This is a GitHub Action that scans a container image for vulnerabilities using Trivy.
If Trivy finds vulnerabilities, the action creates a GitHub Issue that lists them.
Parameter | Required | Default Value | Description |
---|---|---|---|
trivy_version | False | latest | Trivy version |
image | True | N/A | The target image name to scan. Specify this parameter or the IMAGE_NAME environment variable |
severity | False | HIGH,CRITICAL | Severities of vulnerabilities to report (separated by comma) |
vuln_type | False | os,library | Scan targets: os and/or library (separated by comma) |
timeout | False | 5m0s | Scan timeout. If your scan times out, try increasing this value, for example 15m |
ignore_unfixed | False | false | Ignore vulnerabilities that have no fix available yet. Specify true or false |
issue | False | true | Whether to create an issue when Trivy finds vulnerabilities. Specify true or false |
token | True if issue parameter is true, else False | N/A | GitHub Access Token. ${{ secrets.GITHUB_TOKEN }} is recommended |
issue_title | False | Security Alert | Issue title |
issue_label | False | trivy,vulnerability | Issue labels (separated by comma) |
issue_assignee | False | N/A | Issue assignees (separated by comma) |
fail_on_vulnerabilities | False | false | Whether the action should fail if any vulnerabilities were found |
Parameter | Description |
---|---|
html_url | The URL to view the issue |
issue_number | The created issue number |
Detect vulnerabilities in your Docker image every day at 9:00 (UTC).

```yaml
name: Vulnerability Scan
on:
  schedule:
    - cron: '0 9 * * *'
jobs:
  scan:
    name: Daily Vulnerability Scan
    runs-on: ubuntu-18.04
    steps:
      - name: Pull docker image
        run: docker pull sample
      - uses: yokawasa/gitrivy@v3.0.5
        with:
          trivy_version: 0.20.2
          token: ${{ secrets.GITHUB_TOKEN }}
          image: python:3.4-alpine
          ignore_unfixed: true
          issue: true
```
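The scheduled workflow above only opens an issue. The following workflow, an added example that is not part of the original README, shows the other half of the inputs and outputs tables: it pins the Trivy version, grants the workflow token only the permissions the action needs, turns on `fail_on_vulnerabilities` so a push with HIGH or CRITICAL findings fails the job, and reads the `issue_number` and `html_url` outputs from a later step. The image name `myapp`, the step id `scan`, and the assumption that the action still publishes its outputs when it fails the step are this example's own choices, not something the README states.

```yaml
name: Image Scan on Push

on:
  push:
    branches: [main]

jobs:
  scan:
    name: Build and scan image
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: the action only needs to open issues.
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v3

      # Hypothetical image built from the repository's own Dockerfile.
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Scan with Trivy and open an issue on findings
        id: scan
        uses: yokawasa/gitrivy@v3.0.5
        with:
          # Pin the scanner version so results are reproducible across runs.
          trivy_version: 0.20.2
          token: ${{ secrets.GITHUB_TOKEN }}
          image: myapp:${{ github.sha }}
          severity: HIGH,CRITICAL
          vuln_type: os,library
          # Report unfixed findings too; they still describe real exposure.
          ignore_unfixed: false
          # Larger images can exceed the 5m0s default.
          timeout: 15m
          issue: true
          issue_title: "Security Alert: myapp"
          issue_label: trivy,vulnerability
          # Fail the job so the push does not pass CI with known findings.
          fail_on_vulnerabilities: true

      # Runs even though the scan step failed; assumes (not stated in the
      # README) that the outputs are set before the step is marked failed.
      - name: Report the issue that was opened
        if: always() && steps.scan.outputs.issue_number != ''
        run: |
          echo "Vulnerabilities found; tracked in issue #${{ steps.scan.outputs.issue_number }}"
          echo "See ${{ steps.scan.outputs.html_url }}"
```

The `permissions` block matters when the repository's default `GITHUB_TOKEN` permissions are read-only: without `issues: write` the action cannot create the issue and the run fails for a reason unrelated to the scan result.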