Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryGet artifact detailsRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
Fetch secrets from CyberArk Conjur
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Manage workflows
Introductioncloudbees and other context objectsenvnameonpermissionsjobs.<job_id>.<job_id>.delegates.<job_id>.env.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Reusable workflows
Personal access tokens
Trigger a workflow using an API
IntroductionManual approval
Connect a repositoryCreate a workflowRun a scanPublish an image
Introduction
Learn about feature management
Create flags in code
Manage multiple SDK keys in your application
Create/manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Flag approval requests and reviews
Audit history
Configuration as code
Flag impressions and activity status
Code references
Properties and custom properties
Target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAndroid appAngular appDjango appGin app.NET Core appReact appSpring Boot appSwift iOS app

CloudBees action: Scan with Trivy

2 minute read

Use this action to scan container images with the Trivy scanner, to identify and fix security vulnerabilities. You can also use the action output as a quality gate for the next step or job in your workflow.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details
Input name Data type Required? Description

binary-tar-path

String

Yes

The path of the binary to be scanned.

The binary file must be in the TAR format.

license

Boolean

No

The option to perform license scanning. Specify license: true to perform license scanning.

Outputs

Table 2. Output details
Output name Data type Description

critical-count

String

The number of Critical security findings discovered during the scan.

very-high-count

String

The number of Very high security findings discovered during the scan.

high-count

String

The number of High security findings discovered during the scan.

medium-count

String

The number of Medium security findings discovered during the scan.

low-count

String

The number of Low security findings discovered during the scan.

Usage examples

Basic example

The following is a basic example of using the action:

      - name: Scan with Trivy
        uses: cloudbees-io/trivy-plugin@v1
        with:
          binary-tar-path: /path/to/binary.tar

Using the action output

Access the output values in downstream steps and jobs using the outputs context.

Use the output in your workflow as follows, where <action_step_ID> is the action step ID, and <severity> is an output parameter name, such as critical-count:

${{steps.<action_step_ID>.outputs.<severity>}}

The following example uses the action output in a downstream step of the same job:

name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  trivy-scan-job:
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1

      - id: trivy-step
        name: trivy scan
        uses: cloudbees-io/trivy-plugin@v1
        with:
          binary-tar-path: /path/to/binary.tar

      - name: source dir examine
        uses: docker://golang:1.20.3-alpine3.17
        shell: sh
        run: |
          ls -latR /cloudbees/workspace

      - id: print-outputs-from-trivy-step
        name: print outputs from upstream trivy step
        uses: docker://alpine:latest
        run: |
            #printing all outputs
            echo "Outputs from upstream trivy step:"
            echo "Critical count: ${{steps.trivy-step.outputs.critical-count}}"
            echo "Very high count: ${{steps.trivy-step.outputs.very-high-count}}"
            echo "High count: ${{steps.trivy-step.outputs.high-count}}"
            echo "Medium count: ${{steps.trivy-step.outputs.medium-count}}"
            echo "Low count: ${{steps.trivy-step.outputs.low-count}}"

The following example uses the action output in a downstream job:

name: my-workflow
kind: workflow
apiVersion: automation.cloudbees.io/v1alpha1

on:
  push:
    branches:
      - main

permissions:
  scm-token-own: read
  scm-token-org: read
  id-token: write

jobs:
  job1:
    outputs:
      trivy-job-output-critical: ${{ steps.trivy-step.outputs.critical-count }}
      trivy-job-output-very-high: ${{ steps.trivy-step.outputs.very-high-count }}
      trivy-job-output-high: ${{ steps.trivy-step.outputs.high-count }}
      trivy-job-output-medium: ${{ steps.trivy-step.outputs.medium-count }}
      trivy-job-output-low: ${{ steps.trivy-step.outputs.low-count }}
    steps:
      - name: check out source code
        uses: cloudbees-io/checkout@v1
        with:
          repository: my-gh-repo-org/my-repo
          ref: main
          token: ${{ secrets.GIT_PAT }}

      - id: trivy-step
        name: trivy scan
        uses: cloudbees-io/trivy-plugin@v1
        with:
          binary-tar-path: /path/to/binary.tar

  job2:
    needs: job1
    steps:
      - id: print-outputs-from-job1
        name: print outputs from upstream job1
        uses: docker://alpine:latest
        run: |
          # Printing all outputs
          echo "Outputs from upstream trivy job:"
          echo "Critical count: ${{ needs.job1.outputs.trivy-job-output-critical }}"
          echo "Very high count: ${{ needs.job1.outputs.trivy-job-output-very-high }}"
          echo "High count: ${{ needs.job1.outputs.trivy-job-output-high }}"
          echo "Medium count: ${{ needs.job1.outputs.trivy-job-output-medium }}"
          echo "Low count: ${{ needs.job1.outputs.trivy-job-output-low }}"
Sonatype (Nexus) Container