diff --git a/.github/workflows/trivy-image-scan-test.yml b/.github/workflows/trivy-image-scan-test.yml
new file mode 100644
index 0000000..f447a8d
--- /dev/null
+++ b/.github/workflows/trivy-image-scan-test.yml
@@ -0,0 +1,6 @@
+on: [push]
+jobs:
+ test_build_docker:
+ uses: ./.github/workflows/trivy-image-scan.yml
+ with:
+ image: 'forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/build/test:latest'
diff --git a/.github/workflows/trivy-image-scan.yml b/.github/workflows/trivy-image-scan.yml
new file mode 100644
index 0000000..1dddf46
--- /dev/null
+++ b/.github/workflows/trivy-image-scan.yml
@@ -0,0 +1,23 @@
+name: Run Trivy Image Scanner
+
+on:
+ workflow_call:
+ inputs:
+ image:
+ description: 'The image to test'
+ required: true
+ type: string
+
+jobs:
+ build-go:
+ runs-on: docker
+ container:
+ image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/pipeline-container/trivy:0.56.2
+ steps:
+ - name: Clone Repository
+ uses: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/checkout@main
+ - name: Run trivy image scan
+ run: |
+ set -e
+ TRIVY_INSECURE=true trivy image --scanners license,vuln,secret ${{ inputs.image }}
+ TRIVY_INSECURE=true trivy image --image-config-scanners secret,misconfig ${{ inputs.image }}
diff --git a/README.md b/README.md
index e69de29..666656d 100644
--- a/README.md
+++ b/README.md
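Review bot: `${{ inputs.image }}` is expanded straight into the shell text of the `Run trivy image scan` step in trivy-image-scan.yml, so any caller of this reusable workflow that derives `image` from untrusted data (a branch name, PR title or event payload) can inject commands into the runner; pass the value through `env:` and quote it as `"$IMAGE"` instead. `TRIVY_INSECURE=true` disables TLS verification for registry pulls and DB downloads, which lets an on-path party substitute the image or vulnerability database being scanned — if the internal registry uses a private CA, trust that CA inside the container rather than turning verification off. Trivy exits 0 on findings unless `--exit-code` is set, so with only `set -e` this job reports but never fails; add `--exit-code 1` (optionally narrowed with `--severity HIGH,CRITICAL`) if the scan is meant to gate. The checkout action is referenced at the mutable `@main` ref and the scan step does not use the repository contents, so pin it to a commit SHA or drop the step. The job id `build-go` does not describe a scan job; something like `trivy-scan` would read better.

```yaml
      - name: Run trivy image scan
        env:
          IMAGE: ${{ inputs.image }}
        run: |
          set -e
          trivy image --exit-code 1 --scanners license,vuln,secret "$IMAGE"
          trivy image --exit-code 1 --image-config-scanners secret,misconfig "$IMAGE"
```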
@@ -0,0 +1,21 @@
+# Run Trivy Image Scanner GitHub Action
+
+This GitHub Action scans Docker images for vulnerabilities, secrets, licenses, and misconfigurations using [Trivy](https://github.com/aquasecurity/trivy).
+
+## Inputs
+
+| Input Name | Description | Required | Type |
+|------------|-----------------------|----------|--------|
+| `image` | The Docker image to scan. | Yes | string |
+
+## Usage
+
+This action can be used in other workflows with `workflow_call`. Here’s an example:
+
+```yaml
+jobs:
+ scan:
+ uses:DevFW-CICD/vulnerability-scan/.github/workflows/trivy-image-scan.yml@main
+ with:
+ image: 'my-registry.com/project/image:latest'
+```