From 5186bbd543ae3062850395e0e204d39e22f9bd70 Mon Sep 17 00:00:00 2001
From: Maxim-Durand <72691393+Maxim-Durand@users.noreply.github.com>
Date: Mon, 12 Feb 2024 12:30:32 -0500
Subject: [PATCH 1/3] Improved documentation with details on how to send output as an artifact on Github and giving an example of a private image scan
---
 README.md | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/README.md b/README.md
index 284d520..6b3c759 100644
--- a/README.md
+++ b/README.md
@@ -337,6 +337,48 @@ jobs:
 github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT ``` +When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance. +You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact): + +```yaml +--- +name: Pull Request +on: + push: + branches: + - main + +## GITHUB_TOKEN authentication, add only if you're not going to use a PAT +permissions: + contents: write + +jobs: + build: + name: Checks + runs-on: ubuntu-20.04 + steps: + - name: Scan image in a private registry + uses: aquasecurity/trivy-action@master + with: + image-ref: "private_image_registry/image_name:image_tag" + scan-type: image + format: 'github' + output: 'dependency-results.sbom.json' + github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + severity: "MEDIUM,HIGH,CRITICAL" + scanners: "vuln" + env: + TRIVY_USERNAME: "REDACTED" + TRIVY_PASSWORD: "REDACTED" + + - name: Upload Build Artifacts + uses: actions/upload-artifact@v4 + with: + name: trivy-sbom-report + path: '${{ github.workspace }}/dependency-results.sbom.json' + retention-days: 20 # 90 is the default +``` + ### Using Trivy to scan your private registry It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
From 3ad19cd9da19632bf1bcfb3f9be91737e27ffc67 Mon Sep 17 00:00:00 2001
From: Maxim-Durand <72691393+Maxim-Durand@users.noreply.github.com>
Date: Mon, 12 Feb 2024 12:39:53 -0500
Subject: [PATCH 2/3] formatting
---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 6b3c759..12796d6 100644
--- a/README.md
+++ b/README.md
@@ -338,6 +338,7 @@ jobs:
 ``` When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance. + You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact): ```yaml
@@ -368,8 +369,8 @@ jobs:
 severity: "MEDIUM,HIGH,CRITICAL" scanners: "vuln" env: - TRIVY_USERNAME: "REDACTED" - TRIVY_PASSWORD: "REDACTED" + TRIVY_USERNAME: "image_registry_admin_username" + TRIVY_PASSWORD: "image_registry_admin_password" - name: Upload Build Artifacts uses: actions/upload-artifact@v4
From ac8614fade73cee81739833992a3a4f7df22c642 Mon Sep 17 00:00:00 2001
From: Maxim-Durand <72691393+Maxim-Durand@users.noreply.github.com>
Date: Mon, 12 Feb 2024 12:40:57 -0500
Subject: [PATCH 3/3] better name for job
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 12796d6..0d971f6 100644
--- a/README.md
+++ b/README.md
@@ -372,7 +372,7 @@ jobs:
 TRIVY_USERNAME: "image_registry_admin_username" TRIVY_PASSWORD: "image_registry_admin_password" - - name: Upload Build Artifacts + - name: Upload trivy report as a Github artifact uses: actions/upload-artifact@v4 with: name: trivy-sbom-report