aquasecurity/trivy-action
Scan container images, filesystems, and IaC for vulnerabilities with Trivy.
What it does
aquasecurity/trivy-action wraps the Trivy scanner. It can scan a container image (scan-type: image), the repo filesystem (fs), a remote repo, or IaC config files, and report OS and library vulnerabilities.
With format: sarif the results can be uploaded to GitHub code scanning so findings appear in the Security tab.
Usage
workflow (.yml)
permissions:
contents: read
security-events: write # for SARIF upload
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@0.36.0
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-results.sarif
severity: HIGH,CRITICAL
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarifInputs
| Input | Description | Default | Required |
|---|---|---|---|
scan-type | Scan type to use for scanning vulnerability. | image | No |
image-ref | Image reference to scan (for image scans). | - | No |
scan-ref | Scan reference (path for fs/config scans). | . | No |
format | Output format (table, json, template). | table | No |
severity | Severities of vulnerabilities to be displayed. | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | No |
exit-code | Exit code when vulnerabilities were found. | - | No |
ignore-unfixed | Ignore unfixed vulnerabilities. | false | No |
output | Writes results to a file with the specified file name. | - | No |
Notes
By default the step succeeds even when vulnerabilities are found. Set exit-code: 1 (usually with severity: HIGH,CRITICAL and ignore-unfixed: true) to make findings fail the build.
The vulnerability DB is cached per day under cache-dir; leave cache: true on to avoid re-downloading it every run.
Common errors
- Vulnerability-DB download failures (rate limiting pulling
trivy-dbfrom the public registry) intermittently fail runs. Keeping the built-in cache enabled makes this rare, and a retry usually clears it. - An image scan that cannot find the image usually means the image was built in a different job (no shared Docker daemon) or the registry needs a login step before scanning.
- The build passing despite CRITICAL findings is not an error:
exit-codeis unset by default, so Trivy reports and exits 0 unless you setexit-code: 1.
Security and pinning
- Pin the action to a commit SHA (the project itself pins its internal
setup-trivydependency by hash for exactly this reason) and pinversionrather than floating on latest Trivy. - SARIF upload needs
security-events: write; grant it on the job, not workflow-wide, and keep the rest of the token read-only.
Alternatives and related
actions/dependency-review-actionBlock pull requests that introduce dependencies with known vulnerabilities or bad licenses.
github/codeql-actionRun GitHub CodeQL static analysis to find security vulnerabilities in your code.
ossf/scorecard-actionRun OpenSSF Scorecard supply-chain checks on your repo and surface results in code scanning.
Frequently asked questions
How do I make Trivy fail the build only on serious, fixable issues?
Set
exit-code: 1, severity: HIGH,CRITICAL, and ignore-unfixed: true. The default configuration only reports and never fails the step.How do I get Trivy findings into the GitHub Security tab?
Use
format: sarif with an output file, then upload it with github/codeql-action/upload-sarif and security-events: write permission.