Use this action to perform static application security testing (SAST) on a repository with the Trivy scanner, and then view comprehensive security results in the CloudBees platform.
This action is available on the GitHub marketplace.
Prerequisites
Set up the CloudBees platform and GHA to work together, providing key features of the platform to GHA workflows. Refer to Getting started for more information.
Inputs
Input name | Data type | Required? | Description
---|---|---|---
`binary-tar-path` | String | Yes | The path of the binary to be scanned.
`cloudbees-pat` | String | Yes |
| String | No | The CloudBees platform URL. The default value is
`license` | Boolean | No | The option to perform license scanning. Specify `true` to enable it.
Usage examples
Basic example
The following is a basic example of using this action:
```yaml
- name: Trivy SAST scan
  uses: cloudbees-io-gha/trivy-scan-publish@v1
  with:
    binary-tar-path: example-tar-path.tar
    cloudbees-pat: ${{ secrets.CloudBees-platform-PAT }}
```
Example using license scan
In the following example, the license option is enabled to scan the binary for license files, and then output the risk to CloudBees platform analytics dashboards. To learn more, refer to the Trivy license scanning documentation.
```yaml
- name: Trivy SAST scan
  uses: cloudbees-io-gha/trivy-scan-publish@v1
  with:
    binary-tar-path: example-tar-path.tar
    cloudbees-pat: ${{ secrets.CloudBees-platform-PAT }}
    license: true
```
Full workflow and run example
The following GHA workflow example builds a Docker binary using Buildx, saves the image as a TAR file, and then scans the image with Trivy.
Example GHA workflow YAML file
After the GHA run has completed, the security findings are collected and displayed in the Security center of the component containing the workflow.
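The following is an added example of such a workflow, not a file from this page or from the CloudBees project. It assumes the `docker/setup-buildx-action` and `docker/build-push-action` actions for the Buildx build, a repository secret named `CLOUDBEES_PLATFORM_PAT`, and the image name and TAR path shown; only `binary-tar-path`, `cloudbees-pat` and `license` come from this page.

```yaml
# Added example (not the page's own workflow). Assumed, not taken from the page:
# docker/setup-buildx-action@v3, docker/build-push-action@v5, the secret name
# CLOUDBEES_PLATFORM_PAT, and the image tag / TAR path used below.
name: Build image and scan with Trivy

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the job only needs to read the repository. It never pushes
# the image or writes back to the repo, so no write scopes are granted.
permissions:
  contents: read

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Build the image locally and export it as a TAR archive instead of
      # pushing it to a registry, so the scan runs on exactly what was built.
      - name: Build image and save as TAR
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          tags: example-app:${{ github.sha }}
          outputs: type=docker,dest=/tmp/example-app.tar

      # Scan the archive and publish the findings to the CloudBees platform.
      # The PAT is read from a repository secret and never appears in the file.
      - name: Trivy SAST scan
        uses: cloudbees-io-gha/trivy-scan-publish@v1
        with:
          binary-tar-path: /tmp/example-app.tar
          cloudbees-pat: ${{ secrets.CLOUDBEES_PLATFORM_PAT }}
          license: true
```

The `permissions` block and `push: false` keep the job from needing any write credentials; the only secret it handles is the platform PAT, which stays in the repository secret store.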
