Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add token for setup-trivy #421

Merged
merged 5 commits into from
Oct 25, 2024
Merged

feat: add token for setup-trivy #421

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0afdd84
feat: add `token-setup-trivy` input.
DmitriyLewen Oct 22, 2024
6f34622
docs: add info about `token-setup-trivy`
DmitriyLewen Oct 22, 2024
b24edfa
fix: use correct commit
DmitriyLewen Oct 23, 2024
e9e31ed
refactor: use `default: ${{ github.token }}` for `token-setup-trivy`
DmitriyLewen Oct 24, 2024
9960a61
refactor: use `setup-trivy` v0.2.2
DmitriyLewen Oct 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,22 @@ jobs:
skip-setup-trivy: true
```

#### Use non-default token to install Trivy
GitHub Enterprise Server (GHES) uses an invalid `github.token` for `https://github.com` server.
Therefore, you can't install `Trivy` using the `setup-trivy` action.

To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
```yaml
- name: Run Trivy scanner without cache
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
token-setup-trivy: ${{ secrets.GITHUB_PAT }}
```

GitHub even has [create-github-app-token](https://github.com/actions/create-github-app-token) for similar cases.

### Scanning a Tarball
```yaml
name: build
Expand Down Expand Up @@ -754,7 +770,7 @@ Following inputs can be used as `step.with` keys:
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `format` | String | `table` | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
Expand All @@ -769,14 +785,15 @@ Following inputs can be used as `step.with` keys:
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `false` | Suppress progress bar and log output |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values |
| `version` | String | `v0.56.1` | Trivy version to use, e.g. `latest` or `v0.56.1` |
| `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
| `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |

### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
Expand Down
12 changes: 11 additions & 1 deletion action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,16 +107,26 @@ inputs:
description: 'skip calling the setup-trivy action to install trivy'
required: false
default: 'false'
token-setup-trivy:
description: >
`token-setup-trivy` is required when `github.token` in invalid for `https://github.com` server.
See https://github.com/aquasecurity/setup-trivy/?tab=readme-ov-file#install-trivy-with-non-default-token for more details.
`token-setup-trivy` is only used to fetch the Trivy repository in `setup-trivy`
required: false
## ${{ github.token }} is default value for actions/checkout
## cf. https://github.com/actions/checkout/blob/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871/action.yml#L24
default: ${{ github.token }}

runs:
using: 'composite'
steps:
- name: Install Trivy
if: ${{ inputs.skip-setup-trivy == 'false' }}
uses: aquasecurity/setup-trivy@v0.2.1
uses: aquasecurity/setup-trivy@v0.2.2
with:
version: ${{ inputs.version }}
cache: ${{ inputs.cache }}
token: ${{ inputs.token-setup-trivy }}

- name: Get current date
id: date
Expand Down
Loading