1+ # Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
2+ #
3+ # SPDX-License-Identifier: Apache-2.0
4+ #
5+ # schema documentation: https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions
6+ # yaml-language-server: $schema=https://json.schemastore.org/github-action.json
7+
18name : Trivy
29description : Scan this project using Trivy
310
411# The Trivy team maintains an action, but it has trouble caching its vulnerability data:
512# https://github.com/aquasecurity/trivy-action/issues/389
613#
14+ # 1. It caches vulnerability data once per calendar day, despite Trivy wanting
15+ # to download more frequently than that.
16+ # 2. When it fails to download the data, it fails the workflow *and* caches
17+ # the incomplete data.
18+ # 3. When (1) and (2) coincide, every following run that day *must* update the data,
19+ # producing more opportunities for (2) and more failed workflows.
20+ #
721# The action below uses any recent cache matching `cache-prefix` and calculates a cache key
8- # derived from the data Trivy downloads.
22+ # derived from the data Trivy downloads. An older database is better than no scans at all.
23+ # When a run successfully updates the data, that data is cached and available to other runs.
924
1025inputs :
1126 cache :
1227 default : restore,success,use
1328 description : >-
1429 What Trivy data to cache; one or more of restore, save, success, or use.
30+ The value "use" instructs Trivy to read and write to its cache.
31+ The value "restore" loads the Trivy cache from GitHub.
32+ The value "success" saves the Trivy cache to GitHub when Trivy succeeds.
33+ The value "save" saves the Trivy cache to GitHub regardless of Trivy.
1534
1635 database :
1736 default : update
1837 description : >-
1938 How Trivy should handle its data; one of update or skip.
39+ The value "skip" fetches no Trivy data at all.
2040
2141 setup :
22- default : v0.57 .1,cache
42+ default : v0.62 .1,cache
2343 description : >-
2444 How to install Trivy; one or more of version, none, or cache.
45+ The value "none" does not install Trivy at all.
2546
2647 cache-directory :
2748 default : ${{ github.workspace }}/.cache/trivy
49+ description : >-
50+ Directory where Trivy should store its data
2851
2952 cache-prefix :
3053 default : cache-trivy
54+ description : >-
55+ Name (key) where Trivy data should be stored in the GitHub cache
3156
3257 scan-target :
3358 default : .
59+ description : >-
60+ What Trivy should scan
3461
3562 scan-type :
36- default : filesystem
63+ default : repository
64+ description : >-
65+ How Trivy should interpret scan-target; one of filesystem, image, repository, or sbom.
3766
3867runs :
3968 using : composite
5079 "setup=\(split("[,\\s]+"; "") - [""])",
5180 "version=\(split("[,\\s]+"; "") | max_by(split("[v.]"; "") | map(tonumber?)))"
5281 '
53- ) | tee --append $ GITHUB_OUTPUT
82+ ) | tee --append "${ GITHUB_OUTPUT}"
5483
5584 # Install Trivy as requested.
85+ # NOTE: `setup-trivy` can download a "latest" version but cannot cache it.
5686 - if : ${{ ! contains(fromJSON(steps.parsed.outputs.setup), 'none') }}
5787 uses : aquasecurity/setup-trivy@v0.2.3
5888 with :
@@ -75,12 +105,13 @@ runs:
75105 TRIVY_SKIP_CHECK_UPDATE : ${{ inputs.database == 'skip' }}
76106 TRIVY_SKIP_DB_UPDATE : ${{ inputs.database == 'skip' }}
77107 TRIVY_SKIP_JAVA_DB_UPDATE : ${{ inputs.database == 'skip' }}
108+ TRIVY_SKIP_VEX_REPO_UPDATE : ${{ inputs.database == 'skip' }}
78109 run : |
79110 # Run Trivy
80111 trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
81112
82113 checksum=$([[ -z "${TRIVY_CACHE_DIR}" ]] || cat "${TRIVY_CACHE_DIR}/"*/metadata.json | sha256sum)
83- echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> $ GITHUB_OUTPUT
114+ echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> "${ GITHUB_OUTPUT}"
84115
85116 exit "${result-0}"
86117