.github/workflows/trivy.yml

---
#
# This workflow runs Trivy on a Docker image
# It can pull the image from a container registry
# or download a tar file.  The latter is used
# to check a container image prior to publishing
# to the registry.

name: Run Trivy on a Docker image and push results to GitHub

on:
  workflow_call:
    inputs:
      SOURCE_TYPE: # 'tar' or 'image'
        required: true
        type: string
      TARFILE_NAME: # only used if SOURCE_TYPE=='tar'
        required: false
        type: string
      IMAGE_NAME:
        required: true
        type: string
      EXIT_CODE:
        required: false
        type: number

env:
  sarif_file_name: trivy-results.sarif

jobs:
  trivy:
    name: Trivy
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Download tar file
        id: tar-download
        uses: actions/download-artifact@v4
        if: ${{ inputs.SOURCE_TYPE == 'tar' }}
        with:
          name: ${{ inputs.TARFILE_NAME }}
          path: /tmp

      - name: load docker image from tar file
        if: ${{ inputs.SOURCE_TYPE == 'tar' }}
        run: cat ${{ steps.tar-download.outputs.download-path
          }}/${{ inputs.TARFILE_NAME
          }} | docker import - ${{ inputs.IMAGE_NAME }}

      - name: Run Trivy vulnerability scanner for any major issues
        uses: aquasecurity/trivy-action@0.24.0
        id: trivy
        with:
          image-ref: ${{ inputs.IMAGE_NAME }}
          ignore-unfixed: true # skip vul'ns for which there is no fix
          # list files to skip, each with a justification
          #skip-files: |
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          # only output findings for configured severities
          limit-severities-for-sarif: true
          output: ${{ env.sarif_file_name  }}
          exit-code: ${{ inputs.EXIT_CODE }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3.25.12
        # This is the recommended way to upload scan results
        # after Trivy exits with HIGH/CRITICAL findings
        # See https://github.com/aquasecurity/trivy-action?\
        # tab=readme-ov-file#using-trivy-with-github-code-scanning
        if: ${{ success() || steps.trivy.conclusion=='failure' }}
        with:
          sarif_file: ${{ env.sarif_file_name  }}
          wait-for-processing: true
...