
Use custom template

Open nleconte-csgroup opened this issue 2 years ago • 6 comments

Hello, I wrote a very basic CSV template for trivy and I would like to use it with the trivy GitHub action.

nleconte-csgroup, Jun 21 '22 15:06

hi @nleconte-csgroup - that's cool, what were you looking to do with it?

simar7, Jun 21 '22 20:06

Hey @simar7, well it's just that we cannot load a new template file with the trivy GitHub action. At the moment it is only possible to directly write the template file content into the template input:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
        format: 'template'
        template: '{{- $critical := 0 }}{{- $high := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- if  eq .Severity "CRITICAL" }}{{- $critical = add $critical 1 }}{{- end }}{{- if  eq .Severity "HIGH" }}{{- $high = add $high 1 }}{{- end }}{{- end }}{{- end }}Critical: {{ $critical }}, High: {{ $high }}'

It would be nice to be able to directly provide a template file as input, like below (supposing a checkout action is executed before in order to load the template file from the repository):

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
        format: 'template'
        template: '@/contrib/custom.tpl'
        template-file: 'custom.tpl'

Is it possible to add such a feature?

nleconte-csgroup, Jun 22 '22 08:06

hi @nleconte-csgroup - got it. That's a great idea, we'd welcome a PR from you if you decide to contribute one! Let us know how we can help in any way (testing, reviewing etc.)

simar7, Jun 22 '22 18:06

Hey @nleconte-csgroup, I ran into this issue on Google while I was trying to do the same thing. I know your post is a year old, but I found the solution in case anyone else finds this thread looking for it.

So it turns out that the Trivy scanner from aquasecurity/trivy-action runs inside a docker instance within your job. It actually mounts your checked out repository from actions/checkout as a volume inside the container that runs the scanner. The mapping looks like this in Trivy's workflow debug log:

-v "/home/runner/work/YOUR/REPOSITORY":"/github/workspace"

This means that if you want to give the scanner a template file, you have to use the container's internal filesystem structure, not the normal runner filesystem structure.

So, for example, if you had a Trivy template file in the root of your repository called template.tpl, your template config lines in your Trivy action step should look like this:

format: 'template'
template: '@/github/workspace/template.tpl'

This is certainly not intuitive whatsoever and probably not the best design structure for this config flag, but this is the way to do it. Hope this helps!

neonspectra, Jun 23 '23 18:06
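The workaround described in the comment above, put together as one complete job (an added example, not a snippet from the issue or from the trivy-action project). It assumes the repository holds a template at `security/trivy/report.tpl` (a constructed path) and that the image to scan is already built and pushed under the name given in `image-ref`; the `output` input and `actions/upload-artifact` step are standard GitHub Actions pieces used here to keep the rendered report, and the `@/github/workspace/...` prefix is the container-side path from the mount shown in the debug log.

```yaml
name: container-scan

on:
  push:
    branches: [main]

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      # The checkout is what makes the template file exist on the runner;
      # trivy-action then mounts the runner's checkout dir at /github/workspace
      # inside the scanner container, so the template must be addressed by
      # that container path, not by ${{ github.workspace }}.
      - name: Checkout repository (provides the template file)
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner with a repository template
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          # '@' tells Trivy the value is a file path; the path is resolved
          # inside the scanner container, hence /github/workspace.
          # security/trivy/report.tpl is a constructed example location.
          template: '@/github/workspace/security/trivy/report.tpl'
          # Write the rendered report back into the mounted workspace so the
          # next step (running on the runner, not in the container) can see it.
          output: 'trivy-report.txt'

      - name: Keep the rendered report with the workflow run
        uses: actions/upload-artifact@v4
        with:
          name: trivy-report
          path: trivy-report.txt
```

Note that a path built from `${{ github.workspace }}` (e.g. `/home/runner/work/YOUR/REPOSITORY/...`) would not exist inside the scanner container; the mount shown in the debug log is the only mapping between the two filesystems, which is why the template path must start with `/github/workspace`.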

@neonspectra Thanks for this, I was able to do it with:

format: template
template: "@/github/workspace/software/trivy/templates/markdown.tpl"

AshwinSarimin, Feb 15 '24 15:02

@AshwinSarimin would you be so kind to share the markdown.tpl? 🙏

jornbeyers, Feb 26 '24 09:02