Test using Trivy action

3lvia · Apr 25, 2024 · 43e0a9c · 43e0a9c
1 parent 8a9feec
commit 43e0a9c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 21 deletions.
diff --git a/build/action.yml b/build/action.yml
@@ -133,7 +133,6 @@ runs:
       with:
         image-ref: ${{ env.IMAGE_LONG_NAME }}
         format: 'sarif'
-        template: '@/contrib/sarif.tpl'
         output: 'trivy.sarif'
         severity: ${{ inputs.severity }}
         trivyignores: '.trivyignore'

diff --git a/trivy-iac-scan/action.yml b/trivy-iac-scan/action.yml
@@ -24,13 +24,6 @@ inputs:
     description: "Path to the Trivy ignore file in the repository. This action will add a default set of CVE's that are ignored for all scans. If you wish to add more CVE's to ignore, add them to the .trivyignore, or create a new file and specify the path here. See https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#by-finding-ids for more information."
     required: false
     default: '.trivyignore'
-  debug:
-    description: 'If true, the action will output debug information.'
-    required: false
-    default: 'false'
-  policy-bundle-repository:
-    description: 'OCI registry URL to retrieve policy bundle from. Maps to `--policy-bundle-repository` in Trivy CLI.'
-    required: false
 
 runs:
   using: 'composite'
@@ -104,19 +97,17 @@ runs:
       env:
         TRIVY_VERSION: '0.50.4'
 
-    - name: Run Trivy vulnerability scanner in IaC mode
-      shell: bash
-      run: |
-        # Run Trivy
-        trivy config '${{ inputs.path }}' \
-          --format sarif \
-          --output '${{ env.TRIVY_SARIF }}' \
-          --exit-code 0 \
-          --severity '${{ inputs.severity }}' \
-          --ignorefile '${{ inputs.trivyignore }}' \
-          ${{ inputs.policy-bundle-repository != '' && format('--policy-bundle-repository {0}', inputs.policy-bundle-repository) || '' }} \
-          ${{ inputs.debug == 'true' && '--debug' || '' }} \
-          ${{ inputs.skip-dirs != '' && format('--skip-dirs {0}', inputs.skip-dirs) || '' }}
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'config'
+        format: 'sarif'
+        exit-code: '0'
+        output: ${{ env.TRIVY_SARIF }}
+        severity: ${{ inputs.severity }}
+        trivyignores: ${{ inputs.trivyignore }}
+        ignore-unfixed: 'true'
+        skip-dirs: ${{ inputs.skip-dirs }}
 
     - name: Upload Trivy report to GitHub Security tab
       if: ${{ inputs.upload-report == 'true' }}