CloudBees action: Scan with Trivy


Use this action to scan container images with the Trivy scanner, to identify and fix security vulnerabilities. You can also use the action output as a quality gate for the next step or job in your workflow.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details

Input name       Data type  Required?  Description
binary-tar-path  String     Yes        The path of the binary to be scanned. The binary file must be in the TAR format.
license          Boolean    No         The option to perform license scanning. Specify license: true to perform license scanning.

Outputs

Table 2. Output details

Output name      Data type  Description
critical-count   String     The number of Critical security findings discovered during the scan.
very-high-count  String     The number of Very high security findings discovered during the scan.
high-count       String     The number of High security findings discovered during the scan.
medium-count     String     The number of Medium security findings discovered during the scan.
low-count        String     The number of Low security findings discovered during the scan.

Usage examples

Basic example

The following is a basic example of using the action:

- name: Scan with Trivy
  uses: cloudbees-io/trivy-plugin@v1
  with:
    binary-tar-path: /path/to/binary.tar

Using the action output

Access the output values in downstream steps and jobs using the outputs context.

Use the output in your workflow as follows, where <action_step_ID> is the action step ID, and <severity> is an output parameter name, such as critical-count:

${{steps.<action_step_ID>.outputs.<severity>}}

The following example uses the action output in a downstream step of the same job:

name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  trivy-scan-job:
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1

      - id: trivy-step
        name: trivy scan
        uses: cloudbees-io/trivy-plugin@v1
        with:
          binary-tar-path: /path/to/binary.tar

      - name: source dir examine
        uses: docker://golang:1.20.3-alpine3.17
        shell: sh
        run: |
          ls -latR /cloudbees/workspace

      - id: print-outputs-from-trivy-step
        name: print outputs from upstream trivy step
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream trivy step:"
          echo "Critical count: ${{steps.trivy-step.outputs.critical-count}}"
          echo "Very high count: ${{steps.trivy-step.outputs.very-high-count}}"
          echo "High count: ${{steps.trivy-step.outputs.high-count}}"
          echo "Medium count: ${{steps.trivy-step.outputs.medium-count}}"
          echo "Low count: ${{steps.trivy-step.outputs.low-count}}"

The following example uses the action output in a downstream job:

name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  job1:
    outputs:
      trivy-job-output-critical: ${{ steps.trivy-step.outputs.critical-count }}
      trivy-job-output-very-high: ${{ steps.trivy-step.outputs.very-high-count }}
      trivy-job-output-high: ${{ steps.trivy-step.outputs.high-count }}
      trivy-job-output-medium: ${{ steps.trivy-step.outputs.medium-count }}
      trivy-job-output-low: ${{ steps.trivy-step.outputs.low-count }}
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
        with:
          repository: my-gh-repo-org/my-repo
          ref: main
          token: ${{ secrets.GIT_PAT }}

      - id: trivy-step
        name: trivy scan
        uses: cloudbees-io/trivy-plugin@v1
        with:
          binary-tar-path: /path/to/binary.tar

  job2:
    needs: job1
    steps:
      - id: print-outputs-from-job1
        name: print outputs from upstream job1
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream trivy job:"
          echo "Critical count: ${{ needs.job1.outputs.trivy-job-output-critical }}"
          echo "Very high count: ${{ needs.job1.outputs.trivy-job-output-very-high }}"
          echo "High count: ${{ needs.job1.outputs.trivy-job-output-high }}"
          echo "Medium count: ${{ needs.job1.outputs.trivy-job-output-medium }}"
          echo "Low count: ${{ needs.job1.outputs.trivy-job-output-low }}"
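The examples above only print the counts. To use them as the quality gate the introduction mentions, a downstream `run: |` step can compare them against limits and fail the job when they are exceeded. The following is an added example, not code from the CloudBees documentation or the trivy-plugin action; the function name `trivy_gate` and the default limits are this example's own choices, and the counts are assumed to be passed in as arguments from the `${{ steps.<action_step_ID>.outputs.<severity> }}` expressions shown above.

```shell
#!/bin/sh
# Added example (not part of the CloudBees docs or the trivy-plugin action):
# a quality gate over the Trivy count outputs. In a workflow step the counts
# would come from the upstream step, for example:
#   trivy_gate "${{steps.trivy-step.outputs.critical-count}}" \
#              "${{steps.trivy-step.outputs.very-high-count}}" \
#              "${{steps.trivy-step.outputs.high-count}}"
# The function name and default limits below are this example's own choices.

# trivy_gate CRITICAL VERY_HIGH HIGH [MAX_CRITICAL] [MAX_VERY_HIGH] [MAX_HIGH]
# Returns 0 when every count is within its limit, 1 when a limit is exceeded,
# and 2 when a count is not a non-negative integer (for example an unset output
# substituted as an empty string), so a broken upstream step fails closed.
trivy_gate() {
  critical=$1; very_high=$2; high=$3
  max_critical=${4:-0}; max_very_high=${5:-0}; max_high=${6:-5}

  # Validate before arithmetic: [ "" -gt 0 ] would be a shell error, not a verdict.
  for v in "$critical" "$very_high" "$high"; do
    case "$v" in
      ''|*[!0-9]*)
        echo "trivy gate: count '$v' is not a number; failing closed" >&2
        return 2 ;;
    esac
  done

  rc=0
  if [ "$critical" -gt "$max_critical" ]; then
    echo "trivy gate: $critical critical finding(s), limit $max_critical" >&2; rc=1
  fi
  if [ "$very_high" -gt "$max_very_high" ]; then
    echo "trivy gate: $very_high very high finding(s), limit $max_very_high" >&2; rc=1
  fi
  if [ "$high" -gt "$max_high" ]; then
    echo "trivy gate: $high high finding(s), limit $max_high" >&2; rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "trivy gate: passed (critical=$critical very-high=$very_high high=$high)"
  fi
  return "$rc"
}

# Constructed sample counts; in a workflow these are the step outputs.
trivy_gate 0 0 2
```

Because the step's exit status becomes the job result, a non-zero return from `trivy_gate` stops the workflow before any later deploy step runs.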