security/trivy¶

Runs Trivy vulnerability scanning, SBOM generation, or container image scanning.

Usage¶

- uses: wphillipmoore/standard-actions/actions/security/trivy@develop
  with:
    scan-type: fs
    scan-ref: "."
    severity: "CRITICAL,HIGH"
    exit-code: "1"
    scanners: "vuln"
    output-file: "trivy-results.sarif"

Inputs¶

Name	Required	Default	Description
`scan-type`	Yes	—	Scan mode: `fs` (filesystem vuln scan to SARIF), `sbom` (CycloneDX SBOM generation), or `image` (container image scan to SARIF).
`scan-ref`	No	`.`	Filesystem path or container image reference to scan.
`severity`	No	`CRITICAL,HIGH`	Comma-separated severity levels to report.
`exit-code`	No	`1`	Exit code when vulnerabilities are found (`0` = advisory only).
`scanners`	No	`vuln`	Comma-separated Trivy scanners to enable.
`output-file`	No	`trivy-results.sarif`	Output file path for SARIF or SBOM results.

Permissions¶

security-events: write (required for SARIF upload when scan-type is fs or image)
contents: read

Behavior¶

The action branches based on scan-type:

Filesystem scan (`fs`)¶

Runs aquasecurity/trivy-action@0.34.0 with scan-type: fs against the specified scan-ref.
Outputs results in SARIF format.
Uploads the SARIF file to GitHub code scanning (category: trivy-fs).

Image scan (`image`)¶

Runs aquasecurity/trivy-action@0.34.0 with scan-type: image against the specified image reference.
Outputs results in SARIF format.
Uploads the SARIF file to GitHub code scanning (category: trivy-image).

SBOM generation (`sbom`)¶

Runs aquasecurity/trivy-action@0.34.0 with scan-type: fs and format: cyclonedx.
Outputs the SBOM to the specified output file. No SARIF upload.

Examples¶

Filesystem vulnerability scan¶

jobs:
  trivy:
    name: "security: trivy"
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: wphillipmoore/standard-actions/actions/security/trivy@develop
        with:
          scan-type: fs

Container image scan¶

- uses: wphillipmoore/standard-actions/actions/security/trivy@develop
  with:
    scan-type: image
    scan-ref: "myapp:latest"

SBOM generation (advisory only)¶

- uses: wphillipmoore/standard-actions/actions/security/trivy@develop
  with:
    scan-type: sbom
    output-file: sbom.cdx.json

GitHub configuration¶

GitHub Advanced Security (GHAS) — Must be enabled for SARIF upload (fs and image scan types).
Code scanning alerts — Results appear in Security > Code scanning alerts with categories trivy-fs or trivy-image.

security/trivy¶

Usage¶

Inputs¶

Permissions¶

Behavior¶

Filesystem scan (fs)¶

Image scan (image)¶

SBOM generation (sbom)¶

Examples¶

Filesystem vulnerability scan¶

Container image scan¶

SBOM generation (advisory only)¶

GitHub configuration¶

Filesystem scan (`fs`)¶

Image scan (`image`)¶

SBOM generation (`sbom`)¶