{"id":13539688,"url":"https://github.com/aquasecurity/trivy-action","last_synced_at":"2026-04-01T19:31:02.873Z","repository":{"id":37053527,"uuid":"268833180","full_name":"aquasecurity/trivy-action","owner":"aquasecurity","description":"Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities","archived":false,"fork":false,"pushed_at":"2026-03-20T07:11:31.000Z","size":849,"stargazers_count":1269,"open_issues_count":177,"forks_count":324,"subscribers_count":13,"default_branch":"master","last_synced_at":"2026-03-27T20:24:16.201Z","etag":null,"topics":["devsecops","github-actions","scanner","scanning","security","tools","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-06-02T15:06:38.000Z","updated_at":"2026-03-27T09:44:49.000Z","dependencies_parsed_at":"2023-01-04T12:47:14.330Z","dependency_job_id":"b8c1623d-3d01-49ab-aa14-cd89535d2b06","html_url":"https://github.com/aquasecurity/trivy-action","commit_stats":{"total_commits":160,"total_committers":67,"mean_commits":2.388059701492537,"dds":0.725,"last_synced_commit":"18f2510ee396bbf400402947b394f2dd8c87dbb0"},"previous_names":[],"tags_count":150,"template":false,"template_full_name":null,"purl":"pkg:github/aquasecurity/trivy-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecu
rity%2Ftrivy-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftrivy-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftrivy-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftrivy-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/trivy-action/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftrivy-action/sbom","scorecard":{"id":204690,"data":{"date":"2025-08-11","repo":{"name":"github.com/aquasecurity/trivy-action","commit":"77137e9dc3ab1b329b7c8a38c2eb7475850a14e8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.4,"checks":[{"name":"Maintained","score":7,"reason":"6 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not 
detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":9,"reason":"Found 28/30 approved changesets -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bump-trivy.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/bump-trivy.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/bump-trivy.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/bump-trivy.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-trivy-checks.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/sync-trivy-checks.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-trivy-checks.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/sync-trivy-checks.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-trivy-db.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/sync-trivy-db.yaml/master?enable=pin","Warn: third-party 
GitHubAction not pinned by hash: .github/workflows/sync-trivy-db.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/sync-trivy-db.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-trivy-java-db.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/sync-trivy-java-db.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-trivy-java-db.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/sync-trivy-java-db.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/test.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/trivy-action/test.yaml/master?enable=pin","Warn: downloadThenRun not pinned by hash: .github/workflows/test.yaml:23","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/bump-trivy.yaml:1","Warn: no topLevel permission defined: .github/workflows/sync-trivy-checks.yaml:1","Warn: no topLevel permission defined: .github/workflows/sync-trivy-db.yaml:1","Warn: no topLevel 
permission defined: .github/workflows/sync-trivy-java-db.yaml:1","Warn: no topLevel permission defined: .github/workflows/test.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T23:27:56.331Z","repository_id":37053527,"created_at":"2025-08-16T23:27:56.331Z","updated_at":"2025-08-16T23:27:56.331Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31111464,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-28T15:10:22.084Z","status":"ssl_error","status_checked_at":"2026-03-28T15:09:59.994Z","response_time":79,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","github-actions","scanner","scanning","security","tools","vulnerability"],"created_at":"2024-08-01T09:01:30.392Z","updated_at":"2026-04-01T19:31:02.856Z","avatar_url":"https://github.com/aquasecurity.png","language":"Shell","funding_links":[],"categories":["Shell","security","Security \u0026 Compliance","📖 Category Details","五、按场景分类的实用Action"],"sub_categories":["**4. Cybersecurity (DevSecOps)**","7. 安全与合规"],"readme":"# Trivy Action\n\n\u003e [GitHub Action](https://github.com/features/actions) for [Trivy](https://github.com/aquasecurity/trivy)\n\n[![GitHub Release][release-img]][release]\n[![GitHub Marketplace][marketplace-img]][marketplace]\n[![License][license-img]][license]\n\n![](docs/images/trivy-action.png)\n\n## Table of Contents\n\n* [Usage](#usage)\n  * [Scan CI Pipeline](#scan-ci-pipeline)\n  * [Scan CI Pipeline (w/ Trivy Config)](#scan-ci-pipeline-w-trivy-config)\n  * [Cache](#cache)\n  * [Trivy Setup](#trivy-setup)\n  * [Scanning a Tarball](#scanning-a-tarball)\n  * [Using Trivy with templates](#using-trivy-with-templates)\n  * [Using Trivy with GitHub Code Scanning](#using-trivy-with-github-code-scanning)\n  * [Using Trivy to scan your Git repo](#using-trivy-to-scan-your-git-repo)\n  * [Using Trivy to scan your rootfs directories](#using-trivy-to-scan-your-rootfs-directories)\n  * [Using Trivy to scan Infrastructure as Code](#using-trivy-to-scan-infrastructure-as-code)\n  * [Using Trivy to generate SBOM](#using-trivy-to-generate-sbom)\n  * [Using Trivy to scan your 
private registry](#using-trivy-to-scan-your-private-registry)\n  * [Using Trivy if you don't have code scanning enabled](#using-trivy-if-you-dont-have-code-scanning-enabled)\n* [Customizing](#customizing)\n  * [inputs](#inputs)\n  * [Environment variables](#environment-variables)\n  * [Trivy config file](#trivy-config-file)\n\n## Usage\n\n### Scan CI Pipeline\n\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n      - name: Build an image from Dockerfile\n        run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'table'\n          exit-code: '1'\n          ignore-unfixed: true\n          vuln-type: 'os,library'\n          severity: 'CRITICAL,HIGH'\n```\n\n### Scan CI Pipeline (w/ Trivy Config)\n\n```yaml\nname: build\non:\n  push:\n    branches:\n    - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    steps:\n    - name: Checkout code\n      uses: actions/checkout@v4\n\n    - name: Run Trivy vulnerability scanner in fs mode\n      uses: aquasecurity/trivy-action@0.33.1\n      with:\n        scan-type: 'fs'\n        scan-ref: '.'\n        trivy-config: trivy.yaml\n```\n\nIn this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:\n```yaml\nformat: json\nexit-code: 1\nseverity: CRITICAL\nsecret:\n  config: config/trivy/secret.yaml\n```\n\nIt is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. 
Defining the following is required, as they cannot be defined in the config file:\n- `scan-ref`: If using `fs` or `repo` scans.\n- `image-ref`: If using `image` scan.\n- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.\n\n#### Order of preference for options\nTrivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:\n- GitHub Action flag\n- Environment variable\n- Config file\n- Default\n\n### Cache\nThe action has built-in functionality for caching and restoring [the vulnerability DB](https://github.com/aquasecurity/trivy-db), [the Java DB](https://github.com/aquasecurity/trivy-java-db) and [the checks bundle](https://github.com/aquasecurity/trivy-checks) if they are downloaded during the scan.\nThe cache is stored in the `$GITHUB_WORKSPACE/.cache/trivy` directory by default.\nThe cache is restored before the scan starts and saved after the scan finishes.\n\nIt uses [actions/cache](https://github.com/actions/cache) under the hood but requires fewer configuration settings.\nThe cache input is optional, and caching is turned on by default.\n\n#### Disabling caching\nIf you want to disable caching, set the `cache` input to `false`, but we recommend keeping it enabled to avoid rate limiting issues.\n\n```yaml\n    - name: Run Trivy scanner without cache\n      uses: aquasecurity/trivy-action@0.33.1\n      with:\n        scan-type: 'fs'\n        scan-ref: '.'\n        cache: 'false'\n```\n\n#### Updating caches in the default branch\nPlease note that there are [restrictions on cache access](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) between branches in GitHub Actions.\nBy default, a workflow can access and restore a cache created in either the current branch or the default branch (usually `main` or `master`).\nIf you need to share caches across branches, you may 
need to create a cache in the default branch and restore it in the current branch.\n\nTo optimize your workflow, you can set up a cron job to regularly update the cache in the default branch.\nThis allows subsequent scans to use the cached DB without downloading it again.\n\n```yaml\n# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.\n# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.\nname: Update Trivy Cache\n\non:\n  schedule:\n    - cron: '0 0 * * *'  # Run daily at midnight UTC\n  workflow_dispatch:  # Allow manual triggering\n\njobs:\n  update-trivy-db:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Setup oras\n        uses: oras-project/setup-oras@v1\n\n      - name: Get current date\n        id: date\n        run: echo \"date=$(date +'%Y-%m-%d')\" \u003e\u003e $GITHUB_OUTPUT\n\n      - name: Download and extract the vulnerability DB\n        run: |\n          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db\n          oras pull ghcr.io/aquasecurity/trivy-db:2\n          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db\n          rm db.tar.gz\n\n      - name: Download and extract the Java DB\n        run: |\n          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db\n          oras pull ghcr.io/aquasecurity/trivy-java-db:1\n          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db\n          rm javadb.tar.gz\n\n      - name: Cache DBs\n        uses: actions/cache/save@v4\n        with:\n          path: ${{ github.workspace }}/.cache/trivy\n          key: cache-trivy-${{ steps.date.outputs.date }}\n```\n\nWhen running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` to skip the download process.\n\n```yaml\n    - name: Run Trivy scanner without downloading DBs\n      uses: aquasecurity/trivy-action@0.33.1\n      with:\n        scan-type: 'image'\n        scan-ref: 'myimage'\n      env:\n     
   TRIVY_SKIP_DB_UPDATE: true\n        TRIVY_SKIP_JAVA_DB_UPDATE: true\n```\n\n### Trivy Setup\nBy default the action calls [`aquasecurity/setup-trivy`](https://github.com/aquasecurity/setup-trivy) as the first step\nwhich installs the `trivy` version specified by the `version` input.  If you have already installed `trivy` by other\nmeans, e.g. calling `aquasecurity/setup-trivy` directly, or are invoking this action multiple times then you can use the\n`skip-setup-trivy` input to disable this step.\n\n#### Setting up Trivy Manually\n```yaml\nname: build\non:\n  push:\n    branches:\n    - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    steps:\n    - name: Checkout code\n      uses: actions/checkout@v4\n\n    - name: Manual Trivy Setup\n      uses: aquasecurity/setup-trivy@v0.2.0\n      with:\n        cache: true\n        version: v0.69.3\n\n    - name: Run Trivy vulnerability scanner in repo mode\n      uses: aquasecurity/trivy-action@master\n      with:\n        scan-type: 'fs'\n        ignore-unfixed: true\n        format: 'sarif'\n        output: 'trivy-results.sarif'\n        severity: 'CRITICAL'\n        skip-setup-trivy: true\n```\n\n#### Skipping Setup when Calling Trivy Action multiple times\nAnother common use case is when a build calls this action multiple times, in this case we can set `skip-setup-trivy` to \n`true` on subsequent invocations e.g.\n\n```yaml\nname: build\n\non:\n  push:\n    branches:\n      - main\n  pull_request:\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    steps:\n      - name: Check out Git repository\n        uses: actions/checkout@v4\n\n      # The first call to the action will invoke setup-trivy and install trivy\n      - name: Generate Trivy Vulnerability Report\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: \"fs\"\n          output: trivy-report.json\n          format: json\n          scan-ref: .\n          
exit-code: 0\n\n      - name: Upload Vulnerability Scan Results\n        uses: actions/upload-artifact@v4\n        with:\n          name: trivy-report\n          path: trivy-report.json\n          retention-days: 30\n\n      - name: Fail build on High/Criticial Vulnerabilities\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: \"fs\"\n          format: table\n          scan-ref: .\n          severity: HIGH,CRITICAL\n          ignore-unfixed: true\n          exit-code: 1\n          # On a subsequent call to the action we know trivy is already installed so can skip this\n          skip-setup-trivy: true\n```\n\n#### Use non-default token to install Trivy\nOn GitHub Enterprise Server (GHES), `github.token` is not valid for the `https://github.com` server.\nAs a result, the `setup-trivy` action can't install `Trivy` with it.\n\nTo fix this problem, override the token used by `setup-trivy` with the `token-setup-trivy` input:\n```yaml\n    - name: Run Trivy scanner without cache\n      uses: aquasecurity/trivy-action@0.33.1\n      with:\n        scan-type: 'fs'\n        scan-ref: '.'\n        token-setup-trivy: ${{ secrets.GITHUB_PAT }}\n```\n\nGitHub also provides the [create-github-app-token](https://github.com/actions/create-github-app-token) action for similar cases.\n\n### Scanning a Tarball\n```yaml\nname: build\non:\n  push:\n    branches:\n    - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    steps:\n    - name: Checkout code\n      uses: actions/checkout@v4\n\n    - name: Generate tarball from image\n      run: |\n        docker pull \u003cyour-docker-image\u003e\n        docker save -o vuln-image.tar \u003cyour-docker-image\u003e\n\n    - name: Run Trivy vulnerability scanner in tarball mode\n      uses: aquasecurity/trivy-action@0.33.1\n      with:\n        input: /github/workspace/vuln-image.tar\n        severity: 'CRITICAL,HIGH'\n```\n\n### Using Trivy with templates\nThe action supports [Trivy 
templates][trivy-templates]. \n\nUse `template` input to specify path (remember to prefix the path with `@`) to template file.\n\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          scan-type: \"fs\"\n          scan-ref: .\n          format: 'template'\n          template: \"@path/to/my_template.tpl\"\n```\n\n#### Default templates\nTrivy has [default templates][trivy-default-templates].\n\nBy default, `setup-trivy` installs them into the `$HOME/.local/bin/trivy-bin/contrib` directory.\n\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          scan-type: \"fs\"\n          scan-ref: .\n          format: 'template'\n          template: \"@$HOME/.local/bin/trivy-bin/contrib/html.tpl\"\n```\n\n### Using Trivy with GitHub Code Scanning\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Build an image from Dockerfile\n        run: |\n          docker 
build -t docker.io/my-organization/my-app:${{ github.sha }} .\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\nYou can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml\n\nIf you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Build an image from Dockerfile\n        run: |\n          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v4\n        if: always()\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\nSee this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always\n\n### Using Trivy to scan your Git repo\nIt's also possible to scan your git repos with Trivy's 
built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerabilities that might get introduced with each PR.\n\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner in repo mode\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          scan-type: 'fs'\n          ignore-unfixed: true\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n          severity: 'CRITICAL'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n### Using Trivy to scan your rootfs directories\nIt's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. 
This helps you identify potential vulnerabilities that might get introduced with each PR.\n\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner with rootfs command\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          scan-type: 'rootfs'\n          scan-ref: 'rootfs-example-binary'\n          ignore-unfixed: true\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n          severity: 'CRITICAL'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n### Using Trivy to scan Infrastructure as Code\nIt's also possible to scan your IaC repos with Trivy's built-in repo scan. \nThis can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. 
\nThis helps you identify potential vulnerabilities that might get introduced with each PR.\n\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner in IaC mode\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          scan-type: 'config'\n          hide-progress: true\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n          exit-code: '1'\n          severity: 'CRITICAL,HIGH'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        if: always()\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n**Note**: If your Terraform configuration contains private modules, configure Git to authenticate with the repository hosting them. 
\nThis can be done by adding a step in your CI workflow that sets up access, for example using a Personal Access Token (PAT) or SSH keys:\n\n```yaml\n- name: Configure Git for private modules\n  run: |\n    git config --global url.\"https://$GITHUB_USER:$PRIVATE_REPO_TOKEN@github.com/\".insteadOf \"https://github.com/\"\n  env:\n    GITHUB_USER: ${{ github.actor }}\n    PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}\n```\nThis ensures Trivy can download private modules. Because this step writes the token into the runner's global Git configuration in plain text, use a token that only has read access to the module repositories.\n\n\n### Using Trivy to generate SBOM\nIt's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit it to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).\n\nThe [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository).\n\nIn order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):\n\n```yaml\n---\nname: Generate SBOM\non:\n  push:\n    branches:\n    - main\n\n## GITHUB_TOKEN authentication, add only if you're not going to use a PAT\npermissions:\n  contents: write\n\njobs:\n  generate-sbom:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout code\n        
uses: actions/checkout@v4\n\n      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          scan-type: 'fs'\n          format: 'github'\n          output: 'dependency-results.sbom.json'\n          scan-ref: '.'\n          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT\n```\n\nWhen scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance.\n\nYou can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact):\n\n```yaml\n---\nname: Generate SBOM\non:\n  push:\n    branches:\n    - main\n\n## GITHUB_TOKEN authentication, add only if you're not going to use a PAT\npermissions:\n  contents: write\n\njobs:\n  generate-sbom:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Scan image in a private registry\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: \"private_image_registry/image_name:image_tag\"\n          scan-type: image\n          format: 'github'\n          output: 'dependency-results.sbom.json'\n          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT\n          severity: \"MEDIUM,HIGH,CRITICAL\"\n          scanners: \"vuln\"\n        env:\n          TRIVY_USERNAME: \"image_registry_admin_username\"\n          TRIVY_PASSWORD: \"image_registry_admin_password\"\n\n      - name: Upload trivy report as a Github artifact\n        uses: actions/upload-artifact@v4\n        with:\n          name: trivy-sbom-report\n          path: '${{ github.workspace }}/dependency-results.sbom.json'\n          retention-days: 20 # 90 is the default\n```\n\n### Using Trivy to scan your private registry\nIt's also possible to scan your private registry with Trivy's 
built-in image scan. All you have to do is set the registry credentials as ENV vars. The credential values in the examples below are placeholders; in a real workflow, pass them from repository secrets (for example `${{ secrets.REGISTRY_PASSWORD }}`, a name made up for illustration) instead of writing them into the workflow file.\n\n#### Docker Hub registry\nDocker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.\nYou don't need to set ENV vars when downloading from a public repository.\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF results to the GitHub Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          TRIVY_USERNAME: Username\n          TRIVY_PASSWORD: Password\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n#### AWS ECR (Elastic Container Registry)\nTrivy uses AWS SDK. 
You don't need to install `aws` CLI tool.\nYou can use [AWS CLI's ENV Vars][env-var].\n\n[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          AWS_ACCESS_KEY_ID: key_id\n          AWS_SECRET_ACCESS_KEY: access_key\n          AWS_DEFAULT_REGION: us-west-2\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n#### GCR (Google Container Registry)\nTrivy uses Google Cloud SDK. 
You don't need to install the `gcloud` command.\n\nIf you want to use the target project's repository, you can set the credentials via `GOOGLE_APPLICATION_CREDENTIALS`.\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          GOOGLE_APPLICATION_CREDENTIALS: /path/to/credential.json\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n#### Self-Hosted\nA BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.\nIf you want to use port 80 (plain HTTP), set `TRIVY_NON_SSL=true`; the BasicAuth credentials are then sent unencrypted, so prefer a TLS endpoint where one is available.\n```yaml\nname: build\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-24.04\n    permissions:\n      contents: read          # Required to checkout and read repo files\n      security-events: write  # Required to upload SARIF files to Security tab\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v4\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@0.33.1\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          TRIVY_USERNAME: Username\n          TRIVY_PASSWORD: Password\n\n      - name: Upload Trivy scan results to GitHub Security 
tab\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n### Using Trivy if you don't have code scanning enabled\n\nIt's also possible to browse a scan result in a workflow summary.\n\nThis step is especially useful for private repositories without [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) license.\n\n```yaml\n- name: Run Trivy scanner\n  uses: aquasecurity/trivy-action@0.33.1\n  with:\n    scan-type: config\n    hide-progress: true\n    output: trivy.txt\n\n- name: Publish Trivy Output to Summary\n  run: |\n    if [[ -s trivy.txt ]]; then\n      {\n        echo \"### Security Output\"\n        echo \"\u003cdetails\u003e\u003csummary\u003eClick to expand\u003c/summary\u003e\"\n        echo \"\"\n        echo '```terraform'\n        cat trivy.txt\n        echo '```'\n        echo \"\u003c/details\u003e\"\n      } \u003e\u003e $GITHUB_STEP_SUMMARY\n    fi\n```\n\n## Customizing\n\nConfiguration priority:\n- [Inputs](#inputs)\n- [Environment variables](#environment-variables)\n- [Trivy config file](#trivy-config-file)\n- Default values\n\n\n### inputs\n\nFollowing inputs can be used as `step.with` keys:\n\n| Name                         | Type    | Default                            | Description                                                                                                                                                      |\n|------------------------------|---------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `scan-type`                  | String  | `image`                            | Scan type, e.g. 
`image` or `fs`                                                                                                                                  |\n| `input`                      | String  |                                    | Tar reference, e.g. `alpine-latest.tar`                                                                                                                          |\n| `image-ref`                  | String  |                                    | Image reference, e.g. `alpine:3.10.2`                                                                                                                            |\n| `scan-ref`                   | String  | `/github/workspace/`               | Scan reference, e.g. `/github/workspace/` or `.`                                                                                                                 |\n| `format`                     | String  | `table`                            | Output format (`table`, `json`, `template`, `sarif`, `cyclonedx`, `spdx`, `spdx-json`, `github`, `cosign-vuln`)                                                  |\n| `template`                   | String  |                                    | Output template (`@$HOME/.local/bin/trivy-bin/contrib/gitlab.tpl`, `@$HOME/.local/bin/trivy-bin/contrib/junit.tpl`)                                              |\n| `tf-vars`                    | String  |                                    | path to Terraform variables file                                                                                                                                 |\n| `output`                     | String  |                                    | Save results to a file                                                                                                                                           |\n| `exit-code`                  | String  | `0`                                | Exit code when specified vulnerabilities are found              
                                                                                                 |\n| `ignore-unfixed`             | Boolean | false                              | Ignore unpatched/unfixed vulnerabilities                                                                                                                         |\n| `vuln-type`                  | String  | `os,library`                       | Vulnerability types (os,library)                                                                                                                                 |\n| `severity`                   | String  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed                                                                                                       |\n| `skip-dirs`                  | String  |                                    | Comma separated list of directories where traversal is skipped                                                                                                   |\n| `skip-files`                 | String  |                                    | Comma separated list of files where traversal is skipped                                                                                                         |\n| `cache-dir`                  | String  | `$GITHUB_WORKSPACE/.cache/trivy`   | Cache directory. NOTE: This value cannot be configured by `trivy.yaml`.                                                                                          
|\n| `timeout`                    | String  | `5m0s`                             | Scan timeout duration                                                                                                                                            |\n| `ignore-policy`              | String  |                                    | Filter vulnerabilities with OPA rego language                                                                                                                    |\n| `hide-progress`              | String  | `false`                            | Suppress progress bar and log output                                                                                                                             |\n| `list-all-pkgs`              | String  |                                    | Output all packages regardless of vulnerability                                                                                                                  |\n| `scanners`                   | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`misconfig`,`license`)                                                                   |\n| `trivyignores`               | String  |                                    | comma-separated list of relative paths within the repository to one or more `.trivyignore` files, or a single `.trivyignore.yaml` file.                          |\n| `trivy-config`               | String  |                                    | Path to trivy.yaml config                                                                                                                                        |\n| `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. 
Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN          |\n| `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true**   |\n| `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |\n| `version`                    | String  | `v0.69.3`                          | Trivy version to use, e.g. `latest` or `v0.69.3`                                                                                                                 |\n| `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                         |\n| `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                                |\n\n### Environment variables\nYou can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).\n\n**NB** In some older versions of the Action there was a bug that caused inputs from one call to the Action to leak \nover to subsequent calls to the Action.  This could cause workflows that call the Action multiple times e.g. to run \nmultiple scans, or the same scans with different output formats, to not produce the desired output.  
You can see if this\nis the case by looking at the GitHub Actions step information, if the `env` section shown in your Actions output \ncontains `TRIVY_*` environment variables you did not explicitly set then you may be affected by this bug and should \nupgrade to the latest Action version.\n\n### Trivy config file\nWhen using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).\n\n[release]: https://github.com/aquasecurity/trivy-action/releases/latest\n[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github\n[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy\n[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github\n[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE\n[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action\n[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables\n[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/\n[trivy-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#template\n[trivy-default-templates]: https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#default-templates\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Ftrivy-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Ftrivy-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Ftrivy-action/lists"}