feat: add run-trivy-scan

2026-02-25 22:12:09 +01:00
2 changed files with 257 additions and 1 deletions
--- a/.gitea/workflows/run-trivy-scan.yaml
+++ b/.gitea/workflows/run-trivy-scan.yaml
@@ -0,0 +1,165 @@
+name: Run Trivy Scan
+
+on:
+  workflow_call:
+    inputs:
+      scan-config:
+        description: "Run Trivy config scan (repository root)."
+        required: false
+        type: boolean
+        default: false
+      scan-images:
+        description: "Run Trivy image scan on images from image-scan-files."
+        required: false
+        type: boolean
+        default: false
+      image-scan-files:
+        description: "YAML list of files to extract container images from. Used when scan-images is true."
+        required: false
+        type: string
+        default: ""
+      trivy-server-url:
+        description: "Optional Trivy server URL for image scan."
+        required: false
+        type: string
+        default: ""
+    outputs:
+      merged-sarif-artifact:
+        description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)."
+        value: ${{ jobs.merge.outputs.merged-sarif-artifact }}
+      merged-sarif-path:
+        description: "Path to the merged SARIF file inside the artifact (merged-sarif.json)."
+        value: ${{ jobs.merge.outputs.merged-sarif-path }}
+
+jobs:
+  config-scan:
+    if: inputs.scan-config
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4
+      - run: |
+          trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json .
+        env:
+          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
+      - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
+        with:
+          name: config-sarif
+          path: config-sarif.json
+
+  image-scan:
+    if: inputs.scan-images
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4 
+      - name: Get images from files
+        id: get-images
+        uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.4
+        with:
+          files: ${{ inputs.image-scan-files }}
+      - name: Pull images
+        if: steps.get-images.outputs.images != '[]'
+        run: |
+          set -e
+          images='${{ steps.get-images.outputs.images }}'
+          for img in $(echo "$images" | jq -r '.[]'); do
+            docker pull "$img"
+          done
+      - name: Scan images
+        id: scan
+        if: steps.get-images.outputs.images != '[]'
+        run: |
+          set -e
+          images='${{ steps.get-images.outputs.images }}'
+          count=$(echo "$images" | jq 'length')
+          if [ "$count" -eq 0 ]; then
+            echo "count=0" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          i=0
+          server="${{ inputs.trivy-server-url }}"
+          for img in $(echo "$images" | jq -r '.[]'); do
+            args=(image --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img")
+            [ -n "$server" ] && args+=(--server "$server")
+            trivy "${args[@]}"
+            i=$((i + 1))
+          done
+          {
+            echo "files<<EOF"
+            for j in $(seq 0 $((i - 1))); do echo "  - sarif-image-${j}.json"; done
+            echo "EOF"
+          } >> $GITHUB_OUTPUT
+          echo "count=$i" >> $GITHUB_OUTPUT
+        env:
+          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
+      - name: Merge image SARIF files
+        if: steps.get-images.outputs.images != '[]' && steps.scan.outputs.count != '0'
+        uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4
+        with:
+          files: ${{ steps.scan.outputs.files }}
+          output-file: image-sarif.json
+      - name: Ensure image SARIF exists (no images case)
+        if: steps.get-images.outputs.images == '[]' || steps.scan.outputs.count == '0'
+        run: |
+          echo '{"version":"2.1.0","$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","runs":[]}' > image-sarif.json
+      - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
+        with:
+          name: image-sarif
+          path: image-sarif.json
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: [config-scan, image-scan]
+    if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images)
+    outputs:
+      merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }}
+      merged-sarif-path: ${{ steps.outputs.outputs.merged-sarif-path }}
+    steps:
+      - name: Require at least one scan
+        if: ${{ !inputs.scan-config && !inputs.scan-images }}
+        run: |
+          echo "Enable scan-config and/or scan-images (and provide image-scan-files for image scan)."
+          exit 1
+      - name: Download config SARIF
+        if: inputs.scan-config
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
+        with:
+          name: config-sarif
+          path: config-sarif-artifact
+      - name: Download image SARIF
+        if: inputs.scan-images
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
+        with:
+          name: image-sarif
+          path: image-sarif-artifact
+      - name: Build merge file list
+        id: file-list
+        run: |
+          files=""
+          if [ "${{ inputs.scan-config }}" = "true" ] && [ -f config-sarif-artifact/config-sarif.json ]; then
+            files="- config-sarif-artifact/config-sarif.json"
+          fi
+          if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then
+            [ -n "$files" ] && files="$files"$'\n'"  - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json"
+          fi
+          echo "files<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$files" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+      - name: Merge SARIF files
+        id: merge-step
+        uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4
+        with:
+          files: ${{ steps.file-list.outputs.files }}
+          output-file: merged-sarif.json
+      - name: Set outputs
+        id: outputs
+        run: |
+          echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT"
+          echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT"
+      - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
+        with:
+          name: merged-sarif
+          path: merged-sarif.json
--- a/README.md
+++ b/README.md
@@ -1,2 +1,93 @@
-# trivy-workflows
+# Trivy Workflows

+## Run Trivy Scan (reusable workflow)
+
+Reusable workflow that optionally runs Trivy config and/or image scan, merges the SARIF results, and exposes the merged file as an artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).
+
+**Workflow file:** [../.gitea/workflows/run-trivy-scan.yaml](../.gitea/workflows/run-trivy-scan.yaml)
+
+## Usage
+
+### Call from another workflow (same repo)
+
+```yaml
+jobs:
+  trivy:
+    uses: ./.gitea/workflows/run-trivy-scan.yaml
+    with:
+      scan-config: true
+      scan-images: true
+      image-scan-files: |
+        - k8s/31_deployment_redis.yaml
+        - k8s/32_deployment_gitea.yaml
+        - dockers/runner/compose.yaml
+      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
+  use-sarif:
+    needs: trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download merged SARIF
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
+        with:
+          name: ${{ needs.trivy.outputs.merged-sarif-artifact }}
+          path: sarif
+      # Path to file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
+      # - uses: .../tas-upload-sarif@...
+      #   with:
+      #     sarif-file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
+```
+
+### Call from another repository
+
+Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../trivy-actions/run-trivy-scan@ref`.
+
+**With absolute URL:**
+```yaml
+jobs:
+  trivy:
+    uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
+    with:
+      ref: 1.4.5   # use same ref as in 'uses' so actions load from trivy-actions
+      scan-config: true
+      scan-images: true
+      image-scan-files: |
+        - k8s/31_deployment_redis.yaml
+      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
+```
+
+**With owner/repo path** (same server as the caller):
+```yaml
+jobs:
+  trivy:
+    uses: t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
+    with:
+      ref: 1.4.5   # use same ref as in 'uses'
+      scan-config: true
+      scan-images: true
+      image-scan-files: |
+        - k8s/31_deployment_redis.yaml
+```
+
+When calling from another repo, pass **`ref`** with the same ref as in the workflow path (e.g. `@1.4.5` or commit SHA). The workflow checks out trivy-actions at that ref into `trivy-actions/` and then uses the actions from that checkout (e.g. `./trivy-actions/setup-trivy`).
+
+### Inputs
+
+| Input               | Type    | Default | Description |
+| ------------------- | ------- | ------- | ----------- |
+| `scan-config`       | boolean | false   | Run Trivy config scan on the repository root. |
+| `scan-images`       | boolean | false   | Run Trivy image scan on images from `image-scan-files`. |
+| `image-scan-files`  | string  | ""      | YAML list of files to extract container images from. |
+| `trivy-server-url`  | string  | ""      | Optional Trivy server URL for image scan. |
+| `ref`               | string  | "main"  | Git ref to checkout (branch, tag, or SHA); use the same ref as in the workflow path when calling from another repo. |
+| `repository-url`    | string  | "https://gitea.t000-n.de/t.behrendt/trivy-actions.git" | Clone URL for trivy-actions; for private repos use a URL with token or SSH. |
+
+At least one of `scan-config` or `scan-images` must be true. If `scan-images` is true, set `image-scan-files`.
+
+### Outputs
+
+| Output                   | Description |
+| ------------------------ | ----------- |
+| `merged-sarif-artifact`  | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). |
+| `merged-sarif-path`      | Path to the file inside that artifact (e.g. `merged-sarif.json`). |
+
+After downloading the artifact, the merged SARIF file is at `<download-path>/${{ needs.<job>.outputs.merged-sarif-path }}`.