{"id":15859633,"url":"https://github.com/simar7/trivy-action-aqua-plugin-test","last_synced_at":"2026-01-11T01:47:19.292Z","repository":{"id":145549769,"uuid":"518173683","full_name":"simar7/trivy-action-aqua-plugin-test","owner":"simar7","description":null,"archived":false,"fork":false,"pushed_at":"2022-07-26T18:34:30.000Z","size":624,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-07T13:15:44.489Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Open Policy Agent","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simar7.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-26T18:25:05.000Z","updated_at":"2022-07-26T18:36:40.000Z","dependencies_parsed_at":"2023-05-25T20:15:17.292Z","dependency_job_id":null,"html_url":"https://github.com/simar7/trivy-action-aqua-plugin-test","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simar7%2Ftrivy-action-aqua-plugin-test","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simar7%2Ftrivy-action-aqua-plugin-test/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simar7%2Ftrivy-action-aqua-plugin-test/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simar7%2Ftrivy-action-aqua-plugin-test/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/simar
7","download_url":"https://codeload.github.com/simar7/trivy-action-aqua-plugin-test/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246706097,"owners_count":20820784,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-05T21:22:28.865Z","updated_at":"2026-01-11T01:47:19.250Z","avatar_url":"https://github.com/simar7.png","language":"Open Policy Agent","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Trivy Action\n\n\u003e [GitHub Action](https://github.com/features/actions) for [Trivy](https://github.com/aquasecurity/trivy)\n\n[![GitHub Release][release-img]][release]\n[![GitHub Marketplace][marketplace-img]][marketplace]\n[![License][license-img]][license]\n\n![](docs/images/trivy-action.png)\n\n## Table of Contents\n\n- [Usage](#usage)\n  - [Workflow](#workflow)\n  - [Docker Image Scanning](#using-trivy-with-github-code-scanning)\n  - [Git Repository Scanning](#using-trivy-to-scan-your-git-repo)\n- [Customizing](#customizing)\n  - [Inputs](#inputs)\n\n## Usage\n\n### Scan CI Pipeline\n\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-20.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n      - name: Build an image from Dockerfile\n        run: |\n          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@master\n        with:\n          image-ref: 
'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'table'\n          exit-code: '1'\n          ignore-unfixed: true\n          vuln-type: 'os,library'\n          severity: 'CRITICAL,HIGH'\n```\n\n### Scan CI Pipeline (w/ Trivy Config)\n\n```yaml\nname: build\non:\n  push:\n    branches:\n    - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-20.04\n    steps:\n    - name: Checkout code\n      uses: actions/checkout@v2\n\n    - name: Run Trivy vulnerability scanner in repo mode\n      uses: aquasecurity/trivy-action@add-support-for-trivy-config\n      with:\n        scan-type: 'fs'\n        ignore-unfixed: true\n        trivy-config: ./trivy.yaml\n```\n\nIn this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:\n```yaml\nformat: json\nexit-code: 1\nseverity: CRITICAL\n```\n\nIt is possible to define all options in the `trivy.yaml` file. 
Specifying individual options via the action is left for backward compatibility purposes.\n\n### Scanning a Tarball\n```yaml\nname: build\non:\n  push:\n    branches:\n    - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-20.04\n    steps:\n    - name: Checkout code\n      uses: actions/checkout@v2\n\n    - name: Generate tarball from image\n      run: |\n        docker pull \u003cyour-docker-image\u003e\n        docker save -o vuln-image.tar \u003cyour-docker-image\u003e\n        \n    - name: Run Trivy vulnerability scanner in tarball mode\n      uses: aquasecurity/trivy-action@master\n      with:\n        input: /github/workspace/vuln-image.tar\n        severity: 'CRITICAL,HIGH'\n```\n\n### Using Trivy with GitHub Code Scanning\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available, you can use Trivy as a scanning tool as follows:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Build an image from Dockerfile\n        run: |\n          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@master\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\nYou can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml\n\nIf you would like to upload SARIF results to GitHub Code scanning even upon a 
non-zero exit code from the Trivy scan, you can add the following to your upload step:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Build an image from Dockerfile\n        run: |\n          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@master\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        if: always()\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\nSee this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always\n\n### Using Trivy to scan your Git repo\nIt's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build-time check on each PR that gets opened in your repo. 
This helps you identify potential vulnerabilities that might get introduced with each PR.\n\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available, you can use Trivy as a scanning tool as follows:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Run Trivy vulnerability scanner in repo mode\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: 'fs'\n          ignore-unfixed: true\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n          severity: 'CRITICAL'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n### Using Trivy to scan your rootfs directories\nIt's also possible to scan your rootfs directories with Trivy's built-in rootfs scan. This can be handy if you want to run Trivy as a build-time check on each PR that gets opened in your repo. 
This helps you identify potential vulnerabilities that might get introduced with each PR.\n\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available, you can use Trivy as a scanning tool as follows:\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Run Trivy vulnerability scanner with rootfs command\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: 'rootfs'\n          scan-ref: 'rootfs-example-binary'\n          ignore-unfixed: true\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n          severity: 'CRITICAL'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n### Using Trivy to scan Infrastructure as Code\nIt's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build-time check on each PR that gets opened in your repo. 
This helps you identify potential vulnerabilities that might get introduced with each PR.\n\nIf you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available, you can use Trivy as a scanning tool as follows (the scan must write SARIF for the upload step to have a file to submit, and `if: always()` keeps the upload running when `exit-code: '1'` fails the scan step):\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Run Trivy vulnerability scanner in IaC mode\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: 'config'\n          hide-progress: false\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n          exit-code: '1'\n          ignore-unfixed: true\n          severity: 'CRITICAL,HIGH'\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        if: always()\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n### Using Trivy to generate SBOM\nIt's possible for Trivy to generate an SBOM of your dependencies and submit it to a consumer like GitHub Dependency Snapshot.\n\nSending the SBOM to GitHub is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo. 
\n\nIn order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).\n```yaml\n---\nname: Pull Request\non:\n  push:\n    branches:\n    - master\n  pull_request:\njobs:\n  build:\n    name: Checks\n    runs-on: ubuntu-20.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v3\n\n      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: 'fs'\n          format: 'github'\n          output: 'dependency-results.sbom.json'\n          image-ref: '.'\n          github-pat: '\u003cgithub_pat_token\u003e'\n```\n\n### Using Trivy to scan your private registry\nIt's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.\n\n#### Docker Hub registry\nDocker Hub needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.\nYou don't need to set ENV vars when downloading from a public repository.\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@master\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          TRIVY_USERNAME: Username\n          TRIVY_PASSWORD: Password\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n#### AWS ECR (Elastic Container Registry)\nTrivy uses the AWS SDK. 
You don't need to install the `aws` CLI tool.\nYou can use the [AWS CLI's ENV Vars][env-var].\n\n[env-var]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@master\n        with:\n          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          AWS_ACCESS_KEY_ID: key_id\n          AWS_SECRET_ACCESS_KEY: access_key\n          AWS_DEFAULT_REGION: us-west-2\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n#### GCR (Google Container Registry)\nTrivy uses the Google Cloud SDK. 
You don't need to install the `gcloud` command.\n\nIf you want to use the target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@master\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n#### Self-Hosted\nA BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.\nIf you want to use port 80 (non-SSL), set `TRIVY_NON_SSL=true`.\n```yaml\nname: build\non:\n  push:\n    branches:\n      - master\n  pull_request:\njobs:\n  build:\n    name: Build\n    runs-on: ubuntu-18.04\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Run Trivy vulnerability scanner\n        uses: aquasecurity/trivy-action@master\n        with:\n          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n        env:\n          TRIVY_USERNAME: Username\n          TRIVY_PASSWORD: Password\n\n      - name: Upload Trivy scan results to GitHub Security tab\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: 'trivy-results.sarif'\n```\n\n## Customizing\n\n### inputs\n\nThe following inputs can be used as `step.with` keys:\n\n| Name              | Type    | Default                            | Description                                                        
                             |\n|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|\n| `scan-type`       | String  | `image`                            | Scan type, e.g. `image` or `fs`                                                                 |\n| `input`           | String  |                                    | Tar reference, e.g. `alpine-latest.tar`                                                         |\n| `image-ref`       | String  |                                    | Image reference, e.g. `alpine:3.10.2`                                                           |\n| `scan-ref`        | String  | `/github/workspace/`               | Scan reference, e.g. `/github/workspace/` or `.`                                                |\n| `format`          | String  | `table`                            | Output format (`table`, `json`, `sarif`, `github`)                                              |\n| `template`        | String  |                                    | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)                                 |\n| `output`          | String  |                                    | Save results to a file                                                                          |\n| `exit-code`       | String  | `0`                                | Exit code when specified vulnerabilities are found                                              |\n| `ignore-unfixed`  | Boolean | false                              | Ignore unpatched/unfixed vulnerabilities                                                        |\n| `vuln-type`       | String  | `os,library`                       | Vulnerability types (os,library)                                                                |\n| `severity`        | String  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to be scanned for and 
displayed                                      |\n| `skip-dirs`       | String  |                                    | Comma separated list of directories where traversal is skipped                                  |\n| `skip-files`      | String  |                                    | Comma separated list of files where traversal is skipped                                        |\n| `cache-dir`       | String  |                                    | Cache directory                                                                                 |\n| `timeout`         | String  | `5m0s`                             | Scan timeout duration                                                                           |\n| `ignore-policy`   | String  |                                    | Filter vulnerabilities with OPA rego language                                                   |\n| `hide-progress`   | String  | `true`                             | Suppress progress bar                                                                           |\n| `list-all-pkgs`   | String  |                                    | Output all packages regardless of vulnerability                                                 |\n| `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |\n| `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |\n| `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |\n\n[release]: https://github.com/aquasecurity/trivy-action/releases/latest\n[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github\n[marketplace]: https://github.com/marketplace/actions/aqua-security-trivy\n[marketplace-img]: 
https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github\n[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE\n[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimar7%2Ftrivy-action-aqua-plugin-test","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimar7%2Ftrivy-action-aqua-plugin-test","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimar7%2Ftrivy-action-aqua-plugin-test/lists"}