Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: set envs only when passed #405

Merged
merged 3 commits into from
Oct 11, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -669,7 +669,7 @@ Following inputs can be used as `step.with` keys:
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory |
| `cache-dir` | String | `$GITHUB_WORKSPACE/.cache/trivy` | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`. |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `false` | Suppress progress bar and log output |
Expand Down
60 changes: 40 additions & 20 deletions action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,45 @@ runs:
env:
GITHUB_ACTION_PATH: ${{ github.action_path }}

- name: Set Trivy environment variables
shell: bash
run: |
# Note: There is currently no way to distinguish between undefined variables and empty strings in GitHub Actions.
# This limitation affects how we handle default values and empty inputs.
# For more information, see: https://github.com/actions/runner/issues/924

# Function to set environment variable only if the input is provided and different from default
set_env_var_if_provided() {
local var_name="$1"
local input_value="$2"
local default_value="$3"

if [ ! -z "$input_value" ] && [ "$input_value" != "$default_value" ]; then
echo "$var_name=$input_value" >> $GITHUB_ENV
fi
}

# Set environment variables, handling those with default values
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
set_env_var_if_provided "TRIVY_INPUT" "${{ inputs.input }}" ""
set_env_var_if_provided "TRIVY_EXIT_CODE" "${{ inputs.exit-code }}" ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it isn't set, is the default equivalent to a zero for this case?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm aware that would be the default Trivy behavior (if exit code is not specified), I am just not sure how GitHub Actions interprets an empty string in this case.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it isn't set, is the default equivalent to a zero for this case?

The action will not set TRIVY_EXIT_CODE and Trivy CLI just uses the default value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am just not sure how GitHub Actions interprets an empty string in this case.

If the input is empty or the same as a default value, it doesn't set an environment variable.

set_env_var_if_provided "TRIVY_IGNORE_UNFIXED" "${{ inputs.ignore-unfixed }}" "false"
set_env_var_if_provided "TRIVY_PKG_TYPES" "${{ inputs.vuln-type }}" "os,library"
set_env_var_if_provided "TRIVY_SEVERITY" "${{ inputs.severity }}" "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was looking for it, but I couldn't. I'll try it. Thanks.

Copy link
Contributor Author

@knqyf263 knqyf263 Oct 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, this is just a document about syntax of action.yaml. I don't think it's available, but I'll give it a shot.

Copy link
Contributor Author

@knqyf263 knqyf263 Oct 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't work. An empty string is filled.
1a12292

CleanShot 2024-10-09 at 13 59 27

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. Thanks that you checked that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a bummer.... 🫤

set_env_var_if_provided "TRIVY_FORMAT" "${{ inputs.format }}" "table"
set_env_var_if_provided "TRIVY_TEMPLATE" "${{ inputs.template }}" ""
set_env_var_if_provided "TRIVY_OUTPUT" "${{ inputs.output }}" ""
set_env_var_if_provided "TRIVY_SKIP_DIRS" "${{ inputs.skip-dirs }}" ""
set_env_var_if_provided "TRIVY_SKIP_FILES" "${{ inputs.skip-files }}" ""
set_env_var_if_provided "TRIVY_TIMEOUT" "${{ inputs.timeout }}" ""
set_env_var_if_provided "TRIVY_IGNORE_POLICY" "${{ inputs.ignore-policy }}" ""
set_env_var_if_provided "TRIVY_QUIET" "${{ inputs.hide-progress }}" ""
set_env_var_if_provided "TRIVY_LIST_ALL_PKGS" "${{ inputs.list-all-pkgs }}" "false"
set_env_var_if_provided "TRIVY_SCANNERS" "${{ inputs.scanners }}" ""
set_env_var_if_provided "TRIVY_CONFIG" "${{ inputs.trivy-config }}" ""
set_env_var_if_provided "TRIVY_TF_VARS" "${{ inputs.tf-vars }}" ""
set_env_var_if_provided "TRIVY_DOCKER_HOST" "${{ inputs.docker-host }}" ""

- name: Run Trivy
shell: bash
run: entrypoint.sh
Expand All @@ -145,23 +184,4 @@ runs:
INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}

# For Trivy
# cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
TRIVY_INPUT: ${{ inputs.input }}
TRIVY_EXIT_CODE: ${{ inputs.exit-code }}
TRIVY_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
TRIVY_PKG_TYPES: ${{ inputs.vuln-type }}
TRIVY_SEVERITY: ${{ inputs.severity }}
TRIVY_FORMAT: ${{ inputs.format }}
TRIVY_TEMPLATE: ${{ inputs.template }}
TRIVY_OUTPUT: ${{ inputs.output }}
TRIVY_SKIP_DIRS: ${{ inputs.skip-dirs }}
TRIVY_SKIP_FILES: ${{ inputs.skip-files }}
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }}
TRIVY_TIMEOUT: ${{ inputs.timeout }}
TRIVY_IGNORE_POLICY: ${{ inputs.ignore-policy }}
TRIVY_QUIET: ${{ inputs.hide-progress }}
TRIVY_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }}
TRIVY_SCANNERS: ${{ inputs.scanners }}
TRIVY_CONFIG: ${{ inputs.trivy-config }}
TRIVY_TF_VARS: ${{ inputs.tf-vars }}
TRIVY_DOCKER_HOST: ${{ inputs.docker-host }}
TRIVY_CACHE_DIR: ${{ inputs.cache-dir }} # Always set
Loading