aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Option to fail only on critical CVE but also display all CVE in the table? #187

Open nat-ray opened 1 year ago

nat-ray commented 1 year ago

I have the following set in my workflow:

        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.image_name }}:${{ env.TAG_NAME }}'
          exit-code: '1'          # the action input is exit-code (not exit)
          severity: 'CRITICAL'

I only want the workflow to fail if a critical CVE is found. It works for my use case, but I would like it to display all CVEs in my Docker image (unknown, low, medium, high, critical) in the table output. Is this possible?

TomaszOrchowskiCodibly commented 1 year ago

I got around this with something like

      - name: Scan image with trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.image_name }}:${{ env.TAG_NAME }}'
          format: 'sarif'         # without this the file is table output, whose summary line always contains HIGH/CRITICAL
          output: 'trivy-image-scan-results.sarif'
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-image-scan-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi
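A more precise way to get the behaviour asked for in this issue (report every severity, fail only on CRITICAL) is to let Trivy emit a JSON report with `exit-code: '0'` and make the pass/fail decision in a follow-up step instead of grepping a SARIF file. The script below is an added example, not trivy-action's or Trivy's own code. It assumes the scan step used `format: 'json'` and `output: 'trivy-report.json'`; the embedded report is a constructed sample shaped like Trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), with placeholder CVE identifiers.

```python
"""Fail a CI job only on CRITICAL findings while still reporting every severity.

Added example, not trivy-action's or Trivy's own code. It assumes the
preceding workflow step ran Trivy with format: 'json', output:
'trivy-report.json' and exit-code: '0', so the gate decision is made here.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report (not a real scan) so the script runs offline.
# The CVE identifiers are placeholders.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "example.org/app:1.0 (alpine 3.18.4)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
                 "InstalledVersion": "2.3.0-r0", "FixedVersion": "", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
                 "InstalledVersion": "0.9.0-r0", "FixedVersion": "0.9.2-r0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d",
                 "InstalledVersion": "4.1.0-r0", "FixedVersion": "4.1.1-r0", "Severity": "CRITICAL"},
            ],
        },
        # A target with no findings: Trivy omits the Vulnerabilities key here.
        {"Target": "app/requirements.txt"},
    ]
}


def iter_vulnerabilities(report):
    """Yield (target, vulnerability) pairs; tolerate missing or null Results/Vulnerabilities."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def _rank(severity):
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def count_by_severity(report):
    """Return a count for every severity level, including zeros, in Trivy's order."""
    counts = Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulnerabilities(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def render_table(report):
    """Plain-text table of every finding, most severe first."""
    rows = [("Target", "Vulnerability", "Severity", "Package", "Installed", "Fixed")]
    findings = sorted(iter_vulnerabilities(report),
                      key=lambda tv: -_rank(tv[1].get("Severity", "UNKNOWN")))
    for target, v in findings:
        rows.append((target, v.get("VulnerabilityID", ""), v.get("Severity", "UNKNOWN"),
                     v.get("PkgName", ""), v.get("InstalledVersion", ""),
                     v.get("FixedVersion") or "-"))
    widths = [max(len(row[i]) for row in rows) for i in range(len(rows[0]))]
    return "\n".join("  ".join(cell.ljust(w) for cell, w in zip(row, widths)) for row in rows)


def exit_code_for(report, block_on=("CRITICAL",)):
    """1 if any finding has a blocking severity, else 0; lower severities are shown, not blocked."""
    counts = count_by_severity(report)
    return 1 if any(counts.get(sev, 0) for sev in block_on) else 0


def main(argv):
    # With a path argument, gate on a real Trivy JSON report; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print(render_table(report))
    print("Total by severity:",
          ", ".join(f"{s}: {n}" for s, n in count_by_severity(report).items()))
    return exit_code_for(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would sit in a step such as `run: python3 trivy_gate.py trivy-report.json` after the scan step, with the action's `severity` input left at its default so that all levels reach the report. Because the gate reads structured fields rather than matching strings, a summary line or a package name containing "HIGH" cannot trigger a false failure, and the blocking set can be widened (for example `block_on=("HIGH", "CRITICAL")`) without changing how the table is rendered.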