# Trivy Workflows

## Run Trivy Scan (reusable workflow)

Reusable workflow that optionally runs Trivy config and/or image scan, merges the SARIF results, and exposes the merged file as an artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).

**Workflow file:** [../.gitea/workflows/run-trivy-scan.yaml](../.gitea/workflows/run-trivy-scan.yaml)

## Usage

### Call from another workflow (same repo)

```yaml
jobs:
  trivy:
    uses: ./.gitea/workflows/run-trivy-scan.yaml
    with:
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
        - k8s/32_deployment_gitea.yaml
        - dockers/runner/compose.yaml
      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}

  use-sarif:
    needs: trivy
    runs-on: ubuntu-latest
    steps:
      - name: Download merged SARIF
        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
        with:
          name: ${{ needs.trivy.outputs.merged-sarif-artifact }}
          path: sarif
      # Path to file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
      # - uses: .../tas-upload-sarif@...
      #   with:
      #     sarif-file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
```

### Call from another repository

Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../trivy-actions/run-trivy-scan@ref`.
**With absolute URL:**

```yaml
jobs:
  trivy:
    uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
    with:
      ref: 1.4.5  # use same ref as in 'uses' so actions load from trivy-actions
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
```

**With owner/repo path** (same server as the caller):

```yaml
jobs:
  trivy:
    uses: t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
    with:
      ref: 1.4.5  # use same ref as in 'uses'
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
```

When calling from another repo, pass **`ref`** with the same ref as in the workflow path (e.g. `@1.4.5` or a commit SHA). The workflow checks out trivy-actions at that ref into `trivy-actions/` and then uses the actions from that checkout (e.g. `./trivy-actions/setup-trivy`). That ref is what you trust to run in your pipeline: a tag can be moved to different code later, a commit SHA cannot, so pin to a SHA where the caller's threat model warrants it.

### Inputs

| Input | Type | Default | Description |
| ------------------- | ------- | ------- | ----------- |
| `scan-config` | boolean | false | Run Trivy config scan on the repository root. |
| `scan-images` | boolean | false | Run Trivy image scan on images from `image-scan-files`. |
| `image-scan-files` | string | "" | YAML list of files to extract container images from. |
| `trivy-server-url` | string | "" | Optional Trivy server URL for image scan. |
| `ref` | string | "main" | Git ref to checkout (branch, tag, or SHA); use the same ref as in the workflow path when calling from another repo. |
| `repository-url` | string | "https://gitea.t000-n.de/t.behrendt/trivy-actions.git" | Clone URL for trivy-actions; for private repos use a URL with token or SSH. Do not put the token as a literal in the workflow file; take it from a secret. |

At least one of `scan-config` or `scan-images` must be true. If `scan-images` is true, set `image-scan-files`.

### Outputs

| Output | Description |
| ------------------------ | ----------- |
| `merged-sarif-artifact` | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). |
| `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). |

After downloading the artifact into a directory, the merged SARIF file is at `<download-path>/${{ needs.<job-id>.outputs.merged-sarif-path }}`, e.g. `sarif/${{ needs.trivy.outputs.merged-sarif-path }}` for the same-repo example above.
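The workflow merges the per-scan SARIF files and hands the caller one artifact; what a downstream job does with it is up to the caller. The following script is an added example, not code from the trivy-actions project: `merge_sarif` performs the same kind of merge (concatenating the `runs` of several SARIF 2.1.0 logs into one), and `summarize` / `has_findings_at` show how a caller can gate on the downloaded file by result level. The two input documents are constructed to resemble Trivy output; the rule ids, messages and the assumption that high-severity findings arrive as `error`-level results are placeholders, so check your own scan output before relying on that mapping.

```python
"""Merge SARIF 2.1.0 logs and gate on the merged result (added example)."""
import json
import sys
from collections import Counter
from typing import Iterable

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample: a config scan whose single result carries no explicit
# level and therefore inherits the rule's defaultConfiguration.
CONFIG_SCAN = {
    "$schema": SARIF_SCHEMA,
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "MISCONFIG-EXAMPLE-1", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "MISCONFIG-EXAMPLE-1", "message": {"text": "placeholder misconfiguration"}},
        ],
    }],
}

# Constructed sample: an image scan with two error-level and one note-level result.
IMAGE_SCAN = {
    "$schema": SARIF_SCHEMA,
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "VULN-EXAMPLE-1", "defaultConfiguration": {"level": "error"}},
            {"id": "VULN-EXAMPLE-2", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "VULN-EXAMPLE-1", "level": "error", "message": {"text": "placeholder finding in image a"}},
            {"ruleId": "VULN-EXAMPLE-1", "level": "error", "message": {"text": "placeholder finding in image b"}},
            {"ruleId": "VULN-EXAMPLE-2", "level": "note", "message": {"text": "placeholder low finding"}},
        ],
    }],
}


def merge_sarif(docs: Iterable[dict]) -> dict:
    """Concatenate the runs of several SARIF logs into one log.

    A SARIF log may carry any number of runs, and each run keeps its own tool and
    rule table, so rule ids from different scans cannot collide. Inputs that are
    not SARIF 2.1.0 are rejected rather than silently dropped.
    """
    runs = []
    for doc in docs:
        if doc.get("version") != "2.1.0":
            raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
        runs.extend(doc.get("runs", []))
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0", "runs": runs}


def summarize(sarif: dict) -> dict:
    """Return {tool name: Counter(level -> count)} aggregated over all runs.

    Per the SARIF spec, a result without `level` takes the rule's
    defaultConfiguration.level, and "warning" when that is absent as well.
    """
    summary: dict = {}
    for run in sarif["runs"]:
        driver = run["tool"]["driver"]
        rule_levels = {
            rule["id"]: rule.get("defaultConfiguration", {}).get("level", "warning")
            for rule in driver.get("rules", [])
        }
        counts = summary.setdefault(driver["name"], Counter())
        for result in run.get("results", []):
            level = result.get("level") or rule_levels.get(result.get("ruleId"), "warning")
            counts[level] += 1
    return summary


def has_findings_at(sarif: dict, level: str = "error") -> bool:
    """True if any run has a result at `level`; the gate a downstream job applies."""
    return any(counts[level] > 0 for counts in summarize(sarif).values())


def main(argv: list) -> int:
    """Usage: merge_sarif.py OUT.sarif IN.sarif...  Without arguments, run on the samples."""
    if len(argv) >= 3:
        docs = []
        for path in argv[2:]:
            with open(path, encoding="utf-8") as fh:
                docs.append(json.load(fh))
    else:
        docs = [CONFIG_SCAN, IMAGE_SCAN]
    merged = merge_sarif(docs)
    if len(argv) >= 3:
        with open(argv[1], "w", encoding="utf-8") as fh:
            json.dump(merged, fh, indent=2)
    for tool, counts in summarize(merged).items():
        print(tool, dict(counts))
    # Non-zero exit fails the job when error-level findings are present.
    return 1 if has_findings_at(merged, "error") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a `use-sarif` job like the one above, the script would be run against `sarif/${{ needs.trivy.outputs.merged-sarif-path }}` after the download step; the exit status is what turns scan results into a pipeline gate, and the level-to-severity mapping is the one thing to verify against real Trivy output first.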