sec-workflows/README.md

# Trivy Workflows

## Run Trivy Scan (reusable workflow)

Reusable workflow that optionally runs Trivy config and/or image scan, merges the SARIF results, and exposes the merged file as an artifact. It does **not** upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).

**Workflow file:** [../.gitea/workflows/run-trivy-scan.yaml](../.gitea/workflows/run-trivy-scan.yaml)

## Usage

### Call from another workflow (same repo)

```yaml
jobs:
  trivy:
    uses: ./.gitea/workflows/run-trivy-scan.yaml
    with:
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
        - k8s/32_deployment_gitea.yaml
        - dockers/runner/compose.yaml
      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
  use-sarif:
    needs: trivy
    runs-on: ubuntu-latest
    steps:
      - name: Download merged SARIF
        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
        with:
          name: ${{ needs.trivy.outputs.merged-sarif-artifact }}
          path: sarif
      # Path to file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
      # - uses: .../tas-upload-sarif@...
      #   with:
      #     sarif-file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
```

### Call from another repository

Use the **full workflow path** including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../trivy-actions/run-trivy-scan@ref`.

**With absolute URL:**
```yaml
jobs:
  trivy:
    uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
    with:
      ref: 1.4.5   # use same ref as in 'uses' so actions load from trivy-actions
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
```

**With owner/repo path** (same server as the caller):
```yaml
jobs:
  trivy:
    uses: t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
    with:
      ref: 1.4.5   # use same ref as in 'uses'
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
```

When calling from another repo, pass **`ref`** with the same ref as in the workflow path (e.g. `@1.4.5` or commit SHA). The workflow checks out trivy-actions at that ref into `trivy-actions/` and then uses the actions from that checkout (e.g. `./trivy-actions/setup-trivy`).

### Inputs

| Input               | Type    | Default | Description |
| ------------------- | ------- | ------- | ----------- |
| `scan-config`       | boolean | false   | Run Trivy config scan on the repository root. |
| `scan-images`       | boolean | false   | Run Trivy image scan on images from `image-scan-files`. |
| `image-scan-files`  | string  | ""      | YAML list of files to extract container images from. |
| `trivy-server-url`  | string  | ""      | Optional Trivy server URL for image scan. |
| `ref`               | string  | "main"  | Git ref to checkout (branch, tag, or SHA); use the same ref as in the workflow path when calling from another repo. |
| `repository-url`    | string  | "https://gitea.t000-n.de/t.behrendt/trivy-actions.git" | Clone URL for trivy-actions; for private repos use a URL with token or SSH. |

At least one of `scan-config` or `scan-images` must be true. If `scan-images` is true, set `image-scan-files`.

### Outputs

| Output                   | Description |
| ------------------------ | ----------- |
| `merged-sarif-artifact`  | Artifact name to pass to `download-artifact` (e.g. `merged-sarif`). |
| `merged-sarif-path`      | Path to the file inside that artifact (e.g. `merged-sarif.json`). |

After downloading the artifact, the merged SARIF file is at `<download-path>/${{ needs.<job>.outputs.merged-sarif-path }}`.