From 9973ffe899d47effe0fc7e4f515a725508d4b6d4 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Thu, 26 Feb 2026 21:13:29 +0100 Subject: [PATCH 1/3] feat: add fs scan --- .gitea/workflows/run-trivy-scan.yaml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/run-trivy-scan.yaml b/.gitea/workflows/run-trivy-scan.yaml index 4d9c1fa..382c973 100644 --- a/.gitea/workflows/run-trivy-scan.yaml +++ b/.gitea/workflows/run-trivy-scan.yaml @@ -23,6 +23,11 @@ on: required: false type: string default: "" + scan-fs: + description: "Run Trivy file system scan on the repository root." + required: false + type: boolean + default: false outputs: merged-sarif-artifact: description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)." @@ -110,9 +115,25 @@ jobs: name: image-sarif path: image-sarif.json + fs-scan: + if: inputs.scan-fs + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4 + - run: | + trivy fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln . + env: + TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy + - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 + with: + name: fs-sarif + path: fs-sarif.json + merge: runs-on: ubuntu-latest - needs: [config-scan, image-scan] + needs: [config-scan, image-scan, fs-scan] if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images) outputs: merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }} @@ -145,6 +166,9 @@ jobs: if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then [ -n "$files" ] && files="$files"$'\n'" - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json" fi + if [ "${{ inputs.scan-fs }}" = "true" ] && [ -f fs-sarif-artifact/fs-sarif.json ]; then + [ -n "$files" ] && files="$files"$'\n'" - fs-sarif-artifact/fs-sarif.json" || files="- fs-sarif-artifact/fs-sarif.json" + fi echo "files<> "$GITHUB_OUTPUT" echo "$files" >> "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" -- 2.49.1 From fe4fa79289aab8c0a32a8695c1e92798bb1a93e5 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Thu, 26 Feb 2026 21:56:48 +0100 Subject: [PATCH 2/3] bump trivy-actions to image fixed version --- .gitea/workflows/run-trivy-scan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/run-trivy-scan.yaml b/.gitea/workflows/run-trivy-scan.yaml index 382c973..c07a2bc 100644 --- a/.gitea/workflows/run-trivy-scan.yaml +++ b/.gitea/workflows/run-trivy-scan.yaml @@ -120,8 +120,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4 - - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5 - run: | trivy fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln . env: @@ -130,7 +130,7 @@ jobs: with: name: fs-sarif path: fs-sarif.json - + merge: runs-on: ubuntu-latest needs: [config-scan, image-scan, fs-scan] -- 2.49.1 From 97ed0a241c52e8ce2fe90ae3b2c551d7256858a3 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Thu, 26 Feb 2026 21:58:46 +0100 Subject: [PATCH 3/3] pass server arg on fs scan --- .gitea/workflows/run-trivy-scan.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/run-trivy-scan.yaml b/.gitea/workflows/run-trivy-scan.yaml index c07a2bc..4c8c634 100644 --- a/.gitea/workflows/run-trivy-scan.yaml +++ b/.gitea/workflows/run-trivy-scan.yaml @@ -123,7 +123,10 @@ jobs: - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5 - run: | - trivy fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln . + server="${{ inputs.trivy-server-url }}" + args=(fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln .) + [ -n "$server" ] && args+=(--server "$server") + trivy "${args[@]}" env: TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 -- 2.49.1