
Trivy

trivy | scan

uses: jambazid/gha-actions/.github/workflows/trivy.yaml@unknown

Scan container images, terraform configurations, and the repository for vulnerabilities.

The nature of the scan is determined by boolean inputs:

  • docker: Scan container images for vulnerabilities.
  • repository: Scan the repository for vulnerabilities.
  • terraform: Scan terraform configurations for vulnerabilities.
  • sbom: Scan the whole repository for vulnerabilities and generate an SBOM.

flowchart TB
    subgraph job_docker["docker"]
        direction LR
        job_docker_step_0("git | checkout")
        job_docker_step_1("trivy | setup")
        job_docker_step_0 --> job_docker_step_1
        job_docker_step_2("trivy | scan")
        job_docker_step_1 --> job_docker_step_2
        job_docker_step_3("trivy | annotate")
        job_docker_step_2 --> job_docker_step_3
        job_docker_step_4("trivy | ingest")
        job_docker_step_3 --> job_docker_step_4
    end
    subgraph job_sbom["sbom"]
        direction LR
        job_sbom_step_0("git | checkout")
        job_sbom_step_1("trivy | setup")
        job_sbom_step_0 --> job_sbom_step_1
        job_sbom_step_2("trivy | scan")
        job_sbom_step_1 --> job_sbom_step_2
        job_sbom_step_3("trivy | artifact")
        job_sbom_step_2 --> job_sbom_step_3
    end
    subgraph job_terraform["terraform"]
        direction LR
        job_terraform_step_0("git | checkout")
        job_terraform_step_1("trivy | setup")
        job_terraform_step_0 --> job_terraform_step_1
        job_terraform_step_2("trivy | scan")
        job_terraform_step_1 --> job_terraform_step_2
        job_terraform_step_3("trivy | annotate")
        job_terraform_step_2 --> job_terraform_step_3
        job_terraform_step_4("trivy | ingest")
        job_terraform_step_3 --> job_terraform_step_4
    end
    subgraph job_repository["repository"]
        direction LR
        job_repository_step_0("git | checkout")
        job_repository_step_1("trivy | setup")
        job_repository_step_0 --> job_repository_step_1
        job_repository_step_2("trivy | scan")
        job_repository_step_1 --> job_repository_step_2
        job_repository_step_3("trivy | annotate")
        job_repository_step_2 --> job_repository_step_3
        job_repository_step_4("trivy | ingest")
        job_repository_step_3 --> job_repository_step_4
    end

Inputs:

  • docker: Whether to scan container images for vulnerabilities.
  • image-ref: The image reference to scan when docker is true.
  • repository: Whether to scan the repository for vulnerabilities.
  • terraform: Whether to scan terraform configurations for vulnerabilities.
  • sbom: Whether to scan the whole repository for vulnerabilities and generate an SBOM.
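A caller workflow that enables all four scans through the inputs above, added here as an example and not taken from this page or the jambazid/gha-actions repository. The `<ref>` placeholder stands in for the ref the page lists as unknown (pin it to a release tag or commit SHA), and the image-ref value is a constructed example; the page does not document which permissions or secrets the reusable workflow needs, so none are assumed here.

```yaml
name: security-scan

on:
  pull_request:
  push:
    branches: [main]

jobs:
  trivy:
    # Reusable workflow documented on this page. <ref> is a placeholder:
    # the page lists the ref as @unknown; pin a tag or commit SHA in practice.
    uses: jambazid/gha-actions/.github/workflows/trivy.yaml@<ref>
    with:
      # Boolean inputs select which scan jobs run (docker, repository,
      # terraform, sbom); each runs as its own job in the reusable workflow.
      repository: true
      terraform: true
      sbom: true
      docker: true
      # image-ref is only read when docker is true. Constructed example value:
      # the image this repository publishes, tagged by commit SHA.
      image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
```

Setting any of the four booleans to false skips the corresponding job; image-ref can be omitted when docker is false.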