputs + +| Input | Type | Default | Description | +| ------------------- | ------- | ------- | ----------- | +| `scan-config` | boolean | false | Run Trivy config scan on the repository root. | +| `scan-images` | boolean | false | Run Trivy image scan on images from `image-scan-files`. | +| `image-scan-files` | string | "" | YAML list of files to extract container images from. | +| `trivy-server-url` | string | "" | Optional Trivy server URL for image scan. | +| `ref` | string | "main" | Git ref to checkout (branch, tag, or SHA); use the same ref as in the workflow path when calling from another repo. | +| `repository-url` | string | "https://gitea.t000-n.de/t.behrendt/trivy-actions.git" | Clone URL for trivy-actions; for private repos use a URL with token or SSH. | + +At least one of `scan-config` or `scan-images` must be true. If `scan-images` is true, set `image-scan-files`. + +### Outputs + +| Output | Description | +| ------------------------ | ----------- | +| `merged-sarif-artifact` | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). | +| `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). | + +After downloading the artifact, the merged SARIF file is at `/${{ needs..outputs.merged-sarif-path }}`.