Open ameurmeddeb-zero opened 10 months ago
Hi @ameurmeddeb-zero. I don't think this is possible with trivy; `trivy fs` will scan all files and directories recursively. If you wanted to scan just Terraform you could do `trivy config` (`scan-type: config`). The fetch with `--depth` will still include all of the files from your git repository; however, the git history will be incomplete.
You could possibly do this by using `git diff` on the current versus the last commit and by piping the paths into Trivy. But I don't see why this would be useful.
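One way to do what the comment above describes (diff the latest commit against its parent and hand only those paths to Trivy), written here as an added example that is not from this thread or from trivy-action. The file-extension filter, the staging-directory approach and the `trivy config` invocation are my assumptions, not the action's behaviour:

```shell
#!/usr/bin/env bash
# Added example: scan only the files touched by the latest commit by feeding
# `git diff` output into `trivy config` via a scratch directory.
set -eu

# Keep only file types `trivy config` can parse. Assumption: the repo's IaC
# lives in these extensions; adjust the pattern to the repository.
filter_config_paths() {
  grep -E '\.(tf|tfvars|ya?ml|json|hcl)$|(^|/)Dockerfile$' || true
}

# Paths added/copied/modified/renamed between two revisions
# (defaults: the last commit versus its parent). Requires a depth >= 2 clone.
changed_paths() {
  base="${1:-HEAD~1}"; head="${2:-HEAD}"
  git diff --name-only --diff-filter=ACMR "$base" "$head"
}

# Copy the paths read from stdin into $1, preserving their relative layout,
# so Trivy sees only those files. Paths that no longer exist are skipped.
stage_paths() {
  dest="$1"
  while IFS= read -r path; do
    [ -f "$path" ] || continue
    mkdir -p "$dest/$(dirname "$path")"
    cp "$path" "$dest/$path"
  done
}

# Glue: collect, filter, stage, scan. Exits cleanly when nothing relevant changed.
scan_changed() {
  stage="$(mktemp -d)"
  changed_paths "$@" | filter_config_paths | stage_paths "$stage"
  if [ -z "$(ls -A "$stage")" ]; then
    echo "no config files changed; skipping trivy"
    return 0
  fi
  trivy config --severity CRITICAL,HIGH "$stage"
}
```

Scanning the staged copies in isolation drops the surrounding modules and variable files, so misconfigurations that depend on cross-file context will not be reported; that is the trade-off behind the "why would this be useful" remark.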
Hello @kderck :wave:
I need to create the same functionality: having trivy run solely on the committed files. I understand this may not be part of the action feature, and that it is more focused on having a periodic full scan that would report back to GitHub code scanning. ref.
Having a closer look, it looks like the code can easily be patched by adding an additional command line argument [for a file path](https://github.com/aquasecurity/trivy-action/blob/1f6384b6ceecbbc6673526f865b818a2a06b07c9/entrypoint.sh#L196C4-L196C57). Is this something you are thinking of adding?
I'm encountering an issue where Trivy scans the entire repository instead of just the changed files or the latest commits.
I initially attempted the `fetch-depth: 1` method in the checkout action, but this did not limit the scan to recent changes. Subsequently, I tried the shallow cloning approach I have used with TruffleHog, but Trivy still scanned the entire repository instead of focusing on the modified files (new commits).
What am I doing wrong, or how else can I achieve my goal (scanning only the changed files and the pushed code)?
I am not able to scan just the changed files / latest commits with trivy. On every scan the whole repo is scanned.
What am I doing wrong, or how can I achieve my intention?
I first tested the checkout `fetch-depth: 1` way, which was not working:
```yaml
name: IaC scan
runs-on: ubuntu-latest
steps:
  - uses: actions/checkout@v4
    name: Checkout
    with:
      fetch-depth: 1
  - name: Run Trivy static analysis
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: 'fs'
      scanners: 'config'
      ignore-unfixed: false
      format: 'table'
      vuln-type: 'os,library'
      severity: 'CRITICAL'
```
```yaml
name: IAC Scan with Trivy
runs-on: ubuntu-latest
steps:
  - name: File Change Detection
    shell: bash
    run: |
      if [ "${{ github.event_name }}" == "push" ]; then
        echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
        echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
      fi
      if [ "${{ github.event_name }}" == "pull_request" ]; then
        echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
        echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
      fi
  - uses: actions/checkout@v4
    with:
      ref: ${{ env.branch }}
      fetch-depth: ${{ env.depth }}
  - name: Run Trivy static analysis
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: 'fs'
      format: 'table'
      severity: 'CRITICAL,HIGH'
```