Project | Stars | Downloads / Repos / Packages Using This | Most Recent Commit | Total Releases | Latest Release | Open Issues | License | Language | Description
---|---|---|---|---|---|---|---|---|---
Trivy | 16,711 | 25 | 13 hours ago | 176 | September 16, 2022 | 383 | apache-2.0 | Go | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Vuls | 9,862 | | 2 days ago | 142 | September 02, 2022 | 80 | gpl-3.0 | Go | Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
Wpscan | 7,407 | | 5 days ago | | | 50 | other | Ruby | WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected]
Scanners Box | 7,014 | | a month ago | | | 2 | | | A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners written by security-industry practitioners
Nuclei Templates | 5,974 | | 12 hours ago | | | 171 | mit | | Community curated list of templates for the nuclei engine to find security vulnerabilities.
Grype | 5,413 | 6 | 17 hours ago | 161 | September 20, 2022 | 205 | apache-2.0 | Go | A vulnerability scanner for container images and filesystems
Poc In Github | 4,796 | | a day ago | | | 9 | | | 📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
Awesome Web Hacking | 4,260 | | 6 months ago | | | 1 | mit | | A list of web application security
W3af | 4,142 | | a month ago | | | 1,984 | | Python | w3af: web application attack and audit framework, the open source web vulnerability scanner.
Kube Hunter | 4,030 | 2 | 4 months ago | 17 | May 12, 2022 | 68 | apache-2.0 | Python | Hunt for security weaknesses in Kubernetes clusters
GitHub Action for Trivy
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
```
The same pipeline, scanning the checked-out tree in `fs` mode and driven by a checked-in `trivy.yaml` instead of individual action inputs:

```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: trivy.yaml
```
In this case `trivy.yaml` is a YAML configuration file that is checked in as part of the repository. Detailed information is available on the Trivy website, but an example is as follows:

```yaml
format: json
exit-code: 1
severity: CRITICAL
```

It is possible to define all options in the `trivy.yaml` file; specifying individual options via the action inputs is kept only for backward compatibility. The following inputs must still be set on the action, because they cannot be defined in the config file:

- `scan-ref`: the target when using `fs` or `repo` scans
- `image-ref`: the target when using `image` scans
- `scan-type`: the scan type, e.g. `image`, `fs`, `repo`, etc.

Trivy uses Viper, which has a defined precedence order for options. From highest to lowest priority the order is: an explicit `Set` call, a command-line flag, an environment variable, the config file, a key/value store, and finally the default. Since the action turns its inputs into CLI flags, an option given as an action input overrides the same option in `trivy.yaml`.
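As an added example (not from the trivy-action project's README), the following pairs a checked-in `trivy.yaml` that carries the scan policy with a workflow that supplies only the inputs the config file cannot hold. `severity` and `exit-code` are the keys the page's own example uses; `ignore-unfixed`, `timeout` and `skip-dirs` are assumed to mirror the CLI flags of the same name. The action refs `actions/checkout@v3`, `aquasecurity/trivy-action@master` and `github/codeql-action/upload-sarif@v2` are the publicly available ones; pin them to a commit SHA in a real pipeline.

```yaml
# trivy.yaml, checked in at the repository root (example policy, not Trivy's defaults).
# `severity` and `exit-code` appear in the page's own example; `ignore-unfixed`,
# `timeout` and `skip-dirs` are assumed to mirror the CLI flags of the same name.
severity: CRITICAL,HIGH
exit-code: 1
ignore-unfixed: true
timeout: 10m
skip-dirs:
  - testdata
  - docs

---
# .github/workflows/trivy.yml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      # Only the inputs the config file cannot carry are given here: scan-type and
      # scan-ref select what to scan, trivy-config points at the policy file.
      # Output plumbing stays in the workflow so the SARIF path is visible to the
      # upload step below.
      - name: Run Trivy against the checked-out tree
        uses: aquasecurity/trivy-action@master   # pin to a tag or commit SHA in production
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: trivy.yaml
          format: 'sarif'
          output: 'trivy-results.sarif'

      # exit-code: 1 in trivy.yaml fails the step above on any HIGH/CRITICAL finding;
      # always() keeps the upload running so the findings still reach the Security tab.
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```

Keeping the policy (severities, exit code, skipped paths) in `trivy.yaml` means a change to what the pipeline blocks on shows up as a reviewable diff to one file. If a `severity` input were also added to the action step, it would win over the file, because the action passes inputs as CLI flags and Viper ranks flags above the config file.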
Scanning an image that has been saved as a tarball:

```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Generate tarball from image
        run: |
          docker pull <your-docker-image>
          docker save -o vuln-image.tar <your-docker-image>

      - name: Run Trivy vulnerability scanner in tarball mode
        uses: aquasecurity/[email protected]
        with:
          input: /github/workspace/vuln-image.tar
          severity: 'CRITICAL,HIGH'
```
If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
If you would like to upload SARIF results to GitHub Code Scanning even when the Trivy scan step exits with a non-zero code, add `if: always()` to your upload step, as in the following workflow:

```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
```
See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build-time check on each PR that gets opened in your repo, so that vulnerabilities a PR would introduce are identified before it is merged.
If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
It's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build-time check on each PR that gets opened in your repo, so that vulnerabilities a PR would introduce are identified before it is merged.
If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner with rootfs command
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'rootfs'
          scan-ref: 'rootfs-example-binary'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
It's also possible to scan your IaC repos with Trivy's built-in config scan. This can be handy if you want to run Trivy as a build-time check on each PR that gets opened in your repo, so that misconfigurations a PR would introduce are identified before it is merged.
If you have GitHub code scanning available you can use Trivy as a scanning tool as follows:
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
Trivy can also generate an SBOM of your dependencies and submit it to a consumer such as GitHub Dependency Snapshot.
Sending an SBOM to GitHub is only available if GitHub Dependency Snapshot is enabled for your repository.
In order to send results to GitHub Dependency Snapshot you will need to create a GitHub PAT; store it as a repository secret and reference it from the workflow rather than writing the token into the file.
```yaml
---
name: Pull Request
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Checks
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'fs'
          format: 'github'
          output: 'dependency-results.sbom.json'
          image-ref: '.'
          github-pat: '<github_pat_token>'
```
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set environment variables.
Docker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
You don't need to set environment variables when pulling from a public repository.
The values below are placeholders; in a real workflow keep the credentials in repository secrets and pass them with `${{ secrets.<NAME> }}` instead of literals.
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          TRIVY_USERNAME: Username
          TRIVY_PASSWORD: Password

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
For Amazon ECR, Trivy uses the AWS SDK, so you don't need to install the `aws` CLI tool.
You can use the AWS CLI's environment variables. Prefer short-lived credentials (for example via GitHub's OIDC integration with AWS) to long-lived access keys stored as secrets:
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          AWS_ACCESS_KEY_ID: key_id
          AWS_SECRET_ACCESS_KEY: access_key
          AWS_DEFAULT_REGION: us-west-2

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
For Google Container Registry, Trivy uses the Google Cloud SDK, so you don't need to install the `gcloud` command.
If you want to use the target project's repository, you can point Trivy at a service-account key file via `GOOGLE_APPLICATION_CREDENTIAL`:
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
A self-hosted registry protected by basic auth needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
If you want to use port 80 without TLS, set `TRIVY_NON_SSL=true`; note that the credentials then travel in clear text, so restrict this to trusted networks.
```yaml
name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          TRIVY_USERNAME: Username
          TRIVY_PASSWORD: Password

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'
```
The following inputs can be used as `step.with` keys:

Name | Type | Default | Description
---|---|---|---
scan-type | String | image | Scan type, e.g. image or fs
input | String | | Tar reference, e.g. alpine-latest.tar
image-ref | String | | Image reference, e.g. alpine:3.10.2
scan-ref | String | /github/workspace/ | Scan reference, e.g. /github/workspace/ or .
format | String | table | Output format (table, json, sarif, github)
template | String | | Output template (@/contrib/gitlab.tpl, @/contrib/junit.tpl)
output | String | | Save results to a file
exit-code | String | 0 | Exit code when specified vulnerabilities are found
ignore-unfixed | Boolean | false | Ignore unpatched/unfixed vulnerabilities
vuln-type | String | os,library | Vulnerability types (os,library)
severity | String | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | Severities of vulnerabilities to scan for and display
skip-dirs | String | | Comma-separated list of directories where traversal is skipped
skip-files | String | | Comma-separated list of files where traversal is skipped
cache-dir | String | | Cache directory
timeout | String | 5m0s | Scan timeout duration
ignore-policy | String | | Filter vulnerabilities with an OPA Rego policy
hide-progress | String | true | Suppress progress bar
list-all-pkgs | String | | Output all packages regardless of vulnerability
scanners | String | vuln,secret | Comma-separated list of what security issues to detect (vuln, secret, config)
trivyignores | String | | Comma-separated list of relative paths in the repository to one or more .trivyignore files
trivy-config | String | | Path to trivy.yaml config
github-pat | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots
limit-severities-for-sarif | Boolean | false | By default SARIF output contains all vulnerabilities regardless of the configured severities. To override this behavior, set this parameter to true
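As an added example (not part of the trivy-action README), the workflow below exercises the filtering inputs from the table together: `skip-dirs`, `trivyignores`, `ignore-policy` and `limit-severities-for-sarif`. The `.trivy/` directory, the package names in the Rego policy and the file names are constructed for this example; the policy follows Trivy's documented `package trivy` / `ignore` rule shape, where each finding is evaluated as `input` and dropped when `ignore` is true. The action refs are the public `actions/checkout@v3`, `aquasecurity/trivy-action@master` and `github/codeql-action/upload-sarif@v2`.

```yaml
name: trivy-tuned-scan
on:
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      # Constructed for this example: the suppression files are generated in the
      # job so the workflow runs stand-alone. In a real repository commit them,
      # so accepted risk is reviewed like any other change.
      - name: Write suppression files
        run: |
          mkdir -p .trivy
          # Rego policy: drop findings in packages the team has risk-reviewed.
          cat > .trivy/ignore.rego <<'EOF'
          package trivy

          default ignore = false

          # Example package names; replace with the packages your review covered.
          reviewed_pkgs := {"vim-minimal", "bind-license"}

          ignore {
            input.PkgName == reviewed_pkgs[_]
          }
          EOF
          # .trivyignore format: one vulnerability ID per line, '#' starts a comment.
          cat > .trivy/accepted.trivyignore <<'EOF'
          # CVE-YYYY-NNNNN   <- placeholder: list individually accepted IDs here
          EOF

      - name: Run Trivy in fs mode with tuned filters
        uses: aquasecurity/trivy-action@master   # pin to a tag or commit SHA in production
        with:
          scan-type: 'fs'
          scan-ref: '.'
          # Paths that never ship (test fixtures, vendored docs) are not walked.
          skip-dirs: 'testdata,docs'
          # Accepted vulnerability IDs, concatenated by the action into one ignore file.
          trivyignores: '.trivy/accepted.trivyignore'
          # Package-level suppression via the Rego policy written above.
          ignore-policy: '.trivy/ignore.rego'
          ignore-unfixed: true
          severity: 'HIGH,CRITICAL'
          format: 'sarif'
          output: 'trivy-results.sarif'
          # Without this the SARIF would still list LOW/MEDIUM findings.
          limit-severities-for-sarif: true
          exit-code: '1'

      - name: Upload results even when the scan step fails
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```

The two suppression mechanisms serve different purposes: `trivyignores` silences specific vulnerability IDs, while `ignore-policy` lets a rule decide per finding (here by package name, but any field of the finding is available as `input`). Both remove findings from the exit-code decision as well as from the SARIF, so keep the files small and reviewed.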