This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://gitea.t000-n.de/t.behrendt/trivy-actions](https://gitea.t000-n.de/t.behrendt/trivy-actions) | action | patch | `1.4.5` → `1.4.7` |

---

### Release Notes

<details>
<summary>t.behrendt/trivy-actions (https://gitea.t000-n.de/t.behrendt/trivy-actions)</summary>

### [`v1.4.7`](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.6...1.4.7)

[Compare Source](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.6...1.4.7)

### [`v1.4.6`](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.5...1.4.6)

[Compare Source](https://gitea.t000-n.de/t.behrendt/trivy-actions/compare/1.4.5...1.4.6)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: t.behrendt/trivy-workflows#10
Reviewed-by: t.behrendt <t.behrendt@noreply.localhost>
Co-authored-by: Renovate Bot <renovate@t00n.de>
Co-committed-by: Renovate Bot <renovate@t00n.de>
# Trivy Workflows

## Run Trivy Scan (reusable workflow)

Reusable workflow that optionally runs a Trivy config scan and/or image scan, merges the SARIF results, and exposes the merged file as an artifact. It does not upload to TAS; callers download the artifact and use it (e.g. with `tas-upload-sarif`).

Workflow file: `../.gitea/workflows/run-trivy-scan.yaml`

### Usage

#### Call from another workflow (same repo)

```yaml
jobs:
  trivy:
    uses: ./.gitea/workflows/run-trivy-scan.yaml
    with:
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
        - k8s/32_deployment_gitea.yaml
        - dockers/runner/compose.yaml
      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}

  use-sarif:
    needs: trivy
    runs-on: ubuntu-latest
    steps:
      - name: Download merged SARIF
        uses: https://github.com/ChristopherHX/gitea-download-artifact@v4
        with:
          name: ${{ needs.trivy.outputs.merged-sarif-artifact }}
          path: sarif
      # Path to file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
      # - uses: .../tas-upload-sarif@...
      #   with:
      #     sarif-file: sarif/${{ needs.trivy.outputs.merged-sarif-path }}
```
#### Call from another repository

Use the full workflow path including `.gitea/workflows/` and the filename. Gitea does not accept a bare repo path like `.../trivy-actions/run-trivy-scan@ref`.

With absolute URL:

```yaml
jobs:
  trivy:
    uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
    with:
      ref: 1.4.5 # use same ref as in 'uses' so actions load from trivy-actions
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
      trivy-server-url: ${{ vars.TRIVY_SERVER_URL }}
```

With owner/repo path (same server as the caller):

```yaml
jobs:
  trivy:
    uses: t.behrendt/trivy-actions/.gitea/workflows/run-trivy-scan.yaml@1.4.5
    with:
      ref: 1.4.5 # use same ref as in 'uses'
      scan-config: true
      scan-images: true
      image-scan-files: |
        - k8s/31_deployment_redis.yaml
```

When calling from another repo, pass `ref` with the same ref as in the workflow path (e.g. `@1.4.5` or a commit SHA). The workflow checks out trivy-actions at that ref into `trivy-actions/` and then uses the actions from that checkout (e.g. `./trivy-actions/setup-trivy`).
### Inputs

| Input | Type | Default | Description |
|---|---|---|---|
| `scan-config` | boolean | `false` | Run Trivy config scan on the repository root. |
| `scan-images` | boolean | `false` | Run Trivy image scan on images from `image-scan-files`. |
| `image-scan-files` | string | `""` | YAML list of files to extract container images from. |
| `trivy-server-url` | string | `""` | Optional Trivy server URL for image scan. |
| `ref` | string | `"main"` | Git ref to checkout (branch, tag, or SHA); use the same ref as in the workflow path when calling from another repo. |
| `repository-url` | string | `"https://gitea.t000-n.de/t.behrendt/trivy-actions.git"` | Clone URL for trivy-actions; for private repos use a URL with token or SSH. |

At least one of `scan-config` or `scan-images` must be true. If `scan-images` is true, set `image-scan-files`.

### Outputs

| Output | Description |
|---|---|
| `merged-sarif-artifact` | Artifact name to pass to download-artifact (e.g. `merged-sarif`). |
| `merged-sarif-path` | Path to the file inside that artifact (e.g. `merged-sarif.json`). |

After downloading the artifact, the merged SARIF file is at `<download-path>/${{ needs.<job>.outputs.merged-sarif-path }}`.
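The following is an added example of what the merge step described above does and of what a caller can do with the downloaded `merged-sarif.json`; it is not the trivy-workflows project's own merge code. It combines the runs of a config-scan log and an image-scan log into one SARIF 2.1.0 document, counts results per level, and lists rules that cross a severity threshold. The two SARIF documents are constructed for the example (the CVE ids are placeholders), and reading the score from the rule's `security-severity` property is an assumption based on the convention used by GitHub code scanning and Trivy's SARIF output, not something the README states.

```python
"""Merge SARIF 2.1.0 logs and summarise the findings.

Added example for this README, not the trivy-workflows project's own merge
step. The SARIF documents below are constructed; the "security-severity"
rule property is assumed to follow the GitHub/Trivy convention.
"""
import json
from collections import Counter

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample: one run from a config scan of a Kubernetes manifest.
CONFIG_SARIF = {
    "version": "2.1.0",
    "$schema": SARIF_SCHEMA,
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "KSV001", "properties": {"security-severity": "7.0"}},
        ]}},
        "results": [{
            "ruleId": "KSV001",
            "level": "warning",
            "message": {"text": "constructed: container runs as root"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "k8s/31_deployment_redis.yaml"}}}],
        }],
    }],
}

# Constructed sample: one run from an image scan; the CVE ids are placeholders.
IMAGE_SARIF = {
    "version": "2.1.0",
    "$schema": SARIF_SCHEMA,
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-00000", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-00001", "properties": {"security-severity": "3.1"}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-00000", "level": "error",
             "message": {"text": "constructed: critical package vulnerability"}},
            {"ruleId": "CVE-0000-00001", "level": "note",
             "message": {"text": "constructed: low package vulnerability"}},
        ],
    }],
}


def merge_sarif(logs):
    """Combine the runs of several SARIF logs into one document.

    Runs are appended, not flattened: SARIF allows many runs per log, and
    keeping them separate preserves each run's tool and rule metadata so a
    consumer can still resolve ruleId -> rule for every result.
    """
    merged = {"version": "2.1.0", "$schema": SARIF_SCHEMA, "runs": []}
    for log in logs:
        if log.get("version") != "2.1.0":
            raise ValueError(f"unsupported SARIF version: {log.get('version')!r}")
        merged["runs"].extend(log.get("runs", []))
    return merged


def count_by_level(sarif):
    """Count results per SARIF level; SARIF's default level is 'warning'."""
    counts = Counter()
    for run in sarif["runs"]:
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return dict(counts)


def blocking_findings(sarif, min_severity=7.0):
    """Return ruleIds of results whose rule scores >= min_severity.

    The score is read from the rule's 'security-severity' property; results
    whose rule carries no score are skipped rather than assumed severe.
    """
    found = []
    for run in sarif["runs"]:
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        severity = {}
        for rule in rules:
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:
                severity[rule["id"]] = float(score)
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            if rule_id in severity and severity[rule_id] >= min_severity:
                found.append(rule_id)
    return found


def write_merged(path, logs):
    """Write the merged log to disk (e.g. merged-sarif.json) and return it."""
    merged = merge_sarif(logs)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
    return merged


if __name__ == "__main__":
    merged_log = write_merged("merged-sarif.json", [CONFIG_SARIF, IMAGE_SARIF])
    print("results per level:", count_by_level(merged_log))
    print("blocking (>= 7.0):", blocking_findings(merged_log))
```

A consumer job that downloads the artifact can run `blocking_findings` over the file at `<download-path>/merged-sarif.json` and fail the pipeline when the list is non-empty, which gives a gate that is independent of whatever upload target the SARIF is later sent to.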