GitHub action: Trivy scan and publish to the CloudBees platform


Use this action to scan a container image archive with the Trivy scanner (the platform reports these results under static application security testing, SAST), and then view the findings in the CloudBees platform. Trivy inspects the packages and files inside the saved image for known vulnerabilities and, optionally, for license information; it does not analyze your source code.

This action is available on the GitHub marketplace.

Prerequisites

Set up the CloudBees platform and GitHub Actions (GHA) to work together so that key platform features are available to GHA workflows. Refer to Getting started for more information.

Inputs

Table 1. Input details

Input name      | Data type | Required? | Description
binary-tar-path | String    | Yes       | The path of the image archive to be scanned. The file must be a TAR archive, such as the output of docker save.
cloudbees-pat   | String    | Yes       | The CloudBees platform personal access token (PAT). Supply it from a GitHub secret, as in the examples below; do not hard-code it in the workflow file.
cloudbees-url   | String    | No        | The CloudBees platform URL. The default value is "https://api.cloudbees.io".
license         | Boolean   | No        | Whether to also perform license scanning. Specify license: true to enable it.

Usage examples

Basic example

The following is a basic example of using this action:

      - name: Trivy SAST scan
        uses: cloudbees-io-gha/trivy-scan-publish@v1
        with:
          binary-tar-path: example-tar-path.tar
          cloudbees-pat: ${{ secrets.CloudBees-platform-PAT }}

Example using license scan

In the following example, the license option is enabled so that Trivy also reports the licenses it finds in the image, and the license findings are sent to the CloudBees platform analytics dashboards alongside the vulnerability results. To learn more, refer to the Trivy license scanning documentation.

      - name: Trivy SAST scan
        uses: cloudbees-io-gha/trivy-scan-publish@v1
        with:
          binary-tar-path: example-tar-path.tar
          cloudbees-pat: ${{ secrets.CloudBees-platform-PAT }}
          license: true

Full workflow and run example

The following GHA workflow example builds a Docker image with Buildx, saves the image as a TAR archive with docker save, and then scans that archive with Trivy. The save step is required: the action reads the image from the TAR file named in binary-tar-path, not from the local Docker image store.

Example GHA workflow YAML file
name: GHA workflow with Trivy SAST scan

on:
  push:
    branches:
      - main

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source code
        uses: actions/checkout@v3

      - name: Set up Docker buildx
        uses: docker/setup-buildx-action@v2

      - name: Build Docker image
        run: |
          docker build -t myapp:latest .

      # The action scans a TAR archive, so export the built image to the
      # path that binary-tar-path points at.
      - name: Save Docker image as TAR archive
        run: |
          docker save -o output.tar myapp:latest

      - name: Run Trivy SAST scan
        uses: cloudbees-io-gha/trivy-scan-publish@v1
        with:
          binary-tar-path: output.tar
          cloudbees-pat: ${{ secrets.CLOUDBEES_PAT }}
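A common failure with this workflow is handing the action a path that was never written by a save step, or a TAR file that is not an image archive at all (for example a tarball of the source tree). The following preflight script is an added example, not part of the action or of the CloudBees documentation: it checks that the file named in binary-tar-path exists and has the top-level manifest.json that docker save writes, so that the job fails early with a clear message instead of publishing an empty scan. The script name, the sample archive layout, and the make_sample_tar helper (which builds a constructed, not real, image archive so the check can be exercised offline) are all assumptions of this example.

```shell
#!/bin/sh
# Preflight check for the archive passed to binary-tar-path (added example).
# `docker save` writes an image archive whose top level contains manifest.json
# next to the layer and config files. A tar of source files, or a path that no
# save step ever wrote, is the usual cause of a failed or empty scan.

# check_image_tar <path>
# Returns 0 when <path> is a readable tar archive with a top-level manifest.json,
# 1 otherwise (file missing, not a tar archive, or not an image archive).
check_image_tar() {
    tar_path="$1"
    if [ ! -f "$tar_path" ]; then
        echo "preflight: $tar_path does not exist (did the docker save step run?)" >&2
        return 1
    fi
    # tar -tf lists entries without extracting them. Anchor the pattern so a
    # nested src/manifest.json does not count; allow the ./ prefix some tar
    # implementations add to entry names.
    if ! tar -tf "$tar_path" 2>/dev/null | grep -qE '^(\./)?manifest\.json$'; then
        echo "preflight: $tar_path is not a docker-save image archive (no manifest.json)" >&2
        return 1
    fi
    return 0
}

# make_sample_tar <dir> <with_manifest>
# Builds a constructed sample archive at <dir>/sample.tar (not a real image)
# so the check can be exercised offline. with_manifest=1 adds a manifest.json
# shaped like the one docker save emits; 0 produces a plain tar of files.
# Prints the archive path.
make_sample_tar() {
    dir="$1"
    with_manifest="$2"
    mkdir -p "$dir/src"
    printf 'constructed layer bytes\n' > "$dir/src/layer.tar"
    if [ "$with_manifest" = "1" ]; then
        printf '[{"Config":"config.json","RepoTags":["myapp:latest"],"Layers":["layer.tar"]}]\n' \
            > "$dir/src/manifest.json"
        tar -C "$dir/src" -cf "$dir/sample.tar" layer.tar manifest.json
    else
        tar -C "$dir/src" -cf "$dir/sample.tar" layer.tar
    fi
    printf '%s\n' "$dir/sample.tar"
}

# When run directly with an argument, behave as a workflow step would:
#   run: ./preflight.sh output.tar   (hypothetical step; script name assumed)
if [ "$#" -gt 0 ]; then
    check_image_tar "$1" && echo "preflight: $1 looks like a docker-save image archive"
fi
```

Drop the script into a `run:` step between the docker save step and the Trivy step; a non-zero exit stops the job before the action is invoked. The check deliberately inspects only the archive's entry list: it is cheap, needs no Docker daemon, and catches the two mistakes the workflow above is prone to (wrong path, wrong kind of tar) without trying to re-validate the image itself.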

After the GHA run has completed, the security findings are collected and displayed in the Security center of the component containing the workflow.

Figure 1. Example Trivy scanning results highlighted in the Security center.