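---
# Composite action: scan a container image with Trivy and upload the SARIF
# report to the GitHub Security tab (code scanning).
#
# Composite actions cannot declare `permissions`; the calling workflow must
# grant the job `security-events: write` for the SARIF upload (and the usual
# `contents: read`).
name: Trivy
description: "Run a Trivy Scan and upload the results"

inputs:
  image-ref:
    description: "image to scan"
    required: true
  timeout:
    description: "how long to scan"
    # Duration string passed straight to Trivy; quoted so it stays a string.
    default: "15m"
  vuln-type:
    description: "types of vulnerabilities to report"
    default: "os,library"
  severity:
    description: "severity of issues to report"
    default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  format:
    description: "format of scan report"
    # Only "sarif" can be uploaded to the Security tab; any other format still
    # writes the report file but the upload step below is skipped.
    default: "sarif"
  output-file:
    description: "file to export scan results"
    default: "trivy-results.sarif"

runs:
  using: "composite"
  steps:
    # Private repositories need GitHub Advanced Security for code scanning;
    # fail early with a clear message instead of failing at upload time.
    - name: Check if GHAS is enabled
      uses: actions/github-script@v7
      id: ghas-enabled
      with:
        script: |
          // context.repo already holds {owner, repo} for the running
          // workflow, so the repository string does not need to be split.
          const response = await github.rest.repos.get({ ...context.repo });
          // `private` is a reserved word in strict-mode JavaScript; use a
          // different local name to stay valid regardless of the runner's
          // wrapping mode.
          const isPrivate = response.data.private;
          if (isPrivate) {
            // NOTE(review): security_and_analysis may be absent when the token
            // lacks admin rights on the repository, which would make this check
            // fail even with GHAS enabled — confirm what GITHUB_TOKEN exposes.
            const securityEnabled = response.data.security_and_analysis?.advanced_security?.status === 'enabled';
            if (!securityEnabled) {
              const message = 'GitHub Advanced Security is NOT enabled and repo is private. Can not upload report';
              core.setFailed(message);
            }
          }
    # NOTE(review): `@master` is a mutable branch ref, unlike the tag-pinned
    # actions above and below. A third-party action on the security-scanning
    # path should be pinned to a release tag or, preferably, a full commit SHA
    # (e.g. `aquasecurity/trivy-action@<pinned-commit-sha>`) so the code that
    # runs inside the job cannot change without a reviewed update.
    - name: Run Trivy vulnerability scanner
      id: scan
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: "${{ inputs.image-ref }}"
        timeout: "${{ inputs.timeout }}"
        vuln-type: "${{ inputs.vuln-type }}"
        severity: "${{ inputs.severity }}"
        format: "${{ inputs.format }}"
        output: "${{ inputs.output-file }}"
    # upload-sarif only accepts SARIF input; skip the upload when the caller
    # requested a different report format rather than failing the job.
    - name: Upload Trivy scan results to GitHub Security tab
      id: upload
      if: ${{ inputs.format == 'sarif' }}
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: "${{ inputs.output-file }}"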