name: Run Trivy Scan on: workflow_call: inputs: scan-config: description: "Run Trivy config scan (repository root)." required: false type: boolean default: false scan-images: description: "Run Trivy image scan on images from image-scan-files." required: false type: boolean default: false image-scan-files: description: "YAML list of files to extract container images from. Used when scan-images is true." required: false type: string default: "" trivy-server-url: description: "Optional Trivy server URL for image scan." required: false type: string default: "" outputs: merged-sarif-artifact: description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)." value: ${{ jobs.merge.outputs.merged-sarif-artifact }} merged-sarif-path: description: "Path to the merged SARIF file inside the artifact (merged-sarif.json)." value: ${{ jobs.merge.outputs.merged-sarif-path }} jobs: config-scan: if: inputs.scan-config runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4 - run: | trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json . env: TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 with: name: config-sarif path: config-sarif.json image-scan: if: inputs.scan-images runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4 - name: Get images from files id: get-images uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.4 with: files: ${{ inputs.image-scan-files }} - name: Pull images if: steps.get-images.outputs.images != '[]' run: | set -e images='${{ steps.get-images.outputs.images }}' for img in $(echo "$images" | jq -r '.[]'); do docker pull "$img" done - name: Scan images id: scan if: steps.get-images.outputs.images != '[]' run: | set -e images='${{ steps.get-images.outputs.images }}' count=$(echo "$images" | jq 'length') if [ "$count" -eq 0 ]; then echo "count=0" >> "$GITHUB_OUTPUT" exit 0 fi i=0 server="${{ inputs.trivy-server-url }}" for img in $(echo "$images" | jq -r '.[]'); do args=(image --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img") [ -n "$server" ] && args+=(--server "$server") trivy "${args[@]}" i=$((i + 1)) done { echo "files<> $GITHUB_OUTPUT echo "count=$i" >> $GITHUB_OUTPUT env: TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy - name: Merge image SARIF files if: steps.get-images.outputs.images != '[]' && steps.scan.outputs.count != '0' uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4 with: files: ${{ steps.scan.outputs.files }} output-file: image-sarif.json - name: Ensure image SARIF exists (no images case) if: steps.get-images.outputs.images == '[]' || steps.scan.outputs.count == '0' run: | echo '{"version":"2.1.0","$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","runs":[]}' > image-sarif.json - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 with: name: image-sarif path: image-sarif.json merge: runs-on: ubuntu-latest needs: [config-scan, image-scan] if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images) outputs: merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }} merged-sarif-path: ${{ steps.outputs.outputs.merged-sarif-path }} steps: - name: Require at least one scan if: ${{ !inputs.scan-config && !inputs.scan-images }} run: | echo "Enable scan-config and/or scan-images (and provide image-scan-files for image scan)." exit 1 - name: Download config SARIF if: inputs.scan-config uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 with: name: config-sarif path: config-sarif-artifact - name: Download image SARIF if: inputs.scan-images uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 with: name: image-sarif path: image-sarif-artifact - name: Build merge file list id: file-list run: | files="" if [ "${{ inputs.scan-config }}" = "true" ] && [ -f config-sarif-artifact/config-sarif.json ]; then files="- config-sarif-artifact/config-sarif.json" fi if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then [ -n "$files" ] && files="$files"$'\n'" - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json" fi echo "files<> "$GITHUB_OUTPUT" echo "$files" >> "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" - name: Merge SARIF files id: merge-step uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4 with: files: ${{ steps.file-list.outputs.files }} output-file: merged-sarif.json - name: Set outputs id: outputs run: | echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT" echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT" - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 with: name: merged-sarif path: merged-sarif.json