feat: Allow skipping setup (#414)

If a user is invoking the action multiple times then the trivy binary gets installed multiple times. Users can avoid this by managing the installation themselves and setting the skip-setup input to true, or by letting the action install in on their first invocation and then setting skip-setup to true on subsequent invocations Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
aquasecurity · Oct 16, 2024 · fc1500a · fc1500a
1 parent 915b19b
commit fc1500a
Show file tree

Hide file tree

Showing 2 changed files with 98 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@
   * [Scan CI Pipeline](#scan-ci-pipeline)
   * [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)
   * [Cache](#cache)
+  * [Trivy Setup](#trivy-setup)
   * [Scanning a Tarball](#scanning-a-tarball)
   * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)
   * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)
@@ -184,6 +185,97 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T
         TRIVY_SKIP_JAVA_DB_UPDATE: true
 ```
 
+### Trivy Setup
+By default the action calls [`aquasecurity/setup-trivy`](https://github.com/aquasecurity/setup-trivy) as the first step
+which installs the `trivy` version specified by the `version` input.  If you have already installed `trivy` by other
+means, e.g. calling `aquasecurity/setup-trivy` directly, or are invoking this action multiple times then you can use the
+`skip-setup-trivy` input to disable this step.
+
+#### Setting up Trivy Manually
+```yaml
+name: build
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Manual Trivy Setup
+      uses: aquasecurity/setup-trivy@v0.2.0
+      with:
+        cache: true
+        version: v0.56.1
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL'
+        skip-setup-trivy: true
+```
+
+#### Skipping Setup when Calling Trivy Action multiple times
+Another common use case is when a build calls this action multiple times, in this case we can set `skip-setup-trivy` to 
+`true` on subsequent invocations e.g.
+
+```yaml
+name: build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+
+      # The first call to the action will invoke setup-trivy and install trivy
+      - name: Generate Trivy Vulnerability Report
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          output: trivy-report.json
+          format: json
+          scan-ref: .
+          exit-code: 0
+
+      - name: Upload Vulnerability Scan Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-report.json
+          retention-days: 30
+
+      - name: Fail build on High/Criticial Vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          format: table
+          scan-ref: .
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: 1
+          # On a subsequent call to the action we know trivy is already installed so can skip this
+          skip-setup-trivy: true
+```
+
 ### Scanning a Tarball
 ```yaml
 name: build
@@ -681,6 +773,7 @@ Following inputs can be used as `step.with` keys:
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values                                      |
 | `version`                    | String  | `v0.56.1`                          | Trivy version to use, e.g. `latest` or `v0.56.1`                                                                                                               |
+| `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                       |
 
 ### Environment variables
 You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).

diff --git a/action.yaml b/action.yaml
@@ -103,11 +103,16 @@ inputs:
     description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
     required: false
     default: 'true'
+  skip-setup-trivy:
+    description: 'skip calling the setup-trivy action to install trivy'
+    required: false
+    default: 'false'
 
 runs:
   using: 'composite'
   steps:
     - name: Install Trivy
+      if: ${{ inputs.skip-setup-trivy == 'false' }}
       uses: aquasecurity/setup-trivy@v0.2.1
       with:
         version: ${{ inputs.version }}