name: Run TAS on: workflow_call: inputs: scan-config: description: "Scan the configuration files" required: false default: false type: boolean image-scan-files: description: "List of files to scan for images" required: false default: "" type: string pre-pull-images: description: "Pre-pull the images" required: false default: false type: boolean trivy-server: description: "Trivy server to use" required: false default: "https://trivy.gitea.t00n.de" type: string tas-base-url: description: "TAS base URL" required: false default: "https://tas.gitea.t00n.de" type: string repository-name: description: "Repository name" required: true type: string branch-name: description: "Branch name" required: true type: string repository-owner: description: "Repository owner" required: true type: string jobs: config-scan: runs-on: ubuntu-latest if: inputs.scan-config == true steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0 - run: | trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json . env: TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy - uses: https://github.com/christopherHX/gitea-upload-artifact@v4 with: name: config-sarif path: config-sarif.json image-scan: runs-on: ubuntu-latest if: inputs.image-scan-files != "" steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0 - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0 - name: Get Images From Files id: get-images uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.0 with: files: ${{ inputs.image-scan-files }} - name: Pull images if: inputs.pre-pull-images == true run: | set -e images='${{ steps.get-images.outputs.images }}' for img in $(echo "$images" | jq -r '.[]'); do docker pull "$img" done - name: Scan images id: scan run: | set -e images='${{ steps.get-images.outputs.images }}' count=$(echo "$images" | jq 'length') if [ "$count" -eq 0 ]; then echo "No images found" exit 1 fi i=0 for img in $(echo "$images" | jq -r '.[]'); do trivy image --cache-dir "$TRIVY_CACHE_DIR" --server ${{ inputs.trivy-server }} --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img" i=$((i + 1)) done { echo "files<> $GITHUB_OUTPUT echo "count=$i" >> $GITHUB_OUTPUT env: TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy - name: Merge image SARIF files if: steps.scan.outputs.count != '0' uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea with: files: ${{ steps.scan.outputs.files }} output-file: image-sarif.json - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 with: name: image-sarif path: image-sarif.json merge-and-upload: runs-on: ubuntu-latest needs: [config-scan, image-scan] if: inputs.scan-config == true || inputs.image-scan-files != "" steps: - name: Download config SARIF uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 with: name: config-sarif path: config-sarif-artifact - name: Download image SARIF uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 with: name: image-sarif path: image-sarif-artifact - name: Merge SARIF files uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea with: files: | - config-sarif-artifact/config-sarif.json - image-sarif-artifact/image-sarif.json output-file: sarif.json - uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@0.0.2 with: tas-base-url: ${{ inputs.tas-base-url }} sarif-file: sarif.json owner: ${{ inputs.repository-owner }} repo: ${{ inputs.repository-name }} branch: ${{ inputs.branch-name }}