t.behrendt/sec-workflows
1
0
Fork 0
Code Issues 2 Pull Requests 4 Actions Releases Activity
Files
4b9138d8f8e5064d2953b4b2b7afda38407dcd0f
sec-workflows/.gitea/workflows/run-trivy-scan.yaml
Timo Behrendt 4b9138d8f8
All checks were successful
CD / Release (push) Successful in 22s
Details
feat: add run-trivy-scan (#2) 
Reviewed-on: t.behrendt/trivy-workflows#2
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>
2026-02-25 22:30:42 +01:00

166 lines
6.7 KiB
YAML
Raw Blame History

name: Run Trivy Scan
on:
workflow_call:
inputs:
scan-config:
description: "Run Trivy config scan (repository root)."
required: false
type: boolean
default: false
scan-images:
description: "Run Trivy image scan on images from image-scan-files."
required: false
type: boolean
default: false
image-scan-files:
description: "YAML list of files to extract container images from. Used when scan-images is true."
required: false
type: string
default: ""
trivy-server-url:
description: "Optional Trivy server URL for image scan."
required: false
type: string
default: ""
outputs:
merged-sarif-artifact:
description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)."
value: ${{ jobs.merge.outputs.merged-sarif-artifact }}
merged-sarif-path:
description: "Path to the merged SARIF file inside the artifact (merged-sarif.json)."
value: ${{ jobs.merge.outputs.merged-sarif-path }}
jobs:
config-scan:
if: inputs.scan-config
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4
- run: |
trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json .
env:
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: config-sarif
path: config-sarif.json
image-scan:
if: inputs.scan-images
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4
- name: Get images from files
id: get-images
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.4
with:
files: ${{ inputs.image-scan-files }}
- name: Pull images
if: steps.get-images.outputs.images != '[]'
run: |
set -e
images='${{ steps.get-images.outputs.images }}'
for img in $(echo "$images" | jq -r '.[]'); do
docker pull "$img"
done
- name: Scan images
id: scan
if: steps.get-images.outputs.images != '[]'
run: |
set -e
images='${{ steps.get-images.outputs.images }}'
count=$(echo "$images" | jq 'length')
if [ "$count" -eq 0 ]; then
echo "count=0" >> "$GITHUB_OUTPUT"
exit 0
fi
i=0
server="${{ inputs.trivy-server-url }}"
for img in $(echo "$images" | jq -r '.[]'); do
args=(image --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img")
[ -n "$server" ] && args+=(--server "$server")
trivy "${args[@]}"
i=$((i + 1))
done
{
echo "files<<EOF"
for j in $(seq 0 $((i - 1))); do echo " - sarif-image-${j}.json"; done
echo "EOF"
} >> $GITHUB_OUTPUT
echo "count=$i" >> $GITHUB_OUTPUT
env:
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
- name: Merge image SARIF files
if: steps.get-images.outputs.images != '[]' && steps.scan.outputs.count != '0'
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4
with:
files: ${{ steps.scan.outputs.files }}
output-file: image-sarif.json
- name: Ensure image SARIF exists (no images case)
if: steps.get-images.outputs.images == '[]' || steps.scan.outputs.count == '0'
run: |
echo '{"version":"2.1.0","$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","runs":[]}' > image-sarif.json
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: image-sarif
path: image-sarif.json
merge:
runs-on: ubuntu-latest
needs: [config-scan, image-scan]
if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images)
outputs:
merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }}
merged-sarif-path: ${{ steps.outputs.outputs.merged-sarif-path }}
steps:
- name: Require at least one scan
if: ${{ !inputs.scan-config && !inputs.scan-images }}
run: |
echo "Enable scan-config and/or scan-images (and provide image-scan-files for image scan)."
exit 1
- name: Download config SARIF
if: inputs.scan-config
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
with:
name: config-sarif
path: config-sarif-artifact
- name: Download image SARIF
if: inputs.scan-images
uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
with:
name: image-sarif
path: image-sarif-artifact
- name: Build merge file list
id: file-list
run: |
files=""
if [ "${{ inputs.scan-config }}" = "true" ] && [ -f config-sarif-artifact/config-sarif.json ]; then
files="- config-sarif-artifact/config-sarif.json"
fi
if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then
[ -n "$files" ] && files="$files"$'\n'" - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json"
fi
echo "files<<EOF" >> "$GITHUB_OUTPUT"
echo "$files" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
- name: Merge SARIF files
id: merge-step
uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.4
with:
files: ${{ steps.file-list.outputs.files }}
output-file: merged-sarif.json
- name: Set outputs
id: outputs
run: |
echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT"
echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT"
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: merged-sarif
path: merged-sarif.json
Reference in New Issue View Git Blame Copy Permalink