
Add support for --dependency-tree option

Open rcarpio-hbo opened this issue 2 years ago • 2 comments

Using the command line it is possible to use the --dependency-tree option to show the dependency origin tree, like:

trivy fs --dependency-tree ...

Reviewing the trivy-action documentation, I have seen that there is no parameter to configure trivy to show the dependency tree.

I propose to have a new parameter to allow this.

....
        with:
          scan-ref: .
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'table'
          dependency-tree: true
....

rcarpio-hbo avatar Jul 05 '22 15:07 rcarpio-hbo
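As an added illustration (not code from trivy-action or from the issue author), the shell function below shows how an action input such as the proposed `dependency-tree: true` could be mapped onto the `--dependency-tree` CLI flag next to the inputs already used in the issue. The function name, argument order and the way inputs are passed are assumptions for this example; the only flags used are the ones the issue shows. Trivy's CLI documents `--dependency-tree` as available only with table output, so the function refuses the combination with any other format instead of silently passing a flag Trivy would ignore.

```shell
# Added example: build the trivy command line from action-style inputs.
# Argument order (assumed for this example):
#   1 scan-type  2 scan-ref  3 format  4 ignore-unfixed  5 dependency-tree
build_trivy_cmd() {
  scan_type="${1:-fs}"
  scan_ref="${2:-.}"
  format="${3:-table}"
  ignore_unfixed="${4:-false}"
  dependency_tree="${5:-false}"

  cmd="trivy $scan_type"

  if [ "$ignore_unfixed" = "true" ]; then
    cmd="$cmd --ignore-unfixed"
  fi

  # --dependency-tree is only meaningful with table output; fail early
  # rather than emit a flag that would be ignored for json/sarif output.
  if [ "$dependency_tree" = "true" ]; then
    if [ "$format" != "table" ]; then
      echo "error: dependency-tree requires format: table (got: $format)" >&2
      return 1
    fi
    cmd="$cmd --dependency-tree"
  fi

  cmd="$cmd --format $format $scan_ref"
  printf '%s\n' "$cmd"
}

# Stand-alone demo mirroring the inputs from the issue (prints the command,
# does not run trivy).
build_trivy_cmd fs . table true true
```

In the real action the inputs would arrive as environment variables rather than positional arguments, but the validation step is the part worth keeping: rejecting an input combination Trivy cannot honour surfaces the mistake in the workflow run instead of producing a scan report without the expected tree.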

hi @rcarpio-hbo - thanks for the idea but what is the use case for such a feature? The current Trivy GitHub Action is meant for CI pipelines to be automatically secured (fail the deployment) if vulnerabilities (or other misconfigurations, secrets etc.) are found.

simar7 avatar Jul 07 '22 00:07 simar7

I think there was a misunderstanding here. I updated the issue description to remove the exit-code: '0' option, since it was only added because I was doing some tests. It is not a mandatory option for this feature.

My idea with this issue is to add the dependency-tree option to the action.

This is the PR for the code: https://github.com/aquasecurity/trivy-action/pull/141

rcarpio-hbo avatar Jul 07 '22 07:07 rcarpio-hbo