feat: migrate to a composite action

Signed-off-by: knqyf263 <[email protected]>

README.md

@@ -580,7 +580,7 @@ Following inputs can be used as `step.with` keys:
 | `severity`                   | String  | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed                                                                                                     |
 | `skip-dirs`                  | String  |                                    | Comma separated list of directories where traversal is skipped                                                                                                 |
 | `skip-files`                 | String  |                                    | Comma separated list of files where traversal is skipped                                                                                                       |
-| `cache-dir`                  | String  |                                    | Cache directory                                                                                                                                                |
+| `cache-dir`                  | String  | `$GITHUB_WORKSPACE/.cache/trivy`   | Cache directory                                                                                                                                                |
 | `timeout`                    | String  | `5m0s`                             | Scan timeout duration                                                                                                                                          |
 | `ignore-policy`              | String  |                                    | Filter vulnerabilities with OPA rego language                                                                                                                  |
 | `hide-progress`              | String  | `false`                            | Suppress progress bar and log output                                                                                                                           |
@@ -591,6 +591,7 @@ Following inputs can be used as `step.with` keys:
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN        |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values                                      |
+| `version`                    | String  | `latest`                           | Trivy version to use                                                                                                                                           |
 
 ### Environment variables
 You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).

action.yaml

@@ -1,6 +1,7 @@
 name: 'Aqua Security Trivy'
 description: 'Scans container images for vulnerabilities with Trivy'
 author: 'Aqua Security'
+
 inputs:
   scan-type:
     description: 'Scan type to use for scanning vulnerability'
@@ -24,7 +25,7 @@ inputs:
     description: 'ignore unfixed vulnerabilities'
     required: false
     default: 'false'
-  vuln-type:
+  vuln-type: # TODO: rename to pkg-types
     description: 'comma-separated list of vulnerability types (os,library)'
     required: false
     default: 'os,library'
@@ -55,7 +56,7 @@ inputs:
   cache-dir:
     description: 'specify where the cache is stored'
     required: false
-    default: ''
+    default: '${{ github.workspace }}/.cache/trivy'
   timeout:
     description: 'timeout (default 5m0s)'
     required: false
@@ -97,33 +98,63 @@ inputs:
   docker-host:
     description: 'unix domain socket path to use for docker scanning, ex. unix:///var/run/docker.sock'
     required: false
+  version:
+    description: 'Trivy version to use'
+    required: false
+    default: 'latest'
 
 runs:
-  using: 'docker'
-  image: "Dockerfile"
-  args:
-    - '-a ${{ inputs.scan-type }}'
-    - '-b ${{ inputs.format }}'
-    - '-c ${{ inputs.template }}'
-    - '-d ${{ inputs.exit-code }}'
-    - '-e ${{ inputs.ignore-unfixed }}'
-    - '-f ${{ inputs.vuln-type }}'
-    - '-g ${{ inputs.severity }}'
-    - '-h ${{ inputs.output }}'
-    - '-i ${{ inputs.image-ref }}'
-    - '-j ${{ inputs.scan-ref }}'
-    - '-k ${{ inputs.skip-dirs }}'
-    - '-l ${{ inputs.input }}'
-    - '-m ${{ inputs.cache-dir }}'
-    - '-n ${{ inputs.timeout }}'
-    - '-o ${{ inputs.ignore-policy }}'
-    - '-p ${{ inputs.hide-progress }}'
-    - '-q ${{ inputs.skip-files }}'
-    - '-r ${{ inputs.list-all-pkgs }}'
-    - '-s ${{ inputs.scanners }}'
-    - '-t ${{ inputs.trivyignores }}'
-    - '-u ${{ inputs.github-pat }}'
-    - '-v ${{ inputs.trivy-config }}'
-    - '-x ${{ inputs.tf-vars }}'
-    - '-z ${{ inputs.limit-severities-for-sarif }}'
-    - '-y ${{ inputs.docker-host }}'
+  using: 'composite'
+  steps:
+    - name: Install Trivy
+      shell: bash
+      run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin ${{ inputs.version }}
+
+    - name: Restore DB from cache
+      uses: actions/cache@v4
+      with:
+        path: ${{ inputs.cache-dir }}
+        key: cache-trivy-db-${{ github.run_id }}
+        restore-keys: cache-trivy-db- # In most cases, the cache is restored by 'restore-keys'.
+
+    - name: Set GitHub Path
+      run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
+      shell: bash
+      env:
+        GITHUB_ACTION_PATH: ${{ github.action_path }}
+
+    - name: Run Trivy
+      shell: bash
+      run: entrypoint.sh
+      env:
+        # For shell script
+        # > If the action is written using a composite, then it will not automatically get INPUT_<VARIABLE_NAME>
+        # cf. https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+        INPUT_SCAN_TYPE: ${{ inputs.scan-type }}
+        INPUT_IMAGE_REF: ${{ inputs.image-ref }}
+        INPUT_SCAN_REF: ${{ inputs.scan-ref }}
+        INPUT_TRIVYIGNORES: ${{ inputs.trivyignores }}
+        INPUT_GITHUB_PAT: ${{ inputs.github-pat }}
+        INPUT_LIMIT_SEVERITIES_FOR_SARIF: ${{ inputs.limit-severities-for-sarif }}
+
+        # For Trivy
+        # cf. https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
+        TRIVY_INPUT: ${{ inputs.input }}
+        TRIVY_EXIT_CODE: ${{ inputs.exit-code }}
+        TRIVY_IGNORE_UNFIXED: ${{ inputs.ignore-unfixed }}
+        TRIVY_PKG_TYPES: ${{ inputs.vuln-type }}
+        TRIVY_SEVERITY: ${{ inputs.severity }}
+        TRIVY_FORMAT: ${{ inputs.format }}
+        TRIVY_TEMPLATE: ${{ inputs.template }}
+        TRIVY_OUTPUT: ${{ inputs.output }}
+        TRIVY_SKIP_DIRS: ${{ inputs.skip-dirs }}
+        TRIVY_SKIP_FILES: ${{ inputs.skip-files }}
+        TRIVY_CACHE_DIR: ${{ inputs.cache-dir }}
+        TRIVY_TIMEOUT: ${{ inputs.timeout }}
+        TRIVY_IGNORE_POLICY: ${{ inputs.ignore-policy }}
+        TRIVY_QUIET: ${{ inputs.hide-progress }}
+        TRIVY_LIST_ALL_PKGS: ${{ inputs.list-all-pkgs }}
+        TRIVY_SCANNERS: ${{ inputs.scanners }}
+        TRIVY_CONFIG: ${{ inputs.trivy-config }}
+        TRIVY_TF_VARS: ${{ inputs.tf-vars }}
+        TRIVY_DOCKER_HOST: ${{ inputs.docker-host }}

entrypoint.sh

@@ -1,216 +1,57 @@
 #!/bin/bash
-set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:y:z:" o; do
-   case "${o}" in
-       a)
-         export scanType=${OPTARG}
-       ;;
-       b)
-         export format=${OPTARG}
-       ;;
-       c)
-         export template=${OPTARG}
-       ;;
-       d)
-         export exitCode=${OPTARG}
-       ;;
-       e)
-         export ignoreUnfixed=${OPTARG}
-       ;;
-       f)
-         export vulnType=${OPTARG}
-       ;;
-       g)
-         export severity=${OPTARG}
-       ;;
-       h)
-         export output=${OPTARG}
-       ;;
-       i)
-         export imageRef=${OPTARG}
-       ;;
-       j)
-         export scanRef=${OPTARG}
-       ;;
-       k)
-         export skipDirs=${OPTARG}
-       ;;
-       l)
-         export input=${OPTARG}
-       ;;
-       m)
-         export cacheDir=${OPTARG}
-       ;;
-       n)
-         export timeout=${OPTARG}
-       ;;
-       o)
-         export ignorePolicy=${OPTARG}
-       ;;
-       p)
-         export hideProgress=${OPTARG}
-       ;;
-       q)
-         export skipFiles=${OPTARG}
-       ;;
-       r)
-         export listAllPkgs=${OPTARG}
-       ;;
-       s)
-         export scanners=${OPTARG}
-       ;;
-       t)
-         export trivyIgnores=${OPTARG}
-       ;;
-       u)
-         export githubPAT=${OPTARG}
-       ;;
-       v)
-         export trivyConfig=${OPTARG}
-       ;;
-       x)
-         export tfVars=${OPTARG}
-       ;;
-       y)
-         export dockerHost=${OPTARG}
-       ;;
-       z)
-         export limitSeveritiesForSARIF=${OPTARG}
-       ;;
-  esac
-done
+set -euo pipefail
 
-
-scanType=$(echo $scanType | tr -d '\r')
-export artifactRef="${imageRef}"
-if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] ||  [ "${scanType}" = "config" ] ||  [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
-  artifactRef=$(echo $scanRef | tr -d '\r')
-fi
-input=$(echo $input | tr -d '\r')
-if [ $input ]; then
-  artifactRef="--input $input"
+# Set artifact reference
+scanType="${INPUT_SCAN_TYPE:-image}"
+scanRef="${INPUT_SCAN_REF:-.}"
+if [ -n "${INPUT_IMAGE_REF:-}" ]; then
+  scanRef="${INPUT_IMAGE_REF}" # backwards compatibility
 fi
-#trim leading spaces for boolean params
-ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
-hideProgress=$(echo $hideProgress | tr -d '\r')
-limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
 
-GLOBAL_ARGS=""
-if [ $cacheDir ];then
-  GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
-fi
+# Handle trivy ignores
+if [ -n "${INPUT_TRIVYIGNORES:-}" ]; then
+  ignorefile="./trivyignores"
 
-SARIF_ARGS=""
-ARGS=""
-format=$(echo $format | xargs)
-if [ $format ];then
- ARGS="$ARGS --format $format"
-fi
-if [ $template ] ;then
- ARGS="$ARGS --template $template"
-fi
-if [ $exitCode ];then
- ARGS="$ARGS --exit-code $exitCode"
- SARIF_ARGS="$SARIF_ARGS --exit-code $exitCode"
-fi
-if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
-  ARGS="$ARGS --ignore-unfixed"
-  SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
-fi
-if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
-  ARGS="$ARGS --vuln-type $vulnType"
-  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
-fi
-if [ $scanners ];then
-  ARGS="$ARGS --scanners $scanners"
-  SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
-fi
-if [ $severity ];then
-  ARGS="$ARGS --severity $severity"
-fi
-if [ $output ];then
-  ARGS="$ARGS --output $output"
-fi
-if [ $skipDirs ];then
-  for i in $(echo $skipDirs | tr "," "\n")
-  do
-    ARGS="$ARGS --skip-dirs $i"
-    SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
-  done
-fi
-if [ $tfVars ] && [ "$scanType" == "config" ];then
-  ARGS="$ARGS --tf-vars $tfVars"
-fi
+  # Clear the ignore file if it exists, or create a new empty file
+  : > "$ignorefile"
 
-if [ $trivyIgnores ];then
-  for f in $(echo $trivyIgnores | tr "," "\n")
-  do
+  for f in ${INPUT_TRIVYIGNORES//,/ }; do
     if [ -f "$f" ]; then
       echo "Found ignorefile '${f}':"
       cat "${f}"
-      cat "${f}" >> ./trivyignores
+      cat "${f}" >> "$ignorefile"
     else
-      echo "ERROR: cannot find ignorefile '${f}'."
+      echo "ERROR: cannot find ignorefile '${f}'." >&2
       exit 1
     fi
   done
-  ARGS="$ARGS --ignorefile ./trivyignores"
-fi
-if [ $timeout ];then
-  ARGS="$ARGS --timeout $timeout"
-  SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
-fi
-if [ $ignorePolicy ];then
-  ARGS="$ARGS --ignore-policy $ignorePolicy"
-  SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
-fi
-if [ "$hideProgress" == "true" ];then
-  ARGS="$ARGS --quiet"
-  SARIF_ARGS="$SARIF_ARGS --quiet"
-fi
-if [ $dockerHost ];then
-  ARGS="$ARGS --docker-host $dockerHost"
+  export TRIVY_IGNOREFILE="$ignorefile"
 fi
 
-listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
-if [ "$listAllPkgs" == "true" ];then
-  ARGS="$ARGS --list-all-pkgs"
-fi
-if [ "$skipFiles" ];then
-  for i in $(echo $skipFiles | tr "," "\n")
-  do
-    ARGS="$ARGS --skip-files $i"
-    SARIF_ARGS="$SARIF_ARGS --skip-files $i"
-  done
+# Handle SARIF
+if [ "${TRIVY_FORMAT:-}" = "sarif" ]; then
+  if [ "${INPUT_LIMIT_SEVERITIES_FOR_SARIF:-false,,}" != "true" ]; then
+    echo "Building SARIF report with all severities"
+    unset TRIVY_SEVERITY
+  else
+    echo "Building SARIF report"
+  fi
 fi
 
-trivyConfig=$(echo $trivyConfig | tr -d '\r')
-# To make sure that uploda GitHub Dependency Snapshot succeeds, disable the script that fails first.
-set +e
-if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
-  # SARIF is special. We output all vulnerabilities,
-  # regardless of severity level specified in this report.
-  # This is a feature, not a bug :)
-  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-elif [ $trivyConfig ]; then
-   echo "Running Trivy with trivy.yaml config from: " $trivyConfig
-   trivy --config $trivyConfig ${scanType} ${artifactRef}
-else
-   echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
-   echo "Global options: " "${GLOBAL_ARGS}"
-   trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
-fi
+# Run Trivy
+cmd=(trivy "$scanType" "$scanRef")
+echo "Running Trivy with options: ${cmd[*]}"
+"${cmd[@]}"
 returnCode=$?
 
-set -e
-if [[ "${format}" == "github" ]]; then
-  if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
+if [ "${TRIVY_FORMAT:-}" = "github" ]; then
+  if [ -n "${INPUT_GITHUB_PAT:-}" ]; then
     printf "\n Uploading GitHub Dependency Snapshot"
-    curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
+    curl -H 'Accept: application/vnd.github+json' -H "Authorization: token ${INPUT_GITHUB_PAT}" \
+         "https://api.github.com/repos/$GITHUB_REPOSITORY/dependency-graph/snapshots" -d @"${TRIVY_OUTPUT:-}"
   else
-    printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
+    printf "\n Failing GitHub Dependency Snapshot. Missing github-pat" >&2
   fi
 fi
 
-exit $returnCode
+exit $returnCode