trivy-action
Add support for --dependency-tree option
Using the command line it is possible to use the --dependency-tree option to show the dependency origin tree like:
trivy fs --dependency-tree ...
Reviewing the trivy-action documentation, I have seen that there is not a parameter to configure trivy to see the dependency tree.
I propose to have a new parameter to allow this.
....
with:
  scan-ref: .
  scan-type: 'fs'
  ignore-unfixed: true
  format: 'table'
  dependency-tree: true
....
Hi @rcarpio-hbo - thanks for the idea, but what is the use case for such a feature? The current Trivy GitHub Action is meant for CI pipelines to be automatically secured (fail the deployment) if vulnerabilities (or other misconfigurations, secrets etc.) are found.
I think there was a misunderstanding here. I updated the issue description to remove the exit-code: '0' option, since it was added because I made some tests. It is not a mandatory option for this feature.
My idea with this issue is to add the dependency-tree option to the action.
This is the PR for the code: https://github.com/aquasecurity/trivy-action/pull/141