trivy-scan/action.yaml

# yamllint disable rule:line-length
---
name: run trivy docker scan

description: use trivy to scan docker image for vulnerabilities

inputs:

  working-directory:
    description: set working directory. Default is ./.
    required: false
    default: "."

  registry:
    description: dtr compatible registry
    required: false
    default: docker.io

  organization:
    description: dtr compatible organization identified
    required: false
    default: ""

  image:
    description: name of image
    required: true

  tag:
    description: value for tag
    required: false
    default: dev.${GITHUB_SHA:0:7}

  trivy-severity:
    description: trivy scan reporting threshold
    required: false
    default: "LOW,MEDIUM,HIGH,CRITICAL"

  trivy-additional-args:
    description: additional custom command line flags
    required: false
    default: ""

  security-scan-nofail:
    description: >
      security scan revealing issues will not cause pipeline to fail,
      instead the scan output will be uploaded as a pipeline artifact
    required: false
    default: "false"

runs:
  using: "composite"

  steps:
    - name: trivy image scan
      working-directory: ${{ inputs.working-directory }}
      shell: bash
      run: |
        #!/usr/bin/env bash
        set -eo pipefail
        outfilename="${{ inputs.image }}_${{ inputs.tag }}_trivy_scan.log"
        echo "outfilename=$outfilename" >> $GITHUB_ENV

        exitcode="--exit-code 1"
        if [[ "${{ inputs.security-scan-nofail }}" == "true" ]]; then
          exitcode=""
        fi
        trivy image --severity ${{ inputs.trivy-severity }} \
                    $exitcode \
                    ${{ inputs.trivy-additional-args }} \
                    ${{ inputs.registry }}/${{ inputs.organization }}/${{ inputs.image }}:${{ inputs.tag }} 2>&1 | tee $outfilename \

    - name: upload trivy scan log as saved artifact
      if: ${{ inputs.security-scan-nofail == 'true' }}
      uses: actions/upload-artifact@v4
      with:
        name: ${{ env.outfilename }}
        path: ${{ env.outfilename }}
        retention-days: 7