aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

trivy-config input is not respected anymore #416

Open marcrohlfs opened 4 days ago

marcrohlfs commented 4 days ago

We prefer having our Trivy configurations in trivy.yaml config files over passing the configurations via action inputs. It's more flexible (we can use configurations we couldn't when using the inputs) and the GitHub workflow code looks a bit cleaner. This worked fine until now, but after we updated to v0.26.0, the configurations in the trivy.yaml are not respected anymore. After #399 has been merged and released, the trivy-config input still exists, but it's not passed to the entrypoint.sh anymore, nor used in there.

Please re-implement passing the trivy-config to the Trivy command.

Remark: Looks like some more inputs got lost, but they could also be configured via trivy.yaml.

As an example, our Trivy actions look like this:

      - name: Run Trivy image scan
        uses: aquasecurity/trivy-action@0.26.0
        with:
          scan-type: image
          image-ref: my-image
          trivy-config: .github/workflows/config/trivy.yaml

And the trivy.yaml:

format: sarif
output: trivy-results.sarif

ignorefile: .github/workflows/config/trivyignores.txt

severity:
  - MEDIUM
  - HIGH
  - CRITICAL

scan:
  skip-files:
    - /prometheus/jmx_prometheus_javaagent.jar
    - /usr/bin/confd

pkg-types:
  - library
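To make concrete what "passing the trivy-config to the Trivy command" means, here is an added POSIX shell example that is not the action's own entrypoint.sh: it composes the trivy command line from the three inputs used in the workflow above (scan-type, image-ref, trivy-config), forwards the config path via Trivy's --config flag, and fails loudly when the path does not point at a readable file, so a typo in the input cannot silently fall back to default settings (which would, for instance, drop the severity filter and ignorefile from trivy.yaml). The INPUT_* environment variable names, build_trivy_args and run_trivy are assumed names for this example; the trivy.yaml written at the end is constructed sample data.

```shell
#!/bin/sh
# Added example, not the trivy-action's entrypoint.sh. Shows one way an
# entrypoint can forward the trivy-config input to `trivy --config`.
# INPUT_SCAN_TYPE / INPUT_IMAGE_REF / INPUT_TRIVY_CONFIG are assumed names.

# build_trivy_args SCAN_TYPE TARGET [CONFIG_PATH]
# Prints the argument string for `trivy` on stdout.
# Returns 1 when a config path is given but is not a readable regular file,
# so a wrong trivy-config input fails the job instead of scanning with defaults.
# Limitation: the composed string is word-split later, so paths containing
# whitespace are not supported by this sketch.
build_trivy_args() {
  scan_type="$1"
  target="$2"
  config_path="$3"
  args="$scan_type"
  if [ -n "$config_path" ]; then
    if [ ! -f "$config_path" ] || [ ! -r "$config_path" ]; then
      echo "trivy-config '$config_path' is not a readable file" >&2
      return 1
    fi
    args="$args --config $config_path"
  fi
  echo "$args $target"
}

# run_trivy wires the action inputs to the real binary. It is only called when
# RUN_TRIVY_EXAMPLE=1, so the functions can be sourced and tested without Trivy.
run_trivy() {
  args=$(build_trivy_args "${INPUT_SCAN_TYPE:-image}" "$INPUT_IMAGE_REF" "$INPUT_TRIVY_CONFIG") || exit 1
  # shellcheck disable=SC2086  # word splitting of the composed args is intended
  exec trivy $args
}

if [ "${RUN_TRIVY_EXAMPLE:-0}" = "1" ]; then
  run_trivy
fi

# Dry-run demonstration with a constructed trivy.yaml (no Trivy binary needed).
demo_dir=$(mktemp -d)
printf 'format: sarif\noutput: trivy-results.sarif\n' > "$demo_dir/trivy.yaml"
echo "would run: trivy $(build_trivy_args image my-image "$demo_dir/trivy.yaml")"
rm -rf "$demo_dir"
```

With the inputs from the workflow above the dry run prints `would run: trivy image --config <dir>/trivy.yaml my-image`; set `RUN_TRIVY_EXAMPLE=1` with the `INPUT_*` variables exported to actually exec Trivy. The point of the existence check is that Trivy's config file carries security-relevant settings (severity threshold, ignorefile, skipped paths), so an input that is silently dropped changes what the scan reports without any visible error in the job log.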

nikpivkin commented 4 days ago

Hi @marcrohlfs !

Have you tried updating the action to the latest 0.28 version? It works for me.

2024-10-16T13:09:20Z    INFO    Loaded  file_path=".github/workflows/config/trivy.yaml"